ZeroTrace OSINT
TLS Inspector
Full certificate chain, cipher suites, TLS versions, OCSP, CRL, JA3S/JA4S fingerprints, and sibling-hostname lookup.
The TLS inspector connects to a host on port 443 (or any TLS-enabled port) and reads the entire TLS handshake and certificate chain. It then enriches the result with sibling-hostname lookups from certificate transparency, OCSP / CRL endpoint inspection, and a security grade based on the negotiated parameters.
What you get
| Section | What it surfaces |
|---|---|
| Negotiated parameters | TLS version, cipher suite, key exchange, MAC, named curve |
| Cipher security breakdown | Per-cipher score with forward-secrecy, AEAD, quantum-vulnerability flags |
| Certificate chain | Every cert from leaf to root with subject, issuer, SAN list, key algorithm and size, validity dates, fingerprints |
| Leaf certificate flags | Self-signed, expired, expiring soon, weak key, weak signature algorithm |
| OCSP stapling | Whether the server staples an OCSP response, plus the OCSP responder URL |
| CRL distribution points | URLs for certificate revocation lists |
| HSTS / Expect-CT headers | Read from a sibling HTTPS GET against the same host |
| JA3S / JA4S server fingerprint | Cryptographic fingerprint of the server's TLS handshake response |
| Sibling hostnames | Other hostnames found on certificates issued for the same leaf — auto-pulled from CT |
| Security grade | Composite A+ / A / B / C / D / F based on TLS version, cipher, cert validity, OCSP, HSTS |
TLS version + cipher
The negotiated parameters tell you the minimum a client could negotiate with this server. The breakdown shows:
- TLS version — 1.3 (modern), 1.2 (acceptable), 1.1 / 1.0 (deprecated), SSL 3 (broken).
- Cipher suite — full string, plus per-component flags.
- Forward secrecy — does the cipher provide it? (
ECDHE/DHE= yes,RSAkey exchange = no.) - Authenticated encryption — does the cipher provide AEAD? (
GCM,CHACHA20-POLY1305= yes,CBC= no.) - Quantum-vulnerable — does the cipher rely on key exchange that quantum computers can break? (Pre-PQC anything = yes.)
Certificate chain
Each certificate in the chain shows on its own card:
- Subject, issuer, validity period (with the freshness chip for expiry urgency).
- Subject Alternative Names (the full SAN list).
- Public key algorithm + size (RSA-2048, EC P-256, etc.).
- Signature algorithm (SHA256-RSA, ECDSA-SHA384, etc.).
- Fingerprints (SHA1, SHA256).
Chain validity (does the chain build to a trusted root) is checked. If a cert in the chain is missing or expired, the tool flags it.
OCSP and CRL
For each certificate, the tool extracts:
- OCSP responder URL — and pings it to confirm the cert is not revoked.
- CRL distribution points — listed (the CRLs themselves are large; the tool lists the URLs without fetching).
- OCSP stapling — whether the server includes a stapled OCSP response in the handshake (faster, more private than a separate OCSP query).
JA3S / JA4S fingerprints
JA3S and JA4S are cryptographic hashes of the server's TLS handshake response. They are useful for:
- Identifying common TLS stacks. A given JA3S maps to "Cloudflare's TLS termination," "Apache 2.4 with default config," "nginx 1.21 default," etc.
- Spotting infrastructure clusters. Two completely different domains with the same JA3S share their TLS termination — same operator, very probably.
- Detecting impersonation. A site that claims to be Bank X but has Bank Y's JA3S was set up by someone copying configurations rather than running the genuine stack.
JA3S / JA4S is one of the few attribution signals an attacker cannot trivially fake without rebuilding their TLS stack. For phishing-domain investigation, finding multiple suspicious domains with the same JA4S is a strong infrastructure-cluster signal.
Sibling hostnames from CT
The leaf certificate's serial number gets cross-referenced with certificate transparency logs. The tool returns:
- Other hostnames covered by the same certificate. SAN list.
- Other certificates that covered the leaf hostname. Renewal history.
- Other certificates from the same issuer for the same hostname. Reissues.
This is the same cross-pivot you would do manually with crt.sh, automated.
HSTS and Expect-CT
A separate HTTPS GET on the host fetches the security headers. The tool surfaces:
- HSTS
max-ageand whether it includes subdomains. - Whether HSTS is preload-eligible.
- Expect-CT settings (deprecated but still useful as a signal).
Alternate-port probing
A toggle attempts the same TLS inspection on alternate ports (8443, 9443, 10443) commonly used for admin panels behind TLS. Useful for finding "we forgot we still expose this" panels.
Pivots
| Click on... | Pivot to |
|---|---|
| The hostname | Site analysis, DNS, certificate transparency, subdomain discovery, Wayback |
| Sibling hostname | TLS inspector (recursive), site analysis |
| OCSP / CRL URL | URL parser |
| Issuer name | Certificate transparency for "all leafs from this issuer for this domain" |
| Cert fingerprint | (no pivot — copy and search externally) |
Sources
- Direct TLS handshake against the target host.
crt.shfor sibling-hostname cross-reference.- The OCSP responder named in each certificate (when stapling is off).
- A bundled cipher security catalog and key-algorithm catalog.
Every external source is named on the result.