Web Scanner lets users target the SSL data of a webpage in a number of ways, allowing security teams to scan for similar websites.
Here's an explanation of some useful data types. Click here for a full list of field names.
SSL Certificate Hash Value (CHV)
Field name
ssl.CHV
Explanation
CHV hashes serve as both a prefilter and a mechanism for identifying unique SSL certificates. If malicious servers use self-signed certificates with unusual SSL extension keys, a CHV hash would readily identify them.
The ssl.CHV (Certificate Hash Value) resembles the HHV (Header Hash Value) in that it is based on the keys, not values, within the SSL certificate.
CHVs are separated into three sections, each divided by a colon.
"487049c6c39ee487049c6c39ee7646766df07c6:w:0005"
- The first part of the ssl.CHV consists of hashes that denote the keys of the issuer, subject, and SSL extensions. It's common to see the same value for the first two hashes in this part, indicating that the keys for subject and issuer are identical.
- The second part of the CHV can be either a "w" or an "x," indicating whether the certificate is a wildcard or not.
- The count at the end of the CHV ("0005" in the above example) indicates the number of domains listed in the Subject Alternative Names (SANs) field of the certificate. This field name is also available in SPQL and Web Scanner as ssl.sans
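The three-part layout described above can be parsed and used to group hosts whose certificates share the same key structure. This is an added example, not Web Scanner's own code. It assumes that "w" marks a wildcard certificate and that the first part is three equal-length hashes in the order issuer, subject, extensions (inferred from the example value); the host names and the second and third records are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

_CHV_RE = re.compile(r"([0-9a-f]+):([wx]):(\d+)")

@dataclass(frozen=True)
class CHV:
    key_hash: str   # hashes of the issuer, subject and extension keys
    flag: str       # "w" or "x"
    san_count: int  # number of Subject Alternative Names entries

    @property
    def is_wildcard(self):
        # Assumption: "w" = wildcard certificate, "x" = not a wildcard.
        return self.flag == "w"

    def segments(self):
        # Assumption (inferred from the page's example): three equal-length
        # hashes, ordered issuer, subject, extensions.
        n, rem = divmod(len(self.key_hash), 3)
        if rem:
            raise ValueError("key hash does not split into three equal segments")
        return tuple(self.key_hash[i * n:(i + 1) * n] for i in range(3))

    @property
    def issuer_subject_keys_match(self):
        issuer, subject, _ = self.segments()
        return issuer == subject

def parse_chv(value):
    m = _CHV_RE.fullmatch(value.strip().strip('"').lower())
    if not m:
        raise ValueError(f"not a CHV: {value!r}")
    return CHV(m.group(1), m.group(2), int(m.group(3)))

def group_by_key_hash(records):
    """Map key hash -> hosts for (host, chv) pairs; malformed CHVs are skipped."""
    groups = defaultdict(list)
    for host, raw in records:
        try:
            groups[parse_chv(raw).key_hash].append(host)
        except ValueError:
            continue
    return dict(groups)

# Constructed records; only the first CHV value is the page's example.
SAMPLE = [("a.example", "487049c6c39ee487049c6c39ee7646766df07c6:w:0005"),
          ("b.example", "487049c6c39ee487049c6c39ee7646766df07c6:x:0001"),
          ("c.example", "not-a-chv")]
```

Grouping on the first part alone ignores the wildcard flag and SAN count, so certificates built from the same template cluster together even when their domain lists differ.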