Rob Stradling
567 posts


@SMT_Solvers @jonathandata1 @Equifax The crt.sh web interface truncates large result sets for performance reasons, and I haven't yet found a way to efficiently sort by certificate expiry date before truncating.
Try crt.sh/?Identity=equi…

@jonathandata1 If you have a moment to spare from Lovecraft drama, I could really use some OSINT on @Equifax dot com crypto keys. crt.sh is missing everything since 2020. Need them for a hearing tomorrow about this scam which never stopped and got worse. nytimes.com/2010/04/04/us/…

@rmhrisk crt.sh has caught up on (re)counting issuances, but has not yet caught up on (re)counting expirations. See groups.google.com/g/crtsh/c/rbCw…

@julianor @ic0nz1 crt.sh has fallen significantly behind on ingesting new log entries (see crt.sh/monitored-logs). However, I was finally able to deploy some performance improvements this week, and I'm hoping the ingestion backlog will disappear within the next month or so.

@ic0nz1 Yes, looks like the cert is not listed in crt.sh but the Facebook API has it.

@eabalea @dfaranha @julianor @BenLaurie crt.sh is currently way behind on ingesting log entries, unfortunately (see crt.sh/monitored-logs). Performance improvements coming soon.
@dfaranha @julianor @BenLaurie Maybe check if crt.sh is late digesting the CT logs?
Note that CT is not mandatory for issuance, only for some browser acceptance.

@jedisct1 How did I not know this was in the public domain?

@ericlaw Please try it now, using either the default "q=" search type (which is what the crt.sh front page search interface uses) or the more specific "cnlspkisha256=" search type.
e.g., crt.sh/?cnlspkisha256…
Implemented by github.com/crtsh/certwatc…

@_robstr Yeah, I think it's always "sha256/"
source.chromium.org/chromium/chrom…

@ericlaw Ah, just saw your other tweet. Looks like it's a SHA-256 SubjectPublicKeyInfo thumbprint.

@ericlaw Is the prefix always "sha256/", or are there other options?
Is the remainder of the string a base64-encoded certificate thumbprint? Or something else?
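The "sha256/" + base64 SubjectPublicKeyInfo thumbprint discussed in the tweets above, as an added example (not code from crt.sh or from the original posts): a small hand-written DER walker extracts the raw SPKI from an X.509 certificate, derives the RFC 7469 / Chromium-style pin from it, and contrasts that with a hash over the whole certificate. The sample certificate is constructed for the example: structurally valid DER, but not a real or validly signed certificate.

```python
import base64
import hashlib

def der_tlv(tag, value):  # minimal DER encoder (definite length), used to build the constructed sample
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos=0):  # decode one DER element: (tag, value, raw_element, next_pos)
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def children(value):  # split a constructed element's content into (tag, value, raw) tuples
    out, pos = [], 0
    while pos < len(value):
        tag, v, raw, pos = read_tlv(value, pos)
        out.append((tag, v, raw))
    return out

def spki_from_cert_der(cert_der):
    """Return the raw DER SubjectPublicKeyInfo from an X.509 Certificate (RFC 5280 layout)."""
    tag, cert_val, _, _ = read_tlv(cert_der)
    tbs_tag, tbs_val, _ = children(cert_val)[0]          # tbsCertificate is the first field
    assert tag == tbs_tag == 0x30, "Certificate and TBSCertificate must be SEQUENCEs"
    fields = children(tbs_val)
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_tag, _, spki_raw = fields[5]
    assert spki_tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    return spki_raw

def spki_pin(cert_der):  # "sha256/" + base64(SHA-256 over the DER SPKI): the RFC 7469 / Chromium pin form
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_from_cert_der(cert_der)).digest()).decode()

def cert_thumbprint(cert_der):  # hex SHA-256 over the whole certificate, for contrast: this is NOT the SPKI pin
    return hashlib.sha256(cert_der).hexdigest()

# Constructed toy certificate: correct DER layout, but not a real or validly signed certificate.
_EC_OID, _ECDSA_OID = bytes.fromhex("2A8648CE3D0201"), bytes.fromhex("2A8648CE3D040302")
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, _EC_OID)) + der_tlv(0x03, b"\x00\x04" + bytes(64)))
SAMPLE_CERT = der_tlv(0x30,                                                    # Certificate ::= SEQUENCE {
    der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))                        #   tbsCertificate: [0] version v3,
            + der_tlv(0x02, b"\x01") + der_tlv(0x30, der_tlv(0x06, _ECDSA_OID))  #   serialNumber, signature,
            + der_tlv(0x30, b"") + der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))  # issuer, validity,
            + der_tlv(0x30, b"") + SAMPLE_SPKI)                                #   subject, subjectPublicKeyInfo
    + der_tlv(0x30, der_tlv(0x06, _ECDSA_OID)) + der_tlv(0x03, b"\x00" + bytes(8)))  # signatureAlgorithm, signatureValue }
```

Because the pin hashes only the SPKI, it stays the same across re-issued certificates for the same key, while a whole-certificate thumbprint changes with every issuance.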

Would you like a command line tool that can parse, manipulate and output (pieces of) URLs? Meet "urler" (which might change name soon if we agree on a better one).
github.com/curl/urler

@RME So the figure is less than 4283/s. To size the gap you can look at crt.sh/cert-populatio… and notice that only @letsencrypt published final certificates; the rest of the final certificates are crawler/researcher-observed certificates that were published to logs.

@63BitsOfEntropy Yeah.
rfc-editor.org/rfc/rfc9162#na…
trac.ietf.org/trac/trans/tic…
mailarchive.ietf.org/arch/msg/trans…

@Martijn___ @jschauma Announcing the removal of certificate_identity has been on my TODO list for...errm...far too long.

@Martijn___ @jschauma The certificate_identity table is a historical artifact from the original crt.sh database, which had int32 certificate IDs. As part of rebuilding the database to have int64 IDs, I switched to using Postgres's Full Text Search instead.

This is pretty neat because the pki.goog CA also supports the CanSignHttpExchanges extension. So now you can get SXG certs via ACME.
Ryan Hurst @rmhrisk
I am happy to announce that all Google Cloud customers can freely use Cloud Certificate Manager to acquire certificates via ACME (RFC 8555) from pki.goog. Learn more about this launch here cloud.google.com/blog/products/… #CLOUD #SSL #ACME #AUTOMATION #STANDARDS

Much love to whoever at @SectigoHQ is running crt.sh/lintcert by the way - it'd be impossible to debug the intricate weirdnesses of TLS certificates without it!

WTF networking moment-of-the-day: did you know that you can have domain names with underscores in them, but you can't create TLS certs for them?
Totally practically possible, but since sometime after mid-2019 modern browsers now reject them outright: github.com/httptoolkit/ht…

@rmhrisk Actually, tbh I'd always assumed timstamp.dll was so named due to legacy DOS filename length restrictions (8 chars, then 3 for the extension).
Turns out the truth is stranger. 🙂