Facebook is aiming to make it easier for organizations to understand and monitor the status of SSL/TLS certificates that have been issued. On Dec. 14, the company announced a series of new tools for developers to gain insight into Certificate Transparency logs and certificate issuance.
The new tools, which include Webhooks and a Graph API, build on the Certificate Transparency Monitoring tool effort that Facebook revealed in December 2016. Certificate Transparency (CT) is a technology initiative started by Google in which notification of newly issued Secure Sockets Layer/Transport Layer Security certificates are published to a CT log.
The goal of CT logs is to prevent mis-issuance of SSL/TLS certificates by helping developers identify when a certificate for their organization has been issued.
Looking at CT logs can be a challenging process, given the high volume of certificates that are issued. Facebook’s new Webhook API tool Facebook has been designed to help developers find the relevant information they need from CT logs.
“The advantage of using Webhook API is that the Webhooks feature allows apps to receive real-time notifications of changes to selected pieces of data,” Bartosz Niemczura, software engineer with Facebook’s Product Security team, told eWEEK.
To monitor a CT Log, a developer would need to implement a service that would periodically fetch all certificates from it, according to Niemczura. He added that running that kind of service may require resources that developers don’t necessarily want to invest in. In addition, the vast majority of the fetched certificates would not be relevant to developers as they are typically only interested in the certificates for the domains they own.
Another challenge for developers looking to directly monitor CT logs is finding where all the logs are. Niemczura noted that the list of public CT logs changes over time, and as such developers would need to make sure that their monitors are properly updated and maintained.
“By using the Webhook API, a developer can simply receive a request whenever Facebook detects new certificates for their domains—all of the challenges mentioned earlier are being taken care of on Facebook’s side,” he said.
Facebook is also releasing Graph API, which will enable developers to get more CT log domain information. Niemczura said Graph API provides a way of querying all certificates issued for a given domain.
Expect-CT
Going a step beyond providing tools for developers, Facebook is now working on implementing the Expect-CT HTTP web browser header for Facebook. The goal of Expect-CT is to help grow adoption of CT logs by providing a mechanism for websites to only accept connections from domains that are listed in a CT log.
“When someone submits a valid certificate to a CT log, the log responds with a signed certificate timestamp [SCT], which is simply a promise to add the certificate to the log within some time period,” Niemczura explained. “The Expect-CT header allows web host operators to instruct user agents, typically browsers, to expect valid SCTs to be served on connections to these hosts.”
What that means in practice is that the certificate used to secure a connection between the host and the user agent has to be logged in a public CT log. If it’s not, the user agent can reject the connection or trigger a warning, Niemczura said.
“The Certificate Transparency framework requires that every time a CA [Certificate Authority] issues a new certificate, it has to be logged to append-only, public CT logs operated by many independent entities,” he said. “This level of transparency ensures that CAs cannot issue malicious certificates that would be unseen.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.