[SSL Observatory] Perspectives+Observatory
Ondrej Mikle
ondrej.mikle at nic.cz
Fri Sep 30 09:21:25 PDT 2011
Hi,
I've created a fork of the Perspectives notary server that takes
"snapshots" of the SSL/TLS certificates of hosts.
Comparison to original Perspectives server:
- stores whole certificates with complete chain sent by server
- uses PostgreSQL instead of sqlite (suitable for millions of records)
- slightly different semantics of "start_time" and "end_time" (they
now mean the first and last time a cert was seen, with possible overlaps;
this is most noticeable with "CDN-like" hosts hidden behind a proxy)
- still has the HTTP API for Perspectives FF extension
Currently the server scans approx. 1.5 M hostnames daily (I've fed it
names from old Observatory DB dumps, a couple thousand hosts from toplists
like Alexa and Quantcast, etc.). The DB contains approx. 1.1+ M unique leaf certs
and 6500 unique CA (i.e. non-leaf) certs.
One point is to collect data (as a part of distributed observatory),
though there's no "bulk-fetch" API yet. (I can provide the SQL dump.)
There are two new HTTP methods:
http://notary1.constructibleuniverse.net:8080/get_certs?host=encrypted.google.com&port=443
fetches the leaf certificates (a client for validating the signature is in the
sources)
http://notary1.constructibleuniverse.net:8080/refresh_scan?host=encrypted.google.com&port=443
forces a rescan of the host
Later I'll add a more efficient bulk-query API so that the data can be
fetched/compared automatically, similarly to what Ralph Holz did
with the scans from multiple places.
The source code can be found at
git://git.nic.cz/perspectives-observatory/ . The public key of the
testing server:
notary1.constructibleuniverse.net:8080
-----BEGIN PUBLIC KEY-----
MIHKMA0GCSqGSIb3DQEBAQUAA4G4ADCBtAKBrAFzVqLz5qmyMwd4XuXGPtyDu0VO
hvfpt3fUJz/2bGWRDcWPIZw/1Gzj2VQjDSRXuAnjsnJY46s3P50HDYZ764AYvggd
vD8KjjNv5R5r6jW83bqJJPI2mRJR/Gu0iKZn7H7X8tKuL0qH5ukRAsonYj59qk2N
THZkBtiReqYoMv3+FzxJAbXM3rEp0+x2NzM9MeEA8JwYmCBqXZucDeL8N/WSvqOK
alVDUr82uj8CAwEAAQ==
-----END PUBLIC KEY-----
Regards,
O. Mikle
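The "start_time"/"end_time" semantics described in the post (first and last time a cert was seen, with possible overlaps for CDN-like hosts) can be illustrated with a small simulation. The following is an added example, not code from the perspectives-observatory fork: it builds the per-certificate observation windows from a constructed list of scan results (placeholder hostnames and fingerprints), reports which certificates of one service were observed in overlapping periods, and performs the duration check a notary client would make before trusting a freshly presented certificate. The `notary_url` helper only reproduces the query URL shape shown in the post; the response format is not assumed here.

```python
"""Added example: first-seen/last-seen certificate windows in a
Perspectives-style notary (illustration only, not the project's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlencode

# Constructed scan results: (timestamp, host, port, leaf-cert fingerprint).
# Hostnames and fingerprints are placeholders, not real observations.
# "static" is a CDN-like host that alternates between two leaf certs;
# "single" rotates from one cert to a new one on the last day.
OBSERVATIONS = [
    ("2011-09-01T00:00:00", "static.example.org", 443, "aa:aa"),
    ("2011-09-02T00:00:00", "static.example.org", 443, "bb:bb"),
    ("2011-09-03T00:00:00", "static.example.org", 443, "aa:aa"),
    ("2011-09-04T00:00:00", "static.example.org", 443, "bb:bb"),
    ("2011-09-05T00:00:00", "static.example.org", 443, "aa:aa"),
    ("2011-09-01T00:00:00", "single.example.org", 443, "cc:cc"),
    ("2011-09-03T00:00:00", "single.example.org", 443, "cc:cc"),
    ("2011-09-05T00:00:00", "single.example.org", 443, "dd:dd"),
]

Window = Tuple[datetime, datetime]
ServiceWindows = Dict[str, Window]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def cert_windows(observations) -> Dict[Tuple[str, int], ServiceWindows]:
    """Map (host, port) -> fingerprint -> (start_time, end_time).

    start_time/end_time are the first and last time the cert was seen;
    a newly seen cert never closes the window of another cert, so windows
    of different certs may overlap (the fork's semantics)."""
    windows: Dict[Tuple[str, int], ServiceWindows] = defaultdict(dict)
    for ts, host, port, fp in observations:
        t = parse(ts)
        svc = windows[(host, port)]
        if fp in svc:
            start, end = svc[fp]
            svc[fp] = (min(start, t), max(end, t))
        else:
            svc[fp] = (t, t)
    return windows


def overlapping_certs(svc: ServiceWindows) -> List[Tuple[str, str]]:
    """Pairs of fingerprints whose windows overlap in time. Several
    overlapping windows for one service are the CDN/proxy pattern."""
    items = sorted(svc.items())
    pairs = []
    for i, (fp_a, (sa, ea)) in enumerate(items):
        for fp_b, (sb, eb) in items[i + 1:]:
            if sa <= eb and sb <= ea:
                pairs.append((fp_a, fp_b))
    return pairs


def seen_long_enough(svc: ServiceWindows, fp: str, min_days: int) -> bool:
    """Client-side check: has the notary observed this cert for at least
    min_days? A cert that appeared only today fails and deserves scrutiny."""
    if fp not in svc:
        return False
    start, end = svc[fp]
    return end - start >= timedelta(days=min_days)


def notary_url(base: str, method: str, host: str, port: int) -> str:
    """Build a query URL of the shape used by get_certs / refresh_scan."""
    return f"{base}/{method}?" + urlencode({"host": host, "port": port})


if __name__ == "__main__":
    w = cert_windows(OBSERVATIONS)
    for svc_key, svc in sorted(w.items()):
        print(svc_key, {fp: (s.date(), e.date()) for fp, (s, e) in svc.items()})
        print("  overlapping:", overlapping_certs(svc))
```

In the constructed data the two certificates of the CDN-like host have overlapping windows, whereas the rotated host shows a cert that was seen only once; a client applying the duration check rejects the latter until it has been observed for longer.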