Certificate Transparency

Certificate Transparency is a new layer of security on top of the TLS ecosystem.

Tool description

Certificate Transparency will be mandatory in Chrome for new certificates in late 2017. Apart from Chrome, no other browser supports Certificate Transparency yet. This Firefox plugin makes the browser compatible with Certificate Transparency by checking the SCT (Signed Certificate Timestamp) embedded in the certificates that protect the websites the user visits.

Functionalities

A certificate is considered “logged” if it has an SCT (Signed Certificate Timestamp). The SCT is given to the owner of the certificate when it is logged, and the browser has to verify that it is real and current. This is exactly what Chrome has been doing for a while now. Thanks to this plugin, Firefox is now able to check the SCT for certificates as well.

Our plugin works with many logs. It does not matter which log the SCT comes from: we are able to check it because we have included the public key and address of basically all logs known so far:

Google ‘Pilot’, Google ‘Aviator’, DigiCert Log Server, Google ‘Rocketeer’, Certly.IO, Izenpe, Symantec, Venafi, WoSign, WoSign ctlog, Symantec VEGA, CNNIC CT, Wang Shengnan GDCA, Google ‘Submariner’, Izenpe 2nd, StartCom CT, Google ‘Skydiver’, Google ‘Icarus’, GDCA, Google ‘Daedalus’, PuChuangSiDa, Venafi Gen2 CT, Symantec SIRIUS and DigiCert CT2.

An SCT may be delivered in three different ways:
- Embedded in the certificate
- With a TLS extension
- In OCSP

From a plugin's technical perspective, it is not easy to reach the TLS or OCSP extension layer and check the SCT there, even for Mozilla engineers. So far, our plugin checks only SCTs embedded in the certificate itself. Although not ideal, this is the most common scenario: most certificates distribute their SCTs embedded.
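
As an added illustration (not the plugin's own code), the following Python example parses an embedded SCT list in the RFC 6962 TLS encoding and matches each SCT's log ID, the SHA-256 hash of the log's public key, against a table of known logs. It assumes the list bytes have already been unwrapped from the certificate extension; `DEMO_LOG_KEY`, `KNOWN_LOGS` and the sample builder are constructed for the example, and the SCT signature itself is not verified here.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed stand-in for a log's DER-encoded public key (not a real log key).
DEMO_LOG_KEY = b"constructed-demo-log-public-key"
# RFC 6962: a log's ID is the SHA-256 hash of its public key.
KNOWN_LOGS = {hashlib.sha256(DEMO_LOG_KEY).digest(): "Demo Log (constructed)"}

def parse_sct(sct, known_logs=KNOWN_LOGS):
    """Parse one v1 SCT: version | log_id | timestamp | extensions | signature."""
    if len(sct) < 47:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError("unsupported SCT version")
    log_id = sct[1:33]
    ts_ms, ext_len = struct.unpack_from(">QH", sct, 33)
    pos = 43 + ext_len  # skip the (usually empty) extensions field
    if pos + 4 > len(sct):
        raise ValueError("truncated SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if len(sct) - (pos + 4) != sig_len:
        raise ValueError("signature length mismatch")
    return {
        "log": known_logs.get(log_id),  # None means the log is not in our table
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "hash_alg": hash_alg, "sig_alg": sig_alg,
        "signature": sct[pos + 4:],
    }

def parse_sct_list(data, known_logs=KNOWN_LOGS):
    """Parse a SignedCertificateTimestampList: 2-byte total, then length-prefixed SCTs."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT list")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n], known_logs))
        pos += 2 + n
    return scts

def build_sample_list(log_key=DEMO_LOG_KEY, ts_ms=1500000000000, sig=b"\x30\x00"):
    """Build a constructed one-entry list with placeholder signature bytes."""
    sct = (b"\x00" + hashlib.sha256(log_key).digest() + struct.pack(">QH", ts_ms, 0)
           + struct.pack(">BBH", 4, 3, len(sig)) + sig)  # 4 = SHA-256, 3 = ECDSA
    return struct.pack(">H", len(sct) + 2) + struct.pack(">H", len(sct)) + sct
```

An SCT whose log ID is missing from the table comes back with `log` set to `None`, which a checker should treat as unverifiable rather than as logged.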
Certificate Transparency Checker