Discover more of your servers from the Certificate Transparency log

Cryptosense
January 31, 2017

At our crypto service discovery site discovery.cryptosense.com you don't have to enter the fully qualified domain name of a server to test (like www.mydomain.com) - you can just enter a partial name like mydomain.com and the tool will query DNS to look for machines. Previously we did this by guessing common hostnames such as www.mydomain.com and vpn.mydomain.com and checking whether they resolve. Recently we added a feature that queries the Certificate Transparency logs for certificates issued to names under that domain and adds every hostname found in them to the candidate list. This gives much better coverage of machines, since a host whose certificate has been logged turns up whether or not its name is guessable. The example screenshot below shows part of the results when querying for bbc.co.uk.

Once you've got the list, discovery will scan all the machines for crypto services including TLS, STARTTLS (SMTP, IMAP, ...) and SSH. If you create a free account, you can add all these machines to the list that you monitor and sort them by result to easily spot misconfigured servers.

Some domains have thousands of certificates in the log. In the free online version of discovery, we time out the query to the Certificate Transparency server and return only a limited number of results. If you operate a lot of machines and are interested in trying a free discovery account with all your machines pre-loaded, get in touch and we'd be happy to set it up.
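The hostname enumeration described above, as an added example that is not Cryptosense's code and not discovery's implementation. It assumes the JSON shape of the public crt.sh search endpoint (`https://crt.sh/?q=%25.<domain>&output=json`, where each record lists the certificate's names in a newline-separated `name_value` field); the sample records are constructed, and the timeout and the DNS resolution check are the caveats a practitioner would add: a CT entry proves a name was certified at some point, not that the host is still reachable, and large domains return far more records than you want to wait for.

```python
"""Enumerate hostnames for a domain from Certificate Transparency data.

Added example, not Cryptosense's code. It assumes the JSON shape of the
crt.sh search endpoint (https://crt.sh/?q=%25.<domain>&output=json),
where each record carries the certificate's names in a newline-separated
"name_value" field. The sample records below are constructed.
"""
import json
import socket
import urllib.parse
import urllib.request

# Constructed sample, shaped like crt.sh output (assumed format). It mixes
# upper case, a wildcard, a trailing dot, duplicate names and an unrelated
# domain that merely contains the string "example.com".
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2017-01-10T00:00:00", "not_after": "2017-04-10T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nvpn.example.com",
     "not_before": "2016-06-01T00:00:00", "not_after": "2018-06-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "common_name": "mail.example.com",
     "name_value": "MAIL.Example.com.\nsmtp.example.com\nexample.com",
     "not_before": "2016-06-01T00:00:00", "not_after": "2018-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Some CA, CN=Some CA",
     "common_name": "example.com.evil.net",
     "name_value": "example.com.evil.net",
     "not_before": "2016-06-01T00:00:00", "not_after": "2018-06-01T00:00:00"},
])


def parse_ct_json(text):
    """Parse a crt.sh-style JSON document into a list of records."""
    return json.loads(text)


def hostnames_from_ct(records, domain):
    """Return the sorted set of hostnames under `domain` named in `records`.

    Names are lower-cased and stripped of a trailing dot; a wildcard entry
    "*.foo" is reduced to "foo" (the bare name can be probed, the wildcard
    cannot); names that only contain the domain as a substring are dropped.
    """
    domain = domain.lower().strip(".")
    hosts = set()
    for rec in records:
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                hosts.add(name)
    return sorted(hosts)


def fetch_ct_records(domain, timeout=30):
    """Query crt.sh for certificates matching %.<domain> (needs network).

    Large domains have thousands of matching certificates, so the request is
    bounded by `timeout`; the resulting timeout exception is the caller's
    signal to narrow the query rather than silently work from an empty list.
    """
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_ct_json(resp.read().decode("utf-8"))


def resolving_hosts(hosts):
    """Keep only the names that still resolve in DNS (needs network).

    A logged certificate is evidence that a host existed, not that it exists
    now; scanning only the names that resolve avoids a long list of dead
    targets.
    """
    live = []
    for host in hosts:
        try:
            socket.getaddrinfo(host, 443)
        except socket.gaierror:
            continue
        live.append(host)
    return live


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # live query: python ct_hosts.py mydomain.com
        domain = sys.argv[1]
        records = fetch_ct_records(domain)
    else:                                       # offline run over the constructed sample
        domain, records = "example.com", parse_ct_json(SAMPLE_CT_JSON)
    for host in hostnames_from_ct(records, domain):
        print(host)
```

Run it with no arguments to see the five names recovered from the constructed sample, or with a domain to query crt.sh for real; pass the result through `resolving_hosts` before handing the list to a scanner so that only hosts that still exist are probed. The suffix check (`name == domain or name.endswith("." + domain)`) matters: a plain substring match on the domain would drag in unrelated certificates such as `example.com.evil.net`.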