Recently we have seen a lot of news about certificate transparency. For example, Google will make it mandatory in October 2017, and Mozilla has announced that it will support it. What is certificate transparency in general? Let’s start with the basics.
SSL certificates help keep visitors safe. They provide encryption and server authentication, both of which play an important role in protecting communications with the servers that host your sites. An SSL certificate tells the user that they are interacting with the legitimate server hosting the site, not with an impostor.
However, the SSL ecosystem is incredibly complex, and, as part of the industry, companies need to adhere strictly to established practices so that everything works properly. In the past there have been deviations from these practices that jeopardized the SSL industry as a whole.
The problem is that SSL has a complex threat model, that is, a description of the attacks the system faces. Numerous mechanisms are required to guarantee the protection of the SSL ecosystem. Certificate Transparency is one of these mechanisms. It tries to solve one particular threat: certificate mis-issuance.
Mis-issuance occurs when a CA issues an SSL certificate improperly. This means that the CA includes incorrect information in the certificate, issues it to someone who does not represent the company, organization or domain, or issues it while the CA itself is compromised.
Certificate Transparency is a mechanism that allows domain owners and industry observers to monitor for mis-issued certificates. It is a publicly accessible log of certificates that have been issued. The log lists all the information about each certificate, and anyone can study it. In practice there are many logs, which is necessary given the scale of the SSL ecosystem: millions of certificates are issued each year. Each log has to follow certain standards governing who may submit certificates and how they are stored.
Organizations and users can then search the logs (or set up automatic notifications) to see which SSL certificates exist for the sites they own. This means that Certificate Transparency is not “automatic” in the usual sense. Even if every SSL certificate were entered in a log immediately after issuance, the domain owner would still have to look for certificates in the logs to track down improperly issued ones.
Search for logs
When I talk about searching the logs, I do not mean that you need to study them line by line. There are services that simplify the process for companies. For example, sites like crt.sh support advanced search criteria that let you find what you need. Other services let you configure notifications, so that you are notified immediately when a new potential match appears. Most of these tools look at all available CT logs.
It is important to understand that Certificate Transparency only allows mis-issued certificates to be detected after the fact. CT cannot prevent mis-issuance. Nor can it operate autonomously: the domain owner has to review the information in the logs to see whether any incorrectly issued certificates appear there.
It is often difficult to know whether mis-issuance has occurred because the verification process is disorganized. For example, a large university that delegates subdomains to different departments or projects is unlikely to check whether they comply with industry best practices.
Even before CT existed, domain owners had ways to determine whether certificates had been improperly issued. However, these required clear evidence of abuse or other signs, which could take weeks to surface. A striking example is the case of the CA DigiNotar: the invalid certificates were discovered only after a month. This means that for a whole month users could be sent to phishing sites, tracked, or otherwise attacked with the wrongly issued certificates. Astute companies like Google and Facebook use CT to cut detection time to a few hours.
However, I stress that you must monitor the logs yourself.
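As an added example (not code from the original post), this is the kind of check a log-monitoring service runs on the owner's behalf: given a constructed batch of entries in the shape of crt.sh's JSON output (field names are an assumption), it flags certificates on the owner's domain that come from a CA the owner does not use or that cover a hostname missing from the owner's inventory.

```python
import json
# Constructed sample in the shape of crt.sh's JSON output (field names are an
# assumption); crt.sh returns the SANs in name_value separated by newlines.
SAMPLE_LOG_ENTRIES = json.loads(r"""[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "common_name": "www.example.com", "name_value": "example.com\nwww.example.com"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "common_name": "mail.example.com", "name_value": "mail.example.com"},
 {"id": 1003, "issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA Issuing",
  "common_name": "login.example.com", "name_value": "login.example.com\nexample.com"},
 {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "common_name": "example.org", "name_value": "example.org"}
]""")
OWNED_DOMAIN = "example.com"
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}          # the CAs the owner really uses
KNOWN_NAMES = {"example.com", "www.example.com"}   # hostnames that should have certs

def san_names(entry):
    """Every name the entry covers: the CN plus the newline-separated SANs."""
    names = set(entry["name_value"].split("\n"))
    names.add(entry["common_name"])
    return {n.strip().lower() for n in names if n.strip()}

def belongs_to(name, domain):
    # the domain itself or a subdomain; look-alikes such as example.com.evil fail
    return name == domain or name.endswith("." + domain)

def issuer_org(issuer_name):
    """Pull the O= attribute out of a comma-separated issuer DN."""
    attrs = dict(p.strip().partition("=")[::2] for p in issuer_name.split(","))
    return attrs.get("O", "")

def find_suspicious(entries, domain=OWNED_DOMAIN,
                    expected_orgs=EXPECTED_ISSUER_ORGS, known_names=KNOWN_NAMES):
    """(entry id, reasons) for each logged cert on our domain that needs a look."""
    findings = []
    for entry in entries:
        ours = {n for n in san_names(entry) if belongs_to(n, domain)}
        if not ours:
            continue  # somebody else's certificate
        reasons = []
        org = issuer_org(entry["issuer_name"])
        if org not in expected_orgs:
            reasons.append(f"unexpected issuer {org!r}")
        unknown = sorted(ours - known_names)
        if unknown:
            reasons.append("names not in inventory: " + ", ".join(unknown))
        if reasons:
            findings.append((entry["id"], reasons))
    return findings
```

Against the sample, entry 1002 is flagged for an unknown hostname and 1003 for both an unknown hostname and a foreign issuer; 1004 is ignored because it is not on the owner's domain.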
How are certificates submitted to a log?
SSL certificates are typically added to a log in two ways. When a certificate is issued, the issuing CA can submit it to the log. This is the best method, since the certificate is registered at its source. In other situations the CA is required to log the certificate: Google requires that all EV SSL certificates be submitted to a log in order to display the green address bar in the browser. As mentioned earlier, in October 2017 Google will require that all certificates be logged. Until then, however, logging is optional for the majority of issued certificates. Several CAs log all the certificates they issue (Symantec, StartSSL, and Let’s Encrypt); the remaining CAs log a certificate only when required.
The other main source of certificates is crawlers. When the Google search engine indexes a page, it also submits the SSL certificates it finds to a log. Typically Google logs certificates within a few days, but Google cannot automatically see every certificate. If a certificate is not used on the public internet, or is used on a subdomain that is not indexed, it remains unknown and is not entered into the logs.
How CT improves security
One of the drawbacks of the CA system is that a single bad CA can have a negative impact on the entire ecosystem. A CA can issue a certificate for any existing website (this is a generalization, but it is often true), so even a company with a strict certificate issuance policy of its own can be affected by a failure elsewhere in the system. This was the case with DigiNotar. In 2011 this CA was compromised, and the attackers were able to issue certificates for any domain without proper authorization, including certificates for various Google services. As a company, Google has strict security practices, but those could not protect it against the DigiNotar breach.
You can see that even a single large mis-issuance incident can have catastrophic consequences for the entire industry. Certificate Transparency helps to cope with this problem, which is why Google and Mozilla are promoting initiatives to make CT mandatory for certificates from all CAs.