The internet relies on SSL/TLS certificates to create secure connections between your browser and websites by encrypting the data exchanged. These certificates help verify a website's identity, ensuring that you’re communicating with the real site. However, sometimes attackers can take advantage of fake or incorrect certificates to trick users into thinking they are visiting a trustworthy site.
To prevent this, Certificate Transparency (CT) logs are used. These logs keep track of all issued certificates, making it easier to spot any suspicious or unauthorized certificates before they can be misused.
Certificate Transparency (CT) logs are public, append-only ledgers that record the issuance of SSL/TLS certificates. Whenever a Certificate Authority (CA) issues a new certificate, it must submit it to multiple CT logs. These logs are maintained by independent organisations and are open for anyone to inspect.
There are two popular options for searching CT logs:
| Tool | Key Features | Use Cases | Pros | Cons |
|---|---|---|---|---|
| crt.sh | User-friendly web interface, simple search by domain, displays certificate details, SAN entries. | Quick and easy searches, identifying subdomains, checking certificate issuance history. | Free, easy to use, no registration required. | Limited filtering and analysis options. |
| Censys | Powerful search engine for internet-connected devices, advanced filtering by domain, IP, certificate attributes. | In-depth analysis of certificates, identifying misconfigurations, finding related certificates and hosts. | Extensive data and filtering options, API access. | Requires registration (free tier available). |
While crt.sh offers a convenient web interface, you can also leverage its API for automated searches directly from your terminal. Let's see how to find all 'dev' subdomains on facebook.com using curl and jq:
```bash
curl -s "https://crt.sh/?q=facebook.com&output=json" \
  | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' \
  | sort -u
```
- `curl -s "https://crt.sh/?q=facebook.com&output=json"`: This command fetches the JSON output from crt.sh for certificates matching the domain facebook.com.
- `jq -r '.[] | select(.name_value | contains("dev")) | .name_value'`: This part filters the JSON results, selecting only entries where the `name_value` field (which contains the domain or subdomain) includes the string "dev". The `-r` flag tells jq to output raw strings.
- `sort -u`: This sorts the results alphabetically and removes duplicates.
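For auditing certificates issued for a domain you own, the same crt.sh JSON can be processed in Python. This is an added example, not code from the original page. It splits `name_value` fields that hold several names separated by newlines, and matches "dev" as a DNS label rather than as a substring, which is a stricter rule chosen here. The sample records, `example.com` names and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of crt.sh's output=json response (not real data).
# A single name_value can hold several names separated by newlines.
SAMPLE = json.dumps([
    {"id": 1, "name_value": "example.com\nwww.example.com\ndev.example.com"},
    {"id": 2, "name_value": "*.dev.example.com\nDEV.example.com"},
    {"id": 3, "name_value": "developers.example.com"},
    {"id": 4, "name_value": "api-dev.example.com\napi.example.com"},
    {"id": 5, "name_value": "dev.example.net"},
])


def hostnames(crtsh_json, domain):
    """Return every unique name at or under `domain` found in the records."""
    domain = domain.lower().rstrip(".")
    names = set()
    for record in json.loads(crtsh_json):
        # Split multi-name entries so each name is judged on its own.
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            # Keep only names inside the domain being audited.
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def with_label(names, keyword):
    """Keep names where `keyword` is a whole label or a hyphen-separated part of one."""
    keep = []
    for name in names:
        if any(keyword in label.split("-") for label in name.split(".")):
            keep.append(name)
    return keep


if __name__ == "__main__":
    for host in with_label(hostnames(SAMPLE, "example.com"), "dev"):
        print(host)
```

A substring test such as jq's `contains("dev")` would also return `developers.example.com`, and would print every name in a matching record, including `www.example.com` from the first one.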