[SSL Observatory] Perspectives+Observatory

Ondrej Mikle ondrej.mikle at nic.cz
Fri Sep 30 09:21:25 PDT 2011


Hi,

I've created a fork of the Perspectives notary server which takes 
"snapshots" of the SSL/TLS certificates of hosts.

Comparison to original Perspectives server:

- stores whole certificates with complete chain sent by server
- uses PostgreSQL instead of sqlite (suitable for millions of records)
- slightly different semantics of "start_time" and "end_time" (they 
now mean the first and last time a cert was seen, with possible overlaps; 
this is most notable for "CDN-like" hosts hidden behind a proxy)
- still has the HTTP API for Perspectives FF extension

Currently the server scans daily approx. 1.5 M hostnames (I've fed it 
names from old Observatory DB dumps, a couple thousand hosts from toplists 
like Alexa and Quantcast, etc.). The DB contains ca. 1.1+ M unique leaf 
certs and 6500 unique CA (i.e. non-leaf) certs.

One point is to collect data (as a part of distributed observatory), 
though there's no "bulk-fetch" API yet. (I can provide the SQL dump.)

There are two new HTTP methods:

http://notary1.constructibleuniverse.net:8080/get_certs?host=encrypted.google.com&port=443 
fetches the leaf certificates (client for validating signature is in the 
sources)

http://notary1.constructibleuniverse.net:8080/refresh_scan?host=encrypted.google.com&port=443 
forces rescan of the host

Later I'll add a more efficient bulk-query API so that the data can be 
fetched/compared automatically, in a similar way to what Ralph Holz did 
with the scans from multiple places.

The source code can be found at 
git://git.nic.cz/perspectives-observatory/. The public key of the 
testing server:

notary1.constructibleuniverse.net:8080
-----BEGIN PUBLIC KEY-----
MIHKMA0GCSqGSIb3DQEBAQUAA4G4ADCBtAKBrAFzVqLz5qmyMwd4XuXGPtyDu0VO
hvfpt3fUJz/2bGWRDcWPIZw/1Gzj2VQjDSRXuAnjsnJY46s3P50HDYZ764AYvggd
vD8KjjNv5R5r6jW83bqJJPI2mRJR/Gu0iKZn7H7X8tKuL0qH5ukRAsonYj59qk2N
THZkBtiReqYoMv3+FzxJAbXM3rEp0+x2NzM9MeEA8JwYmCBqXZucDeL8N/WSvqOK
alVDUr82uj8CAwEAAQ==
-----END PUBLIC KEY-----

Regards,
  O. Mikle
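The "start_time"/"end_time" semantics described in the mail (first and last time a cert was seen, with overlapping intervals for CDN-like hosts) can be illustrated with a small aggregator. The following is an added example written for this page, not code from the perspectives-observatory fork; the hostnames, fingerprints and timestamps are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample scan observations: (host, port, leaf cert fingerprint, time seen).
# Hostnames and fingerprints are made up for this example.
OBSERVATIONS = [
    ("example.test", 443, "AA:11", "2011-09-01T00:00:00Z"),
    ("example.test", 443, "AA:11", "2011-09-02T00:00:00Z"),
    ("example.test", 443, "BB:22", "2011-09-03T00:00:00Z"),   # clean key rollover
    ("cdn.example.test", 443, "CC:33", "2011-09-01T00:00:00Z"),
    ("cdn.example.test", 443, "DD:44", "2011-09-01T12:00:00Z"),
    ("cdn.example.test", 443, "CC:33", "2011-09-02T00:00:00Z"),
    ("cdn.example.test", 443, "DD:44", "2011-09-03T00:00:00Z"),  # two certs alternate (CDN-like)
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_snapshots(observations):
    """Aggregate observations into {(host, port): {fingerprint: (start_time, end_time)}}.

    start_time/end_time are the first and last time the cert was seen for that
    service; intervals of different certs may overlap, as the mail describes.
    """
    snapshots = defaultdict(dict)
    for host, port, fp, seen in observations:
        t = parse_ts(seen)
        start, end = snapshots[(host, port)].get(fp, (t, t))
        snapshots[(host, port)][fp] = (min(start, t), max(end, t))
    return snapshots


def overlapping_certs(snapshots, host, port):
    """Return sorted fingerprint pairs whose seen-intervals overlap for host:port.

    Overlap means the service presented both certs within the same period,
    which is expected for hosts behind a CDN/proxy but suspicious elsewhere.
    """
    certs = snapshots.get((host, port), {})
    fps = sorted(certs)
    pairs = []
    for i, a in enumerate(fps):
        for b in fps[i + 1:]:
            a_start, a_end = certs[a]
            b_start, b_end = certs[b]
            if a_start <= b_end and b_start <= a_end:
                pairs.append((a, b))
    return pairs


def check_observed(snapshots, host, port, fingerprint):
    """Client-side consistency check against the notary's snapshot.

    Returns (seen, days) where seen says whether the notary ever recorded this
    cert for host:port and days is the length of its observation window.
    """
    window = snapshots.get((host, port), {}).get(fingerprint)
    if window is None:
        return False, 0.0
    start, end = window
    return True, (end - start).total_seconds() / 86400.0


if __name__ == "__main__":
    snaps = build_snapshots(OBSERVATIONS)
    for svc, certs in sorted(snaps.items()):
        for fp, (start, end) in sorted(certs.items()):
            print(f"{svc[0]}:{svc[1]} {fp} first={start:%Y-%m-%d %H:%M} last={end:%Y-%m-%d %H:%M}")
        print("  overlapping:", overlapping_certs(snaps, *svc))
    print(check_observed(snaps, "example.test", 443, "ZZ:99"))
```

A client comparing a freshly received leaf cert against such a snapshot would treat "never seen" (or seen only very briefly) as a reason to distrust the connection, while an overlapping pair on a known CDN-style host is the benign case the changed semantics are meant to represent.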



More information about the Observatory mailing list