Knowing when an SSL/TLS certificate has been issued for a given domain is helpful in giving organizations insight into any potentially mis-issued security certificates. On December 13, Facebook announced the launch of its freely-available Certificate Transparency Monitoring tool, providing users with a simple way to search for recently issued certificates and to be alerted when a new certificate is issued for a specific domain.
SSL/TLS (Secure Socket Layer/ Transport Layer Security) is the encryption standard used across the internet to secure websites. A best practice for SSL/TLS is for the security certificates to be issued by a known Certificate Authority (CA) to help guarantee authenticity and integrity. Certificates can potentially be accidentally or maliciously mis-issued, which is a risk that the Certificate Transparency effort aims to help mitigate. Google initiated the Certificate Transparency initiative, which involves Certificate Authorities publishing newly issued certificates to a Certificate Transparency (CT) log.
For organizations, accessing the CT logs to see what has been issued hasn’t always been easy, which is where the new Certificate Transparency Monitoring tool comes into play. Facebook’s tool enables users to search CT logs for certificates as well as provides a mechanism to subscribe to alerts on domains.
Facebook itself has been using CT logs to help identify certificates that are being issued against its domains. Facebook does not, however, operate its own CT log server.
“We monitor other CT logs,” David Huang, Security Engineer at Facebook told eWEEK. “Specifically, we monitor the active logs currently included in Chrome.”
In terms of how new certificate information gets into CT logs in the first place, Huang explained that certificates can be submitted to CT Logs by anyone, including certificate authorities, web crawlers and site owners.
“The CT monitoring tool is able to monitor Domain Validated certificates that are logged to CT logs,” Huang said. “In the future, this will include all publicly trusted certificates.”
Google is set to require that all publicly trusted website security certificates be in CT logs by October 2017, in order for the sites to be trusted by Google’s Chrome web browser.
“The investments made by CAs adopting CT, and Chrome requiring it in some cases, have already paid tremendous dividends in providing a more secure and trustworthy Internet,” Ryan Sleevi, staff software engineer at Google, wrote in an October blog announcing the CT policy. “The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs.”
With the new Facebook Certificate Transparency Monitoring tool if a user notices something wrong, for example a mis-issued certificate, there are a few things the user can do.
“We recommend looking into which Certificate Authority issued the certificate and then investigating why it was mis-issued,” Huang said. “After that, the individual can contact the Certificate Authority to get the mis-issued certificate revoked.”
Looking forward, Facebook sees the new Certificate Transparency Monitoring tool as a ‘first step’ and will be looking to improve it.
“We are looking forward to feedback on this tool, and we would like to build new features in the future,” Huang said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist