mirror of
https://github.com/SSLMate/certspotter.git
synced 2025-06-27 10:15:33 +02:00

If -all_time is specified, scan the entirety of all logs, even existing logs. This matches user expectation better. Previously, -all_time had no impact on existing logs. The first time Cert Spotter is run, do not scan any logs, unless -all_time is specified. This avoids a several hour wait the first time Cert Spotter is run. If the user is interested in knowing about existing certificates, they can use the certspotter.com API or crt.sh. This is the same as existing behavior. When a new log is added, scan it in its entirety even if -all_time is not specified, so users are alerted to interesting certificates in the new log. Hopefully new logs will be small and this won't take too long! Previously, new logs were not scanned in their entirety unless -all_time was specified. Closes: #5
145 lines
6.0 KiB
Plaintext
Cert Spotter is a Certificate Transparency log monitor from SSLMate that
alerts you when an SSL/TLS certificate is issued for one of your domains.
Cert Spotter is easier than other open source CT monitors, since it does
not require a database. It's also more robust, since it uses a special
certificate parser that ensures it won't miss certificates.

Cert Spotter is also available as a hosted service by SSLMate that
requires zero setup and provides an easy web dashboard to centrally
manage your certificates. Visit <https://sslmate.com/certspotter>
to sign up.

You can use Cert Spotter to detect:

* Certificates issued to attackers who have compromised a certificate
  authority and want to impersonate your site.

* Certificates issued to attackers who are using your infrastructure
  to serve malware.

* Certificates issued in violation of your corporate policy
  or outside of your centralized certificate procurement process.

* Certificates issued to your infrastructure providers without your
  consent.


USING CERT SPOTTER

The easiest way to use Cert Spotter is to sign up for an account at
<https://sslmate.com/certspotter>. If you want to run Cert Spotter on
your own server, follow these instructions.

Cert Spotter requires Go version 1.5 or higher.

1. Install Cert Spotter using go get:

     go get software.sslmate.com/src/certspotter/cmd/certspotter

2. Create a file called ~/.certspotter/watchlist listing the DNS names
   you want to monitor, one per line. To monitor an entire domain tree
   (including the domain itself and all sub-domains) prefix the domain
   name with a dot (e.g. ".example.com"). To monitor a single DNS name
   only, do not prefix the name with a dot.

3. Create a cron job to periodically run:

     certspotter

   When Cert Spotter detects a certificate for a name on your watchlist,
   it writes a report to standard out, which the Cron daemon emails
   to you. Make sure you are able to receive emails sent by Cron.

   Cert Spotter also saves a copy of matching certificates in
   ~/.certspotter/certs.

You can add and remove domains on your watchlist at any time. However,
the certspotter command only notifies you of certificates that were
logged since adding a domain to the watchlist, unless you specify the
-all_time option, which requires scanning the entirety of every log
and takes several hours to complete with a fast Internet connection.
To examine preexisting certificates, it's better to use the Cert
Spotter service <https://sslmate.com/certspotter>, the Cert Spotter
API <https://sslmate.com/certspotter/api>, or a CT search engine such
as <https://crt.sh>.


COMMAND LINE FLAGS

-watchlist FILENAME
    File containing identifiers to watch, one per line, as described
    above (use - to read from stdin). Default: ~/.certspotter/watchlist
-no_save
    Do not save a copy of matching certificates.
-all_time
    Scan for certificates from all time, not just those added since
    the last run of Cert Spotter. Unless this option is specified,
    no certificates are scanned the first time Cert Spotter is run.
-logs FILENAME
    JSON file containing logs to scan, in the format documented at
    <https://www.certificate-transparency.org/known-logs>.
    Default: use the logs trusted by Chromium.
-state_dir PATH
    Directory for storing state. Default: ~/.certspotter
-verbose
    Be verbose.


WHAT CERTIFICATES ARE DETECTED BY CERT SPOTTER?

Any certificate that is logged to a Certificate Transparency log trusted
by Chromium will be detected by Cert Spotter. Currently, the following
certificates are logged:

* EV certificates

* All certificates issued by the following CAs:

  * Let's Encrypt <https://letsencrypt.org/certificates/#certificate-transparency>
  * StartCom <https://www.startssl.com/NewsDetails?date=20160323>
  * Symantec <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>
  * WoSign <https://www.wosign.com/english/News/2016_wosign_CT.htm>

* All DV certificates issued by GlobalSign <https://www.globalsign.com/en/blog/google-updates-certificate-transparency-policy/>.

* Certificates that are detected when crawling web pages and doing
  Internet-wide scans.

Starting from October 2017, all new certificates must be logged (and
therefore detectable by Cert Spotter) to be trusted by Google Chrome.


SECURITY

Cert Spotter assumes an adversarial model in which an attacker produces
a certificate that is accepted by at least some clients but goes
undetected because of an encoding error that prevents CT monitors from
understanding it. To defend against this attack, Cert Spotter uses a
special certificate parser that keeps the certificate unparsed except
for the identifiers. If one of the identifiers matches a domain on your
watchlist, you will be notified, even if other parts of the certificate
are unparsable.

Cert Spotter takes special precautions to ensure identifiers are parsed
correctly, and implements defenses against identifier-based attacks.
For instance, if a DNS identifier contains a null byte, Cert Spotter
interprets it as two identifiers: the complete identifier, and the
identifier formed by truncating at the first null byte. For example, a
certificate for example.org\0.example.com will alert the owners of both
example.org and example.com. This defends against null prefix attacks
<http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf>.

SSLMate continuously monitors CT logs to make sure every certificate's
identifiers can be successfully parsed, and will release updates to
Cert Spotter as necessary to fix parsing failures.

Cert Spotter understands wildcard and redacted DNS names, and will alert
you if a wildcard or redacted certificate might match an identifier on
your watchlist. For example, a watchlist entry for sub.example.com would
match certificates for *.example.com or ?.example.com.

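The following is an added example, not Cert Spotter's own code, that models the matching rules described in this README: dot-prefixed watchlist entries cover a whole domain tree, other entries match one name exactly, a DNS identifier containing a null byte is treated as two identifiers, and a leading wildcard (*.) or redacted (?.) label may cover an exact entry one label below it. The type and function names (Watchlist, ParseWatchlist, ExpandIdentifier, Match) are this example's own, and the precise rule for comparing a wildcard or redacted name against an exact entry is an assumption based on the README's single sub.example.com example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Watchlist is a toy model (not certspotter's code) of the
// ~/.certspotter/watchlist semantics: entries starting with a dot cover
// the domain and all its sub-domains; other entries match one name exactly.
type Watchlist struct {
	exact map[string]bool // e.g. "sub.example.com"
	trees map[string]bool // ".example.com" is stored as "example.com"
}

// ParseWatchlist reads one entry per line; blank lines are ignored.
// The README documents no comment syntax, so none is assumed here.
func ParseWatchlist(text string) *Watchlist {
	w := &Watchlist{exact: map[string]bool{}, trees: map[string]bool{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.ToLower(strings.TrimSpace(sc.Text()))
		switch {
		case line == "":
		case strings.HasPrefix(line, "."):
			w.trees[strings.TrimPrefix(line, ".")] = true
		default:
			w.exact[line] = true
		}
	}
	return w
}

// ExpandIdentifier models the null-byte defense: an identifier containing a
// null byte yields two identifiers, the complete one and the one truncated
// at the first null byte, so both affected owners are alerted.
func ExpandIdentifier(name string) []string {
	name = strings.ToLower(name)
	if i := strings.IndexByte(name, 0); i >= 0 {
		return []string{name, name[:i]}
	}
	return []string{name}
}

// matchOne reports whether a single identifier is of interest. A leading
// "*." (wildcard) or "?." (redacted) label can stand for any one label, so
// such a name also matches an exact entry exactly one label beneath its
// parent (assumed rule, derived from the README's sub.example.com example).
func (w *Watchlist) matchOne(name string) bool {
	if w.exact[name] {
		return true
	}
	for tree := range w.trees {
		if name == tree || strings.HasSuffix(name, "."+tree) {
			return true
		}
	}
	if strings.HasPrefix(name, "*.") || strings.HasPrefix(name, "?.") {
		parent := name[2:]
		for entry := range w.exact {
			if i := strings.IndexByte(entry, '.'); i > 0 && entry[i+1:] == parent {
				return true
			}
		}
	}
	return false
}

// Match returns the identifiers of a certificate's DNS names that hit the
// watchlist, in input order, after null-byte expansion.
func (w *Watchlist) Match(dnsNames []string) []string {
	var hits []string
	for _, raw := range dnsNames {
		for _, id := range ExpandIdentifier(raw) {
			if w.matchOne(id) {
				hits = append(hits, id)
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample watchlist and certificate names, not real data.
	w := ParseWatchlist(".example.com\nsub.example.net\n")
	names := []string{"www.example.com", "*.example.net", "example.org\x00.example.com", "unrelated.org"}
	for _, hit := range w.Match(names) {
		fmt.Printf("watchlist hit: %q\n", hit)
	}
}
```

Note that the null-byte identifier example.org\0.example.com hits the tree entry .example.com through its full, untruncated form, while its truncated form example.org would hit a watchlist belonging to example.org's owner; a parser that stopped at the first null byte would report only one of the two.
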
Cert Spotter is not just a log monitor, but also a log auditor which
checks that the log is obeying its append-only property. A future
release of Cert Spotter will support gossiping with other log monitors
to ensure the log is presenting a single view.
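As an added illustration of the append-only check a log auditor performs (example code, not Cert Spotter's own implementation): the Merkle Tree Hash and consistency proof construction of RFC 6962 section 2.1, and proof verification following RFC 9162 section 2.1.4.2. A verifier holding two signed tree heads asks the log for a consistency proof and checks that the older tree is a prefix of the newer one; if the log rewrote or dropped an entry, no proof can satisfy the check. The leaf data here are constructed strings, not real log entries, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// hashNode is the RFC 6962 hash: 0x00 || leaf for leaves, 0x01 || left || right for nodes.
func hashNode(prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{prefix})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// split returns k, the largest power of two strictly less than n (n >= 2).
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// mth is the Merkle Tree Hash MTH(D[n]) of RFC 6962 section 2.1 for n >= 1 leaves.
func mth(d [][]byte) []byte {
	if len(d) == 1 {
		return hashNode(0x00, d[0])
	}
	k := split(len(d))
	return hashNode(0x01, mth(d[:k]), mth(d[k:]))
}

// consistencyProof is PROOF(m, D[n]) from RFC 6962 section 2.1.2: the hashes a
// client needs to check that the tree of size m is a prefix of the tree of size n.
func consistencyProof(m int, d [][]byte) [][]byte {
	return subproof(m, d, true)
}

func subproof(m int, d [][]byte, b bool) [][]byte {
	if m == len(d) {
		if b {
			return nil
		}
		return [][]byte{mth(d)}
	}
	k := split(len(d))
	if m <= k {
		return append(subproof(m, d[:k], b), mth(d[k:]))
	}
	return append(subproof(m-k, d[k:], false), mth(d[:k]))
}

// verifyConsistency follows RFC 9162 section 2.1.4.2. It returns true only if
// the proof shows that the tree with root firstHash (size first) is a prefix of
// the tree with root secondHash (size second): the log was append-only between
// the two tree heads.
func verifyConsistency(first, second uint64, firstHash, secondHash []byte, proof [][]byte) bool {
	if first == second {
		return len(proof) == 0 && bytes.Equal(firstHash, secondHash)
	}
	if first == 0 || first > second || len(proof) == 0 {
		return false
	}
	path := proof
	if first&(first-1) == 0 { // first is a power of two: its root is the first path element
		path = append([][]byte{firstHash}, proof...)
	}
	fn, sn := first-1, second-1
	for fn&1 == 1 {
		fn, sn = fn>>1, sn>>1
	}
	fr, sr := path[0], path[0]
	for _, c := range path[1:] {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			fr = hashNode(0x01, c, fr)
			sr = hashNode(0x01, c, sr)
			for fn != 0 && fn&1 == 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			sr = hashNode(0x01, sr, c)
		}
		fn, sn = fn>>1, sn>>1
	}
	return bytes.Equal(fr, firstHash) && bytes.Equal(sr, secondHash) && sn == 0
}

// demoLeaves builds n constructed log entries (not real certificates).
func demoLeaves(n int) [][]byte {
	d := make([][]byte, n)
	for i := range d {
		d[i] = []byte(fmt.Sprintf("constructed log entry %d", i))
	}
	return d
}

func main() {
	leaves := demoLeaves(7) // a log that grew from 3 to 7 entries
	proof := consistencyProof(3, leaves)
	ok := verifyConsistency(3, 7, mth(leaves[:3]), mth(leaves), proof)
	fmt.Printf("proof hashes: %d, log append-only between size 3 and 7: %v\n", len(proof), ok)
}
```

In a real monitor the two roots come from signed tree heads fetched at different times and the proof from the log's get-sth-consistency endpoint; the verifier never needs the leaves themselves, which is why the check stays cheap even for logs with hundreds of millions of entries.
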