Yes, security researchers like myself are constantly looking in CT logs for suspicious certificates, and I've found many, most notably Symantec issuing certs for example.com (https://groups.google.com/g/mozilla.dev.security.policy/c/fy...) and Certinomis issuing for test.com (https://bugzilla.mozilla.org/show_bug.cgi?id=1496088). Both CAs were eventually distrusted. (But Certinomis will be back once eIDAS is adopted!)
Domain owners can use Certificate Transparency Monitors to learn about suspicious certificates for their own domains. Here are some monitors:
https://crt.sh/ - allows you to search for certificates for a domain
https://github.com/SSLMate/certspotter/ - open source tool which notifies you when a certificate is issued for one of your domains
https://sslmate.com/certspotter/ - commercial service that does the same, operated by my company
> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?
In 2017, Chrome and Firefox distrusted Symantec, which was at the time the world's largest certificate authority: https://security.googleblog.com/2017/09/chromes-plan-to-dist...
Symantec hadn't even issued MitM certs - they were just grossly incompetent. Distrusting them was very painful, but necessary to uphold the integrity of the CA system, and demonstrated conclusively that there is no such thing as a too-big-to-fail CA.
I've written my own Certificate Transparency monitor called Cert Spotter. I use both the standalone open source version (https://github.com/SSLMate/certspotter) and the hosted service (https://sslmate.com/certspotter) to monitor my own domains as well as several test/example domains (example.com, test.com, etc.).
Some things I've learned while working with them:
* CertSpotter [2] is a fantastic CT client written in Go that supports pattern matching. I've been running it locally with `.` match pattern and so far have a 4 gig file of unique domain names. I'm excited to see the end result once it catches up to current time.
* https://crt.sh/ is a great website to search CT logs and supports wildcards. It's currently the workhorse behind my hosts project, but I hope to remove them as a dependency once my own domain list is caught up to present day.
* It looks like OP's tool is just a thin client for the Entrust API [3] and is not actually downloading logs directly - which isn't clear in the article. It made more sense once I figured that out, because these logs are huge and go back years.
[1] https://github.com/lightswitch05/hosts
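The two comments above describe the same defensive workflow from different angles: a domain owner watching CT for certificates that cover their names (first comment), and tooling that searches crt.sh or CertSpotter output by pattern (second comment). The following is an added illustration, not code from crt.sh, Cert Spotter, the hosts project or either commenter. It consumes records in the JSON shape crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json (the field names id, issuer_name, common_name and name_value are an assumption based on that endpoint's observed output), applies RFC 6125-style single-label wildcard matching, and flags any certificate that covers a monitored domain but was issued by a CA the owner did not expect. The records embedded below are constructed sample data, not real log entries.

```python
"""Minimal offline Certificate Transparency monitor (added example).

Assumes crt.sh-style JSON records with the fields id, issuer_name,
common_name and name_value (SANs joined by newlines). Nothing here
talks to the network; replace SAMPLE_RECORDS_JSON with a saved crt.sh
response to run it on real data.
"""
import json

# Constructed sample records in crt.sh JSON shape (not real crt.sh output).
SAMPLE_RECORDS_JSON = r"""
[
  {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.example.com",
   "name_value": "www.example.com\nexample.com"},
  {"id": 1002, "issuer_name": "C=US, O=Example Corp CA, CN=Example Issuing CA",
   "common_name": "*.example.com",
   "name_value": "*.example.com"},
  {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "unrelated.org",
   "name_value": "unrelated.org"},
  {"id": 1004, "issuer_name": "C=US, O=Example Corp CA, CN=Example Issuing CA",
   "common_name": "mail.example.com",
   "name_value": "mail.example.com"}
]
"""


def parse_records(raw_json):
    """Parse a crt.sh JSON response body into a list of dicts."""
    return json.loads(raw_json)


def cert_names(record):
    """All names a certificate asserts: SANs from name_value plus the CN."""
    names = set(record.get("name_value", "").split("\n"))
    if record.get("common_name"):
        names.add(record["common_name"])
    return {n.strip().lower() for n in names if n.strip()}


def name_covers(cert_name, monitored):
    """True if cert_name covers the monitored hostname.

    A wildcard '*.example.com' matches exactly one label below example.com
    (www.example.com yes; example.com and a.b.example.com no).
    """
    cert_name = cert_name.lower()
    monitored = monitored.lower()
    if cert_name.startswith("*."):
        base = cert_name[2:]
        _head, sep, tail = monitored.partition(".")
        return sep != "" and tail == base
    return cert_name == monitored


def find_unexpected(records, monitored_domains, expected_issuers):
    """Return (id, matched name, issuer_name) for every certificate that
    covers a monitored domain and whose issuer_name contains none of the
    expected issuer substrings (e.g. "O=Let's Encrypt")."""
    findings = []
    for rec in records:
        issuer = rec.get("issuer_name", "")
        if any(expected in issuer for expected in expected_issuers):
            continue  # issued by a CA the owner uses; nothing to report
        for name in sorted(cert_names(rec)):
            if any(name_covers(name, d) for d in monitored_domains):
                findings.append((rec["id"], name, issuer))
                break  # one finding per certificate is enough
    return findings


if __name__ == "__main__":
    records = parse_records(SAMPLE_RECORDS_JSON)
    hits = find_unexpected(
        records,
        monitored_domains=["example.com", "www.example.com", "mail.example.com"],
        expected_issuers=["O=Let's Encrypt"],
    )
    for cert_id, name, issuer in hits:
        print(f"crt.sh id {cert_id}: {name} issued by {issuer}")
```

The issuer allowlist is deliberately a substring on the issuer's distinguished name rather than a CA fingerprint, because crt.sh's JSON does not carry the issuer certificate; a production monitor (Cert Spotter does this) should key on the issuer's key or certificate hash instead, since any CA can put any string in its subject.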