Today, we are happy to publicly announce the ICSI Certificate Notary. This service provides near real-time reputation information on a large number of TLS/SSL certificates seen in the wild, collected continuously by Bro at several partner network sites. The notary’s data includes the time when a certificate was first and last seen, and whether we can establish a valid chain to a root certificate from the Mozilla root store. You can use the service by sending a DNS request for an A or TXT record to:
The token <sha1> represents the SHA1 digest of the certificate to query. For A record queries, the result comes back either as the address 127.0.0.1 to indicate that our data providers have seen the certificate, as 127.0.0.2 if we could recently validate the certificate against the Mozilla root store, or NXDOMAIN if we have not seen the certificate. For TXT record queries, the notary returns key-value pairs with more details. Here is an example lookup:
dig +short txt C1956DC8A7DFB2A5A56934DA09778E3A11023358.all.notary.icsi.berkeley.edu "version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"
Incidentally, Vlad Grigorescu recently taught Bro how to handle DNS TXT records, which now opens new possibilities in terms of real-time certificate analysis. If you do not remember how to perform DNS lookups from a Bro script, here is an example:
Vlad’s additions now also enable TXT queries via the function lookup_hostname_txt. The snippet below asks our notary for details of each certificate in the network traffic:
Please let us know if you have questions, find problems, or have feature requests.