Monitoring Certificate Transparency logs for fraudulent SSL certs with Scumblr

I read with interest this article by Facebook about detecting (possibly) fraudulent SSL certificates being issued by CAs.

I wasn't previously aware of Google's Certificate Transparency initiative, but it seems like a good idea. Basically there exists a sort of blockchain of public, append-only logs of all SSL certs that are being issued (at least, where the CA is cooperating to publish that info?).

Facebook don't really cover how they are monitoring the logs for such info, but it immediately occurred to me that this is a good use case for Netflix's Scumblr Threat Intelligence tool, which I have written about before and contributed to (the Github and Reddit providers).

It makes sense to monitor the CT logs for a domain and alert if entries are found. Here's a Scumblr provider that does just that.

This provider makes use of the publicly available https://ctwatch.net, which outputs the data as an Atom feed.

The provider also lets you supply a comma-delimited list of known certificate serial numbers to 'ignore', so that certs you already know about are not reported as false positives.

Note: CTwatch.net's output is a bit awkward: the URL that Scumblr links to is that of the raw base64-encoded MerkleTreeLeaf object from the original CT log. If you want to decode that, you can do so with a PHP script like this:

<?php

// Extract the DER certificate from a base64 'leaf_input' (a CT MerkleTreeLeaf).
// Layout (RFC 6962 s3.4): version (1 byte), leaf_type (1), timestamp (8),
// entry_type (2), then for an x509_entry a 3-byte length and the certificate.
function mtl_to_x509($base64str) {
    $raw = base64_decode($base64str);
    // Only entry_type 0 (x509_entry) is handled; a precert_entry (1) carries a
    // 32-byte issuer key hash and a TBSCertificate, so these offsets would be wrong
    $entry_type = unpack('n', substr($raw, 10, 2))[1];
    if ($entry_type !== 0) {
        fwrite(STDERR, "unsupported entry_type $entry_type\n");
        exit(1);
    }
    // 3-byte big-endian certificate length at offset 12; DER bytes start at 15
    $cert_length = unpack('N', chr(0).substr($raw, 12, 3))[1];
    $cert_as_asn1 = substr($raw, 15, $cert_length);
    return $cert_as_asn1;
}

$example = "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";

print mtl_to_x509($example);

(The value of $example here is the 'leaf_input' data taken from the MerkleTreeLeaf object, i.e. the object you downloaded by clicking on 'Link' in the Scumblr result output.)

... then pipe that through the openssl command line tool to make it readable, e.g.:

php test.php | openssl x509 -inform der -noout -text

Thanks to this Stack Overflow entry for that last trick!
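The same decoding, as an added example in Ruby (Scumblr's own language) that is not code from this post or from Scumblr: it parses a 'leaf_input' for both x509 and precert entries rather than only the x509 case, and applies the provider's ignore-list idea to the decoded certificate's serial number. The self-signed certificate and leaf bytes are constructed fixtures, and all function names are my own.

```ruby
require 'base64'
require 'openssl'

# Decode a CT MerkleTreeLeaf (the base64 'leaf_input' value) into its fields.
# Layout (RFC 6962 s3.4): version(1) leaf_type(1) timestamp(8) entry_type(2), then
# x509_entry (0): 3-byte length + DER cert; precert_entry (1): 32-byte
# issuer_key_hash + 3-byte length + DER TBSCertificate. Extensions are ignored.
def parse_merkle_tree_leaf(base64str)
  raw = Base64.decode64(base64str)
  version, leaf_type, timestamp, entry_type = raw.unpack('CCQ>n')
  raise "unexpected version/leaf_type #{version}/#{leaf_type}" unless version == 0 && leaf_type == 0
  offset, issuer_key_hash = 12, nil
  if entry_type == 1
    issuer_key_hash = raw[offset, 32]
    offset += 32
  elsif entry_type != 0
    raise "unknown entry_type #{entry_type}"
  end
  len = ("\x00" + raw[offset, 3]).unpack('N')[0] # 3-byte big-endian length
  body = raw[offset + 3, len]
  raise 'truncated leaf' if body.nil? || body.bytesize != len
  { entry_type: entry_type, timestamp: timestamp, issuer_key_hash: issuer_key_hash, der: body }
end

# Serial (upper-case hex) of an x509_entry; nil for a precert_entry, whose
# TBSCertificate is not a complete certificate that OpenSSL will parse.
def leaf_serial_hex(leaf)
  return nil unless leaf[:entry_type] == 0
  OpenSSL::X509::Certificate.new(leaf[:der]).serial.to_s(16).upcase
end

# The provider's ignore list: comma-delimited serials, case and whitespace insensitive.
def ignored?(serial_hex, ignore_csv)
  ignore_csv.split(',').map { |s| s.strip.upcase }.include?(serial_hex.upcase)
end

# Constructed fixtures (not real CT data): a self-signed cert wrapped in an
# x509_entry leaf so the decoder can be exercised offline. Timestamp is ms since epoch.
def make_self_signed_der(serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example.com')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_der
end

def build_x509_leaf_base64(der, timestamp_ms = 1_500_000_000_000)
  header = [0, 0, timestamp_ms, 0].pack('CCQ>n')
  Base64.strict_encode64(header + [der.bytesize].pack('N')[1, 3] + der + "\x00\x00")
end
```

To read the decoded certificate as in the post, write leaf[:der] to a file and run openssl x509 -inform der -noout -text on it.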

This provider's in a pull request; it might make it into Scumblr proper, we'll see. EDIT: it did!
