The movement toward Certificate Transparency (CT) has brought about a healthy improvement, not only in the way organizations monitor and audit TLS certs, but also in cutting down the number of malicious or mistakenly issued certificates. CT, a framework developed by Google, works because Certificate Authorities are required to submit certificates to publicly accessible logs; as of next October, non-compliant sites will no longer be trusted by Chrome.
For smaller organizations in particular, the cost is high to build out an infrastructure and search tool that interacts with all public CT logs. Facebook, however, may have filled that gap today with the release of a previously internal tool called the Certificate Transparency Monitoring Developer Tool.
The tool checks major public CT logs at regular intervals for new certificates issued on domains singled out by the user.
“We’ve been monitoring Certificate Transparency logs internally since last year, and found it very useful,” Facebook security engineer David Huang said. “It allowed us to discover unexpected certs that were issued for our domain that we previously were unaware of. We realized it might be useful for other developers and made this free for everyone.”
The tool allows users to search CT logs for a particular domain and return certs that have been issued for the domain and its subdomains. Users can also subscribe to a domain feed and receive email notifications when new certs are issued.
Facebook said the search interface is easy to use, and its infrastructure can process large amounts of data quickly, providing a reliable return for any domain. Facebook has been promoting the use of CT logs to detect unexpected certificates; not all of these occurrences are malicious.
“It’s not always necessarily a vulnerability or attack, but it may be a case where a site as large as Facebook with lots of domains—some run by ourselves or by external hosting vendors—where we many not have a full picture of how our certs are deployed on domains,” Huang said. “This tool provides easy information for us. This is probably very interesting for individual sites or smaller sites that probably are not actively monitoring certificates for their domains.”
The framework is set up to monitor, in a standard way, all publicly trusted TLS certificates issued on the internet. It consists of logs, or records of TLS certs submitted by CAs or site owners; an auditing services that ensures submitted certs are included in the CT logs; and a monitoring service that queries CT logs for new cert data. Facebook said since it adopted Certificate Transparency, it has observed more than 50 million certificates. That data is collected and verified against a ruleset, and any variations triggers a notification. Huang said that Facebook’s tool is among the few free services that include a notification and subscriber option.
“There are dozens of CT logs, and we periodically fetch them (hourly, or even every 15 minutes) and keep synching across CT logs,” Huang said. “Once we fetch those certificates and process them through our pipeline, we generate alerts if we detect anything unexpected.”
Google recently said it was making Certificate Transparency mandatory, an set an October 2017 deadline that was announced at the CA/Browser Forum in mid-October. Sites that are not compliant will not display the green banner signifying a site is secure.
“The level of transparency CT logs have provided is moving us in a very good direction,” Huang said. “In the future, all publicly published certificates will be required to be logged to CT Logs. By that time, our monitoring tool will be able to have full coverage of any type of public certs.”
