We are happy to announce the ICSI Certificate Notary today. This service provides near real-time reputation information on a large number of TLS/SSL certificates seen in the wild, collected continuously from a set of partner network sites. The notary’s data includes the time when a certificate was first and last seen, and whether we can establish a valid chain to a root certificate from the Mozilla root store.
Since the beginning of this year we have been collaborating with operators at about ten large network sites to passively extract certificates from their upstream traffic using Bro. This has allowed us to build a certificate database that now comprises roughly half a million unique web certificates from over 8 billion connections, representing the activity of an estimated 220,000 users. (In fact, we have collected 7 million unique certificates in total, but the majority stems from non-web activity and is hence excluded from the notary.)
You can use the service by sending a DNS request for an A or TXT record to:
<sha1> represents the SHA1 digest of the certificate to query, which you may find when consulting your browser for details about a certificate. For A record queries, the result comes back either as the address 127.0.0.1 to indicate that our data providers have seen the certificate, as 127.0.0.2 if we could recently validate the certificate against the Mozilla root store, or as NXDOMAIN if we have not seen the certificate. For TXT record queries, the notary returns key-value pairs with more details. Here is an example:

"version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"
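As an added example (not code from the notary service or the Bro project), the following Python builds the <sha1> query name from a DER-encoded certificate, maps the A record answers described above to a verdict, and parses the TXT key-value record. The DNS zone is a placeholder to be replaced with the query name documented on the notary website, and interpreting first_seen/last_seen as day counts since the Unix epoch is an assumption, not something stated in this announcement.

```python
import hashlib
import socket
from datetime import date, timedelta

# Placeholder: substitute the query zone documented on the notary website.
NOTARY_ZONE = "notary.example.invalid"

# Meaning of the A record answers as described in the announcement.
A_RECORD_MEANING = {
    "127.0.0.1": "seen",       # data providers have observed the certificate
    "127.0.0.2": "validated",  # also recently chained to a Mozilla root
}

EPOCH = date(1970, 1, 1)


def query_name(cert_der: bytes, zone: str = NOTARY_ZONE) -> str:
    """Build '<sha1>.<zone>' from the DER bytes of a certificate."""
    return f"{hashlib.sha1(cert_der).hexdigest()}.{zone}"


def interpret_a_answer(addresses) -> str:
    """Map an A record answer (list of addresses, None for NXDOMAIN) to a verdict."""
    if not addresses:
        return "unseen"
    verdicts = {A_RECORD_MEANING.get(a, "unknown") for a in addresses}
    if "unknown" in verdicts:
        raise ValueError(f"unexpected notary answer: {addresses}")
    return "validated" if "validated" in verdicts else "seen"


def lookup_a(cert_der: bytes, zone: str = NOTARY_ZONE) -> str:
    """Live A record lookup. Any resolution failure (NXDOMAIN, but also
    transient resolver errors) is reported as 'unseen'; production code
    should distinguish the two before treating a certificate as unknown."""
    try:
        _, _, addrs = socket.gethostbyname_ex(query_name(cert_der, zone))
    except socket.gaierror:
        addrs = None
    return interpret_a_answer(addrs)


def parse_txt_answer(txt: str) -> dict:
    """Parse 'version=1 first_seen=... validated=1' into typed fields."""
    fields = dict(item.split("=", 1) for item in txt.strip('"').split())
    if fields.get("version") != "1":
        raise ValueError(f"unsupported record version: {fields.get('version')}")
    out = {key: int(value) for key, value in fields.items()}
    out["validated"] = bool(out["validated"])
    # Assumption: the *_seen counters are days since the Unix epoch.
    out["first_seen_date"] = EPOCH + timedelta(days=out["first_seen"])
    out["last_seen_date"] = EPOCH + timedelta(days=out["last_seen"])
    return out
```

A certificate's DER bytes can be obtained from a saved .cer file or via ssl.DER_cert_to_PEM_cert's inverse, ssl.PEM_cert_to_DER_cert, on a PEM export from the browser.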
For further details, usage instructions, and background reading, please visit the notary website at http://notary.icsi.berkeley.edu. We much appreciate your feedback at this early stage, both positive works-for-me notices and reports of problems or suggestions for improvement.