SecurityTrails Blog · Feb 05 · SecurityTrails team

Analyzing SSL Certificates with SurfaceBrowser

SSL certificates have been in use for decades, but in recent years we’ve seen a tremendous boost in SSL orders from all the major providers. Nowadays, SSL certificates play a critical role in the cybersecurity industry.

Securing a web page or web application doesn’t end with following the best security-oriented coding practices or hardening your server stack. It also means encrypting client and server communications, and there is only one way to do that: by using an SSL certificate.

With the rise of SSL certificates thanks to projects like Let’s Encrypt, Comodo free SSLs and modern web browsers marking pages as insecure if they don’t use one, there is an additional layer of control available to keep watch at all times.

We’ve written about the importance of SSL certificates and transparency logs, and about serious cybersecurity issues with stale DNS records and free SSL certificates, so today we’ll explore one of the best ways to analyze and keep your SSL certificates under control.

How can I analyze my SSL certificates?

SurfaceBrowser is our premier enterprise-security product, as it lets you analyze all the most popular cybersecurity aspects of any given domain name or brand in the world.

With this tool, you can check domain name WHOIS history and DNS record history, and analyze IP blocks, associated domains and subdomains. You can also check the critical information in SSL certificates.

As an example, let’s take fbi.gov, the domain of one of the most famous federal agencies in the United States, and explore its SSL certificate data.

[Image: FBI SSL certificate data search]

The SSL Certificates area offers a summary of all SSL information obtained from this company or organization.

SSL Summary by Company

If you choose to explore ‘by Company’, you’ll find the different company names utilized when registering the SSL certificates, such as:

  • fbi (53)
  • federal bureau of investigation (25)
  • department of justice (4)
  • ndcac (3)
  • cloudflare, inc. (2)
  • *.cte.fbi.gov (1)
  • *.fbi.gov (1)

From this quick look, we know the FBI uses different company names in their SSL certificates. We can even presume they’re actively using Cloudflare on many of their subdomains.

[Image: FBI SSL certificates]

Browse SSL by Creation Year

If you want to browse SSL certificates by creation year, it’s really easy from the web interface. Simply choose the year you want to explore and the results will appear right in front of your eyes.

The FBI follows the same mass SSL adoption trend as the rest of the internet, increasing their SSL certificate setups since 2016, with 2018 as the year they deployed their maximum number:

  • 2015 (6)
  • 2016 (19)
  • 2017 (9)
  • 2018 (78)

[Image: FBI SSL certificate history]

Summary by Expiration Year

There’s nothing worse than opening your notebook first thing in the morning, browsing your company website and discovering that it’s running with an expired SSL.

Whether the renewal email has fallen into the spam folder, or you’ve accidentally deleted it by confusing it with other social and media marketing emails, or you’ve purchased an SSL from a company that doesn’t even send SSL renewal notices, knowing the exact date of your SSL expiration can save you a lot of headaches.

This is a pretty common issue when you run free SSL certificates from providers like Let’s Encrypt, which is prone to different kinds of problems and fails often.

[Image: Expired SSL certificates]

Summary by Validity

Summarizing SSL certificates by validity enables you to explore both current valid active SSL certificates as well as expired ones.

Exploring active SSL certificates is one of the best ways to get intel reconnaissance about your target, their domain names, and subdomains. Sometimes you can even discover private intranet areas that are mistakenly exposed to the Internet.

The same goes for old subdomains that are no longer running with an active SSL certificate; sometimes you can find a lot of active subdomains with expired certificates, which are obviously not working as expected.

One of the clearest examples is the famous Let’s Encrypt certificates, which are free but valid for only 90 days.

The big surprise is that a well-respected federal security agency like the FBI has actually performed tests with these types of certificates, as seen in the subdomain crime-data.fbi.gov, whose certificate was issued on 2016-12-19 and expired on 2017-03-19. Nowadays it seems they are no longer using Let’s Encrypt and have switched to paid certificates from other companies such as COMODO, Entrust, Inc, DigiCert Inc or GoDaddy.com, Inc.

[Image: FBI expired certificates]

On the other hand, it’s a little bit ironic to learn that even Let’s Encrypt, who aims for free SSL certificates for everyone, is using a few commercial Amazon SSL certificates for some of their web areas. There is some chance that they might be using Amazon load balancers or another AWS service where these SSLs are auto-issued.
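The four summaries described above (by company, creation year, expiration year and validity) can be reproduced over your own certificate inventory. The following is an added example, not SurfaceBrowser code or output: the record layout, the function names, the 30-day renewal window and the reference date are assumptions, and every record except the crime-data.fbi.gov dates quoted in the article is constructed.

```python
from collections import Counter
from datetime import date

# Constructed inventory. Only the crime-data.fbi.gov dates come from the
# article; all other names, organizations and dates are made up.
CERTS = [
    {"cn": "crime-data.fbi.gov", "org": "",
     "not_before": date(2016, 12, 19), "not_after": date(2017, 3, 19)},
    {"cn": "www.example.gov", "org": "Example Agency",
     "not_before": date(2018, 3, 1), "not_after": date(2019, 3, 1)},
    {"cn": "*.example.gov", "org": "EXAMPLE AGENCY ",
     "not_before": date(2018, 6, 10), "not_after": date(2019, 2, 20)},
    {"cn": "intranet.example.gov", "org": "Example Dept",
     "not_before": date(2018, 1, 5), "not_after": date(2020, 1, 5)},
]

def org_label(cert):
    """Normalize the organization name; fall back to the common name when
    the certificate carries no organization (assumed grouping rule)."""
    return (cert["org"].strip() or cert["cn"]).lower()

def status(cert, today, renew_days=30):
    """Classify a certificate relative to `today`."""
    if today < cert["not_before"]:
        return "not-yet-valid"
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        return "expired"
    return "expiring-soon" if days_left <= renew_days else "valid"

def summarize(certs, today, renew_days=30):
    """Return the four groupings plus the names that need attention,
    ordered by expiration date."""
    return {
        "by_company": Counter(org_label(c) for c in certs),
        "by_creation_year": Counter(c["not_before"].year for c in certs),
        "by_expiration_year": Counter(c["not_after"].year for c in certs),
        "by_validity": Counter(status(c, today, renew_days) for c in certs),
        "attention": sorted(
            (c["not_after"], c["cn"]) for c in certs
            if status(c, today, renew_days) in ("expired", "expiring-soon")),
    }

if __name__ == "__main__":
    # Reference date is an assumption chosen for the sample data.
    report = summarize(CERTS, today=date(2019, 2, 5))
    for key, value in report.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The `attention` list is the part worth wiring into a scheduled job: it surfaces certificates inside the renewal window before they show up in the expired bucket.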

Conclusion

SurfaceBrowser strives to be one of the most complete intel-gathering tools available, ready to keep all your domains, IPs, DNS records and SSL certificates under control at all times.


If you’re a security research firm or private infosec researcher, you can also take advantage of this fabulous tool to boost your daily tasks.

Schedule a demo with us today and start using the powerful SurfaceBrowser. If you have any questions, don’t hesitate to contact us. We’re always here to help!