12 comments

[ 3.2 ms ] story [ 29.1 ms ] thread
This is really nice. I have been using the atom feed provided by https://crt.sh/ and an ifttt recipe to send me an email when a new cert is logged¹, but this service looks really nice and made exactly for this purpose.

¹https://www.linickx.com/monitor-for-fake-certificates-with-c...

edit: my ifttt recipe: https://ifttt.com/recipes/444453-get-notified-when-a-certifi...

https://ctadvisor.lolware.net does about the same.
> Security:

> Every useless organisation and its dog currently claims to "take security very seriously"

already like them :D

Thank you for mentioning my service.

When I first posted it on HN, it went offline literally seconds later in the Linode DDoS (it's now on AWS). Naturally, it's largely flown under the radar since.

Also worth looking at is Google's Certificate Transparency project [0], [1].

  Certificate Transparency makes it possible to detect SSL
  certificates that have been mistakenly issued by a certificate
  authority or maliciously acquired from an otherwise
  unimpeachable certificate authority. It also makes it possible
  to identify certificate authorities that have gone rogue and
  are maliciously issuing certificates.
Certificate Transparency Lookup Tool [2].

[0] https://www.certificate-transparency.org/

[1] https://github.com/google/certificate-transparency

[2] https://www.google.com/transparencyreport/https/ct/

Yes, they're monitoring these CT logs..
Interesting to see how CloudFlare is generating certificates. I never looked very closely at the certificate for my domains but I see they batch them together with others. This happens to contain all the domains I have registered with my CloudFlare account.

  *.cobaltlightning.com
  cobaltlightning.com
  *.crimsonapparel.com.au
  crimsonapparel.com.au
  *.davesweboflies.com
  davesweboflies.com
  *.drjoe.ca
  drjoe.ca
  *.echointeltech.com
  echointeltech.com
  *.goel.io
  goel.io
  *.hodinhvietnam.com
  hodinhvietnam.com
  *.mior.ca
  mior.ca
  *.odesaemlak.com
  odesaemlak.com
  *.ontariogradnet.ca
  ontariogradnet.ca
  *.personalinjury-solicitorsbirmingham.co.uk
  personalinjury-solicitorsbirmingham.co.uk
  sni26843.cloudflaressl.com
  *.szerverit.hu
  szerverit.hu
  *.teveo.com.co
  teveo.com.co
Yes, this is currently the default for Free and Pro plans. Note that we're working on some additional options to allow you to move to dedicated certificates (and add additional domains above/beyond a single-level wildcard).
Is there something like this that that:

1. checks to see if there is a certificate issue for the domain

2. If yes, checks exp date, issuer and certificate file

3. Logs / triggers an event

4. If No, logs triggers an event

Can you clarify how what you're looking for is different to "alert me if a certificate is created" ?