Friday, November 2, 2012

Announcing the ICSI Certificate Notary

We are happy to announce the ICSI Certificate Notary today. This service provides near real-time reputation information on a large number of TLS/SSL certificates seen in the wild, collected continuously from a set of partner network sites. The notary’s data includes the time when a certificate was first and last seen, and whether we can establish a valid chain to a root certificate from the Mozilla root store.

Since the beginning of this year we have been collaborating with the operators of about ten large network sites to passively extract certificates from their upstream traffic using Bro. This has allowed us to build a certificate database that now comprises roughly half a million unique web certificates from over 8 billion connections, representing the activity of an estimated 220,000 users. (In fact, we have collected 7 million unique certificates, but the majority come from non-web activity and are hence excluded from the notary.)

You can use the service by sending a DNS request for an A or TXT record to:

<sha1>.notary.icsi.berkeley.edu

The token <sha1> represents the SHA1 digest of the certificate to query, which you may find when consulting your browser for details about a certificate. For A record queries, the result comes back either as the address 127.0.0.1 to indicate that our data providers have seen the certificate, as 127.0.0.2 if we could recently validate the certificate against the Mozilla root store, or NXDOMAIN if we have not seen the certificate. For TXT record queries, the notary returns key-value pairs with more details. Here is an example reply:

"version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"
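As an added illustration (not code from the notary project), here is a small client-side helper that builds the query name from a certificate's DER bytes, maps the A-record answer to a verdict, and parses the TXT reply above into a dictionary. It assumes the certificate is available as DER bytes and the TXT answer as the quoted string shown; the live lookup function needs network access and is only a thin wrapper.

```python
import hashlib
import socket

NOTARY_ZONE = "notary.icsi.berkeley.edu"
SEEN = "127.0.0.1"       # data providers have seen the certificate
VALIDATED = "127.0.0.2"  # seen and recently chained to a Mozilla root


def query_name(cert_der: bytes) -> str:
    """Build the notary query name: the SHA1 of the DER-encoded certificate,
    followed by the notary zone."""
    return f"{hashlib.sha1(cert_der).hexdigest()}.{NOTARY_ZONE}"


def interpret_a(addr):
    """Map an A-record answer (None standing for NXDOMAIN) to a verdict."""
    if addr is None:
        return "unknown"      # notary has not seen this certificate
    if addr == VALIDATED:
        return "validated"    # seen and valid against the Mozilla root store
    if addr == SEEN:
        return "seen"         # seen, but no valid chain could be established
    raise ValueError(f"unexpected notary answer {addr!r}")


def parse_txt(txt: str) -> dict:
    """Parse a TXT reply such as '"version=1 first_seen=15387 ..."' into a
    dict, converting purely numeric values to int."""
    fields = {}
    for pair in txt.strip().strip('"').split():
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed field {pair!r}")
        fields[key] = int(value) if value.isdigit() else value
    return fields


def lookup_a(cert_der: bytes) -> str:
    """Live A-record lookup (requires network). NXDOMAIN surfaces as a
    socket.gaierror, which we treat as 'not seen'; other resolver failures
    raise the same exception, so callers wanting to distinguish them should
    inspect the error."""
    try:
        addr = socket.gethostbyname(query_name(cert_der))
    except socket.gaierror:
        addr = None
    return interpret_a(addr)
```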

For further details, usage instructions, and background reading, please visit the notary website at http://notary.icsi.berkeley.edu. We much appreciate your feedback at this early stage, both positive "works for me" notices and reports of problems or suggestions for improvement.