
Facebook Helps Companies Detect Rogue SSL certificates For Domains

December 16, 2016 | By Comodo SSL

Facebook has released a new tool that lets domain name owners find out whether any TLS/SSL certificates have been issued for their domains without their having requested them.

Facebook initially built this tool for its own use, to monitor whether SSL certificates were being issued for its domains or subdomains without its express knowledge. The tool, a Certificate Transparency (CT) monitoring service, revealed that a couple of SSL certificates had been issued for subdomains of fb.com without Facebook having raised a request with any CA. Investigation showed that a Facebook team had in fact raised such a request but had not informed the security team that runs the CT monitoring service for Facebook domains. Having seen the benefit, Facebook has offered the tool to the public so that others can make good use of the Certificate Transparency data initiative.

Certificate Transparency (CT) is a framework developed by Google. It is defined as “an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs.” These CT logs are “network services that implement the protocol operations for submissions and queries that are defined in this document.”

Google has mandated that Certificate Authorities submit the certificates they issue to these publicly accessible logs. October 2017 has been set as the deadline after which the Chrome browser will stop trusting certificates that have not been logged. Other browsers are expected to follow suit.

The Facebook tool has an easy-to-use interface. It searches the CT logs for a specific domain and returns the certificates that CAs have issued for that domain and its subdomains. It also offers a subscription feed for a domain that sends email notifications whenever new certificates are issued for that domain or its subdomains. If a certificate was issued without the domain owner's knowledge, the alerted owner can contact the issuing CA to have the certificate revoked.
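The monitoring described above (the CT-log concept and the tool's search-and-alert behaviour) reduces to two steps: filter the log entries down to those naming the domain or one of its subdomains, then flag any that the organisation itself did not request. The script below is an added example and is not Facebook's, Comodo's or crt.sh's code. It runs entirely offline: the log entries are constructed sample data, their field names are an assumption modelled loosely on the JSON a CT search service returns, and `example.com` and the known serial numbers are placeholders.

```python
"""Offline illustration of CT-log monitoring for one domain.

Added example, not code from the original post or from Facebook/Comodo.
The entries below are constructed for the example; their field names are
an assumption loosely modelled on what a CT search service returns.
"""

DOMAIN = "example.com"  # monitored domain (assumed placeholder)

# Constructed sample of what a CT-log search for example.com might return.
SAMPLE_ENTRIES = [
    {"serial_number": "01",
     "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2016-11-01T00:00:00"},
    {"serial_number": "02",
     "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "*.mail.example.com",
     "not_before": "2016-12-01T00:00:00"},
    {"serial_number": "03",
     "issuer_name": "C=ZZ, O=Unknown Issuer, CN=Unknown CA",
     "name_value": "login.example.com",
     "not_before": "2016-12-10T00:00:00"},
    {"serial_number": "04",
     "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "example.com.evil.test",   # looks similar, is NOT ours
     "not_before": "2016-12-11T00:00:00"},
]

# Serial numbers of certificates the organisation itself ordered, recorded
# at request time. In the Facebook story, the gap was a team ordering a
# certificate without adding it to this list.
KNOWN_REQUESTED_SERIALS = {"01", "02"}


def covers_domain(name: str, domain: str) -> bool:
    """True if a certificate name (possibly a wildcard) is the monitored
    domain or one of its subdomains. The suffix match is label-aware so that
    'example.com.evil.test' is not mistaken for a subdomain of example.com."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def names_in_entry(entry: dict) -> list:
    """Split the newline-separated list of names in one log entry."""
    return [n.strip() for n in entry["name_value"].split("\n") if n.strip()]


def relevant_entries(entries, domain=DOMAIN):
    """Keep only certificates that name the domain or a subdomain of it."""
    return [e for e in entries
            if any(covers_domain(n, domain) for n in names_in_entry(e))]


def unexpected_certs(entries, known_serials, domain=DOMAIN):
    """Return (serial, issuer, names) for relevant certs nobody requested.
    These are the entries a monitoring feed should alert on."""
    findings = []
    for e in relevant_entries(entries, domain):
        if e["serial_number"] not in known_serials:
            findings.append((e["serial_number"], e["issuer_name"], names_in_entry(e)))
    return findings


if __name__ == "__main__":
    for serial, issuer, names in unexpected_certs(SAMPLE_ENTRIES, KNOWN_REQUESTED_SERIALS):
        print(f"ALERT: unrequested certificate serial={serial} "
              f"names={names} issuer={issuer!r}")
```

Run on the sample data, only serial `03` (login.example.com from an unknown issuer) is reported; the look-alike `example.com.evil.test` is ignored because the suffix match is label-aware rather than a plain substring test. In a real deployment the entry list would come from a CT search API or subscription feed, and the known-serial set from the organisation's certificate ordering records.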

This initiative and tool are another step toward preventing malicious entities from acquiring SSL certificates for subdomains of legitimate websites. Cyber criminals who control such a subdomain with a valid certificate could use it for various kinds of criminal activity, such as stealing login credentials or payment card data, because users would believe the website or subdomain to be genuine on the strength of an SSL certificate from a trusted authority.

In support of the CT initiative, Comodo, the world’s leading Certificate Authority and developer of cyber security solutions, launched in 2015 a free-to-use certificate transparency search site, https://crt.sh/, to help domain owners and other entities keep track of the digital certificates issued for their web properties.
