Growth Of HTTPS Public Logs (CT)

As we have a database of all the issued public certificates, we started looking at some of the data. This is a quick note about the frequency of updates of certificate transparency (CT) logs.

We looked at 27 CT logs, which we have been processing and this note covers two aspects:

  • frequency of updates – how long would your new certificate take to appear in CT logs;
  • growth of the logs – how many items are being added to each of the logs to get a feeling for the dynamics of the ecosystem.

The following data has been collected over 6 weeks and the charts use ten measurements collected during that period.

Frequency of Updates of CT Logs

Although CT logs should provide a quick information about new certificates, not all the logs are updated with the same frequency.

As you can see in the table below, the variations are huge – from real-time updates of the Google CT logs called “argon”, to 6 hours update frequency of Symantec logs. closed no new entries closed no new entries closed no new entries
60 mins
60 mins possibly 5 minutes
on either side
of the interval
real time less than 30 seconds
6 hours
60 mins
10 mins
60 mins

Growth of Logs

The next thing I wondered was whether the big CT logs are quicker or the other way round. So let’s start with how each of the CT logs grows.

Change in the CT logs size over 6 weeks’ period

As you can see there are a few logs that grow significantly faster than others. Rocketeer and Pilot are among the biggest CT logs with over 410 million and 360 million entries respectively. Argon2018, Icarus and Nimbus2018 also have over 200 million entries.

The next chart suggests that the relative growth of CT logs has somewhat changed over the 6 week period so while snapshot figures give us a good indication, they don’t tell the whole story.

Growth of all CT logs over the period if 6 weeks
Growth of all CT logs over the period if 6 weeks

So where does it leave us. If you’re worried about attacks and unauthorized certificates and their exploitation for cyber attacks, you may want to find out which CT logs are used by your certificate issuer.

It also suggests that a quick notification system has its value to minimize any additional latency in discovering potential attacks against your internet services.

Why we’re looking into it?

We need a good source of information for real-time notifications for our users. A new version is coming soon and we have built our own lookup table (currently with 6,600,000,000 rows) so we can provide you with the best possible analytics.

Leave a Reply

Your email address will not be published. Required fields are marked *