Facebook Extends Certificate Transparency Security Tools | eWeek

Facebook Releases New Certificate Transparency Security Tools

Facebook
Dec 14, 2017
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Facebook is aiming to make it easier for organizations to understand and monitor the status of SSL/TLS certificates that have been issued. On Dec. 14, the company announced a series of new tools for developers to gain insight into Certificate Transparency logs and certificate issuance.

The new tools, which include Webhooks and a Graph API, build on the Certificate Transparency Monitoring tool effort that Facebook revealed in December 2016. Certificate Transparency (CT) is a technology initiative started by Google in which notification of newly issued Secure Sockets Layer/Transport Layer Security certificates are published to a CT log.

The goal of CT logs is to prevent mis-issuance of SSL/TLS certificates by helping developers identify when a certificate for their organization has been issued.


Looking at CT logs can be a challenging process, given the high volume of certificates that are issued. Facebook’s new Webhook API tool Facebook has been designed to help developers find the relevant information they need from CT logs.

The advantage of using Webhook API is that the Webhooks feature allows apps to receive real-time notifications of changes to selected pieces of data,” Bartosz Niemczura, software engineer with Facebook’s Product Security team, told eWEEK.

To monitor a CT Log, a developer would need to implement a service that would periodically fetch all certificates from it, according to Niemczura. He added that running that kind of service may require resources that developers don’t necessarily want to invest in. In addition, the vast majority of the fetched certificates would not be relevant to developers as they are typically only interested in the certificates for the domains they own.

Another challenge for developers looking to directly monitor CT logs is finding where all the logs are. Niemczura noted that the list of public CT logs changes over time, and as such developers would need to make sure that their monitors are properly updated and maintained. 

“By using the Webhook API, a developer can simply receive a request whenever Facebook detects new certificates for their domains—all of the challenges mentioned earlier are being taken care of on Facebook’s side,” he said.

Facebook is also releasing Graph API, which will enable developers to get more CT log domain information. Niemczura said Graph API provides a way of querying all certificates issued for a given domain.

Expect-CT

Going a step beyond providing tools for developers, Facebook is now working on implementing the Expect-CT HTTP web browser header for Facebook. The goal of Expect-CT is to help grow adoption of CT logs by providing a mechanism for websites to only accept connections from domains that are listed in a CT log. 

“When someone submits a valid certificate to a CT log, the log responds with a signed certificate timestamp [SCT], which is simply a promise to add the certificate to the log within some time period,” Niemczura explained. “The Expect-CT header allows web host operators to instruct user agents, typically browsers, to expect valid SCTs to be served on connections to these hosts.”

What that means in practice is that the certificate used to secure a connection between the host and the user agent has to be logged in a public CT log. If it’s not, the user agent can reject the connection or trigger a warning, Niemczura said.

“The Certificate Transparency framework requires that every time a CA [Certificate Authority] issues a new certificate, it has to be logged to append-only, public CT logs operated by many independent entities,” he said. “This level of transparency ensures that CAs cannot issue malicious certificates that would be unseen.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.