
Facebook Certificate Transparency Monitoring tool will help secure web

A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.

Facebook has opened to the public its Certificate Transparency Monitoring tool, allowing anyone -- with a Facebook account -- to search through Facebook's collection of TLS certificates and monitor major Certificate Transparency logs.

The Certificate Transparency Monitoring tool was developed initially for internal use. But with the new service, users can search Facebook's certificate collection, as well as monitor domains to be notified by email when new certificates are submitted to any of the major Certificate Transparency logs that Facebook monitors.

Transport Layer Security, or TLS, certificates are what a web browser relies on to verify that the server it has connected to is the legitimate holder of a domain name. Certificate Transparency (CT) makes every logged certificate publicly auditable, so improperly issued certificates can be found and revoked far sooner, which matters most when such certificates have been obtained by malicious actors, who use them to make malicious websites look genuine to potential victims' browsers.

"Since last year, we have been monitoring CT logs internally. It has been helpful because, in the past, we have seen unexpected certificates issued for our domains," David Huang, Facebook security engineer, told SearchSecurity by email. "From that experience, we figured that others could likely benefit as well, particularly because not all developers will have the resources to do this on their own and monitor certificates issued for their domains."

In a blog post detailing the new service, Bartosz Niemczura, software engineer on Facebook's product security team, wrote that since first implementing CT internally, it has helped Facebook "detect misissued TLS certificates to stop them from being used to intercept HTTPS traffic."

Niemczura wrote, "Our hope is to enable others to enjoy the benefits of Certificate Transparency, without having to write any code or manage any systems."

Facebook's monitoring tool lets users search by domain name to see every certificate logged through CT for that domain and its subdomains. Users may also subscribe to a domain to receive an email notification whenever a new certificate for the domain or any of its subdomains is recorded in one of the monitored CT logs.
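As an added illustration (this is not Facebook's code; the article does not describe the tool's internals), here is the matching a subscription like this needs once log entries have been decoded: find the logged names that cover the monitored domain or its subdomains, including wildcards, and flag any certificate whose issuer is not one the operator actually uses. The entries, domain names and issuer names below are constructed for the example; a real monitor would decode X.509 certificates from the log's get-entries responses.

```python
# Added example: triage logic for a CT domain subscription. Not Facebook's code.
# SAMPLE_ENTRIES is constructed to look like decoded log entries (the DNS names
# and issuer each certificate carries). Real data would come from parsing X.509.
SAMPLE_ENTRIES = [
    {"index": 101, "issuer": "Example Trusted CA", "names": ["example.com", "www.example.com"]},
    {"index": 102, "issuer": "Example Trusted CA", "names": ["*.cdn.example.com"]},
    {"index": 103, "issuer": "Some Other CA",      "names": ["login.example.com"]},
    {"index": 104, "issuer": "Example Trusted CA", "names": ["notexample.com"]},
    {"index": 105, "issuer": "Some Other CA",      "names": ["*.com"]},
]


def name_covers(monitored: str, logged: str) -> bool:
    """True if a logged DNS name is the monitored domain, a subdomain of it,
    or a wildcard that would cover hosts under it (or the domain itself).

    Matching is done on label boundaries, so 'notexample.com' does not match
    'example.com'. Names are compared case-insensitively and without a
    trailing dot.
    """
    monitored = monitored.lower().rstrip(".")
    logged = logged.lower().rstrip(".")
    if logged.startswith("*."):
        base = logged[2:]
        if base == monitored or base.endswith("." + monitored):
            return True  # wildcard at or below the monitored domain
        # Wildcard one label above (e.g. *.com) would match example.com itself;
        # a monitor wants to see such a certificate too.
        parent = monitored.split(".", 1)[1] if "." in monitored else ""
        return parent == base
    return logged == monitored or logged.endswith("." + monitored)


def review_entries(entries, monitored, expected_issuers):
    """Return one record per entry that covers the monitored domain, marking
    whether its issuer is one the operator expects. Non-matching entries are
    dropped; they are noise for this subscription."""
    expected = {issuer.lower() for issuer in expected_issuers}
    hits = []
    for entry in entries:
        matched = [n for n in entry["names"] if name_covers(monitored, n)]
        if matched:
            hits.append({
                "index": entry["index"],
                "issuer": entry["issuer"],
                "names": matched,
                "expected_issuer": entry["issuer"].lower() in expected,
            })
    return hits


def unexpected_indices(entries, monitored, expected_issuers):
    """Log indices of matching certificates from an issuer the operator does
    not use: the cases that warrant an immediate look."""
    return [h["index"] for h in review_entries(entries, monitored, expected_issuers)
            if not h["expected_issuer"]]


if __name__ == "__main__":
    for hit in review_entries(SAMPLE_ENTRIES, "example.com", ["Example Trusted CA"]):
        status = "ok" if hit["expected_issuer"] else "UNEXPECTED ISSUER"
        print(f'#{hit["index"]} {hit["issuer"]!r} -> {hit["names"]}: {status}')
```

The issuer allow-list is the check a notification email does not do for you: a certificate for your domain from a CA you never contracted with is the signal the Facebook engineers describe, and a wildcard at a public-suffix level (the constructed `*.com` entry) is worth surfacing even though no sane CA should issue it.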

"Facebook's support for Certificate Transparency is a great step forward," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, based in Salt Lake City. "Cryptographic keys and digital certificates provide the foundations of trust and privacy for the global economy, yet we blindly trust them. Facebook's new Certificate Transparency Monitoring is one more sign the world is finally waking up to the problem of certificate abuse."

Google's Certificate Transparency initiative does not stop a certificate authority (CA) from misissuing a certificate; instead it requires certificates to be recorded in public, append-only, cryptographically verifiable logs, so that any misissued certificate, whether the result of an honest mistake or of a CA that has "gone rogue," can be detected by the domain owner and revoked. Without that visibility, such certificates let an attacker convince browsers that a site is authentic when it is not, enabling website spoofing, server impersonation and man-in-the-middle attacks.

In 2011, the Dutch CA DigiNotar was breached and issued hundreds of fraudulent certificates for 20 different domains. Certificate authority Comodo Group Inc. issued nine fraudulent certificates across seven domains after an affiliated registration authority was compromised, also in 2011. In 2016, Google, Apple and Mozilla all dropped WoSign, a certificate authority based in China, from their trusted CA programs for a number of infractions, including backdating SHA-1 certificates to evade the browsers' deprecation of that algorithm.

The Certificate Transparency initiative proved itself in 2015, when Google discovered, through the CT logs, that Symantec had issued unauthorized Extended Validation certificates for Google domains. Despite Symantec's defense that the improper certificates had been used for testing purposes only, Google has since required Symantec to log all certificates it issues -- not just EV certs -- in Certificate Transparency, and to undergo third-party audits of its CA operations.

Certificate Transparency is described in RFC 6962, "Certificate Transparency," published in 2013; the protocol was introduced in the hope that eventually all "clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs."
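To make "appear in a log" concrete, here is an added example (not code from the RFC, from Facebook or from any log implementation) of the hashing RFC 6962 section 2.1 defines for a log's Merkle tree, together with audit-path generation and the inclusion-proof check that a monitor or auditor runs to confirm a certificate really is in the tree the log has signed. The leaves are constructed byte strings standing in for the TLS-encoded MerkleTreeLeaf structures a real log hashes; the verification loop follows the iterative algorithm published in RFC 9162, which succeeded RFC 6962 and keeps the same hash construction.

```python
"""RFC 6962 Merkle Tree Hash and inclusion-proof verification (added example)."""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962: leaf = SHA-256(0x00 || entry). The prefix byte keeps leaf
    and interior hashes in separate domains (no second-preimage tricks)."""
    return _h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962: interior node = SHA-256(0x01 || left || right)."""
    return _h(b"\x01" + left + right)


def largest_power_of_two_below(n: int) -> int:
    """Largest k = 2^i with k < n (n >= 2): the split point RFC 6962 uses."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries):
    """MTH of an ordered list of entries, per RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return _h(b"")           # MTH of the empty tree is SHA-256 of the empty string
    if n == 1:
        return leaf_hash(entries[0])
    k = largest_power_of_two_below(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def audit_path(index, entries):
    """Sibling hashes for entries[index], ordered from the leaf up to the root.
    This is what a log returns for get-proof-by-hash (RFC 6962 section 2.1.1)."""
    n = len(entries)
    if n <= 1:
        return []
    k = largest_power_of_two_below(n)
    if index < k:
        return audit_path(index, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf, index, tree_size, path, root):
    """Recompute the root from a leaf and its audit path and compare it with
    the root the log signed. Iterative form as published in RFC 9162."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False        # path is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # we are a right child: sibling goes on the left
            if not fn & 1:       # rightmost node with no right sibling: climb
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # we are a left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


if __name__ == "__main__":
    # Constructed leaves; a real log's leaves are serialized MerkleTreeLeaf structs.
    entries = [b"cert-%d" % i for i in range(5)]
    root = merkle_tree_hash(entries)
    for i, e in enumerate(entries):
        ok = verify_inclusion(e, i, len(entries), audit_path(i, entries), root)
        print(f"entry {i}: inclusion {'verified' if ok else 'FAILED'}")
    print("tampered leaf:", verify_inclusion(b"evil", 2, 5, audit_path(2, entries), root))
```

Two details carry the security argument. The 0x00/0x01 domain-separation bytes are what stop an attacker from presenting an interior node as a leaf (or vice versa); without them, a "certificate" whose bytes equal two concatenated hashes would verify. And the final `sn == 0` check rejects proofs that are too short for the claimed tree size, so a log cannot satisfy a monitor with a proof into some smaller tree than the one it signed.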

Huang said Facebook hoped others would be able to detect "misissued certificates for their domains more easily using this tool. We expect enterprises could find value, but it may be particularly valuable for smaller sites because enterprises are more likely to be able to support this type of feature on their own."
