20

Am I going crazy or is there no way to access any of the "known logs" listed on Google's Certificate Transparency site? Every single one of the links listed there 404s, even though the list is allegedly up to date. Is there some arcane way of accessing them that everyone is already supposed to know? The website says nothing about how to go about it.

I did find this library, which seems to provide some sort of interface with a log, but it appears to be using regular HTTPS in order to access them, just as a browser or curl would (to my understanding), which is what is 404ing for me. Am I missing something here or is every single link in the Known Logs list really dead?

(And yes, I posted this question on their forums but no one has answered.)

EDIT: I'm looking for a way to access them via an API, not through a human-computer interface like a web form.

user124384

3 Answers

18

The CT endpoints are correct; however, you need to access them with the correct paths and parameters instead of the root endpoint.

For example, to access the STH (signed tree head), you use the URL: https://ct.googleapis.com/pilot/ct/v1/get-sth

Or to access log entries numbered 1000 to 1100: https://ct.googleapis.com/rocketeer/ct/v1/get-entries?start=1000&end=1100

RFC 6962 describes all the paths and parameters used for CT operations, or you can use a library like https://github.com/google/certificate-transparency.

Lie Ryan
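An added example (not from the answer above or from the linked library) that builds the RFC 6962 URLs the answer describes and goes one step further by decoding the `leaf_input` field a `get-entries` reply carries. The helper names are hypothetical, the sample reply is constructed, and whether a given log still answers is not assumed.

```python
import base64, hashlib, json, struct
from urllib.parse import urlencode
from urllib.request import urlopen

def ct_url(log_base, operation, **params):
    """RFC 6962 section 4: operations live under <log base>/ct/v1/."""
    url = f"{log_base.rstrip('/')}/ct/v1/{operation}"
    return f"{url}?{urlencode(params)}" if params else url

def ct_get(log_base, operation, **params):
    """Fetch one operation from a live log and decode the JSON reply."""
    with urlopen(ct_url(log_base, operation, **params), timeout=10) as resp:
        return json.load(resp)

def parse_leaf(leaf_input_b64):
    """Decode a get-entries leaf_input (MerkleTreeLeaf, RFC 6962 section 3.4)."""
    raw = base64.b64decode(leaf_input_b64)
    if len(raw) < 12:
        raise ValueError("leaf_input too short")
    version, leaf_type, timestamp_ms, entry_type = struct.unpack(">BBQH", raw[:12])
    if version != 0 or leaf_type != 0:
        raise ValueError("not a v1 timestamped_entry leaf")
    if entry_type not in (0, 1):
        raise ValueError("unknown entry_type")
    # A precert_entry carries a 32-byte issuer_key_hash before the TBSCertificate.
    pos = 12 + (32 if entry_type == 1 else 0)
    prefix = raw[pos:pos + 3]                      # 24-bit length prefix
    length = int.from_bytes(prefix, "big")
    der = raw[pos + 3:pos + 3 + length]
    if len(prefix) != 3 or len(der) != length:
        raise ValueError("truncated certificate")
    return {
        "entry_type": ("x509_entry", "precert_entry")[entry_type],
        "timestamp_ms": timestamp_ms,
        "der": der,
        # Leaf hash used in audit proofs: SHA-256(0x00 || MerkleTreeLeaf).
        "leaf_hash": hashlib.sha256(b"\x00" + raw).hexdigest(),
    }

# Constructed sample shaped like a get-entries reply; the 5-byte "certificate"
# is a placeholder DER blob, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_LEAF = (b"\x00\x00" + struct.pack(">QH", 1502584740000, 0)
               + len(SAMPLE_DER).to_bytes(3, "big") + SAMPLE_DER + b"\x00\x00")
SAMPLE_REPLY = json.dumps({"entries": [
    {"leaf_input": base64.b64encode(SAMPLE_LEAF).decode(), "extra_data": ""}]})

if __name__ == "__main__":
    print(ct_url("https://ct.googleapis.com/pilot", "get-sth"))
    for entry in json.loads(SAMPLE_REPLY)["entries"]:
        print(parse_leaf(entry["leaf_input"]))
```

Against a log that is still serving, `ct_get(base, "get-entries", start=1000, end=1100)["entries"]` yields the same shape of entries that `parse_leaf` consumes.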
9

Is this what you're looking for?

Google Transparency Report

It gives you the ability to search the CT logs for all certs issued to a particular domain.

Mike Ounsworth
  • Maybe? Ideally I'd like to be able to interact with it programmatically with an API rather than manually via a web form. How is that search different from the "known logs" websites? – user124384 Aug 13 '17 at 00:39
  • It's starting to look like the GitHub repo I linked to has what I need since it contains "A collection of client tools and libraries for interacting with a CT Log." It appears to be accessing one of the known logs (pilot), so I'm in the middle of installing its extensive dependencies, but I don't understand how it can work if the link to the log 404s. – user124384 Aug 13 '17 at 00:41
  • Your question says _"Every single one of the links listed there 404s"_. The link I provided is for the same information, but doesn't 404. I don't think your question makes it clear that you're looking for an API. Sorry. – Mike Ounsworth Aug 13 '17 at 01:02
  • You're right, I didn't. Sorry. I was focused on my confusion about just why none of the links were working. – user124384 Aug 13 '17 at 06:48
4

If you are interested in accessing CT logs programmatically, then one possible way forward could be the lib I made, CTjs. There you can find an example of how to use it; it is an example using all possible APIs and features of a CT log. There is also an RFC 6962 example on real data from all known CT logs.

  • Welcome to Information Security Stack Exchange! I'm not sure if this answers the question - OP is asking for the endpoints, not for software to address it. Also, since this is your own product, please disclose that information in your answers. – S.L. Barth Jun 20 '18 at 12:26
  • As the "topic starter" said, "Ideally I'd like to be able to interact with it programmatically with an API than manually via a web form" - check the comment from "user124384" Aug 13 '17 at 0:39. So, I do think it could be useful. – Yury Strozhevsky Jun 20 '18 at 12:39