Real-time Certificate Transparency log explorer. Watch newly issued TLS certificates appear as they're published to public CT logs.
CertTrack monitors Certificate Transparency logs in real-time, showing you newly issued TLS certificates as they appear. You can watch the stream of certificates, filter by domain, and explore the details of each certificate.
My company Freestyle (YC S24) provisions a lot of certificates for our customers. We noticed a shocking amount of malicious traffic going to our customers' preview domains—hundreds of malicious requests per second—which was confusing because these domains aren't routed via DNS.
After investigation, we discovered that attackers were using CT logs to discover domains, then sending traffic directly to our IPs with the Host header set to those domains. This project is my exploration into how CT logs work, why they exist, and how to understand them to protect customers.
Certificate Transparency (CT) is a standard which requires certificate authorities to publish all TLS certificates they issue to publicly auditable, append-only logs. This serves as an audit log for security researchers and as a verification step for browsers to ensure certificates are believed to be valid by their issuer.
Based on our analytics, the vast majority of malicious requests are:
- Scanning for uninitialized sites: Looking for PHP and WordPress websites with admin paths, unauthenticated setup routes, and other tells of uninitialized websites. Attackers aim to sign into the admin before the legitimate user can.
- Hunting for sensitive files: Requesting `/.env`, `/api/config.json`, `/.git/config`, and other configuration files that could leak credentials or sensitive information.
There's no perfect way to prevent this, but acting with awareness helps:
- Use wildcard certificates whenever possible—individual subdomains won't be exposed
- Don't launch with detectable uninitialized states—avoid default install pages, exposed setup routes, etc.
- Be aware that once a certificate is issued, the domain is public—even before it has any traffic
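As an added example (not part of CertTrack's code), this TypeScript classifies logged requests into the two probe categories above and reports whether each targeted hostname was published in CT as an exact SAN or only covered by a wildcard. The WordPress installer routes, the `LoggedRequest` shape, and all sample hostnames are assumptions constructed for illustration.

```typescript
// Added example: triage request logs for the CT-driven probes described above.
type Probe = "sensitive-file" | "uninitialized-site" | null;
type Exposure = "exact" | "wildcard" | "none";
interface LoggedRequest { host: string; path: string }

// File paths named on this page; the two WordPress installer routes are assumed.
const SENSITIVE_FILES = ["/.env", "/api/config.json", "/.git/config"];
const SETUP_ROUTES = ["/wp-admin/install.php", "/wp-admin/setup-config.php"];

function classifyPath(rawPath: string): Probe {
  // Drop the query string, then normalise case and repeated slashes.
  const path = rawPath.replace(/\?.*$/, "").toLowerCase().replace(/\/{2,}/g, "/");
  if (SENSITIVE_FILES.includes(path)) return "sensitive-file";
  if (SETUP_ROUTES.includes(path)) return "uninitialized-site";
  return null;
}

// "exact": the hostname itself is a logged SAN, so CT lists it publicly.
// "wildcard": only *.parent is logged, so CT does not reveal this label.
function ctExposure(host: string, loggedSans: string[]): Exposure {
  const h = host.toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
  const sans = loggedSans.map((s) => s.toLowerCase());
  if (sans.includes(h)) return "exact";
  // A wildcard certificate name covers exactly one left-most label.
  const parent = h.split(".").slice(1).join(".");
  return parent !== "" && sans.includes(`*.${parent}`) ? "wildcard" : "none";
}

// Count probes per "<exposure>/<probe type>" so CT-sourced scanning stands out.
function summarise(requests: LoggedRequest[], loggedSans: string[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const r of requests) {
    const probe = classifyPath(r.path);
    if (probe === null) continue;
    const key = `${ctExposure(r.host, loggedSans)}/${probe}`;
    counts[key] = (counts[key] ?? 0) + 1;
  }
  return counts;
}

// Constructed sample data: SANs from issued certificates, then request log rows.
const LOGGED_SANS = ["pr-42.preview.example.com", "*.apps.example.com"];
const SAMPLE: LoggedRequest[] = [
  { host: "pr-42.preview.example.com", path: "/.env" },
  { host: "pr-42.preview.example.com", path: "/wp-admin/install.php?step=1" },
  { host: "PR-42.preview.example.com:443", path: "//.git/config" },
  { host: "shop.apps.example.com", path: "/index.html" },
  { host: "shop.apps.example.com", path: "/.env" },
];
console.log(summarise(SAMPLE, LOGGED_SANS));
```

Probes against a hostname that is only covered by a wildcard indicate the name was learned somewhere other than CT, which is worth investigating separately.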
- Built on RFC 6962 Certificate Transparency
- Uses Google Chrome's public CT log list
- RFC 6962 is being replaced by a newer standard called Static Certificate Transparency
- Next.js 16
- React 19
- TypeScript
- Tailwind CSS 4
- Radix UI
- @peculiar/x509 for certificate parsing
```bash
# Clone the repository
git clone https://github.com/theswerd/certtrack.git
cd certtrack
# Install dependencies
bun install
# Start the development server
bun dev
```

Open http://localhost:3000 to view it in your browser.
Built by Ben Swerdlow