Facebook recently released a tool aimed at detecting fake TLS/SSL certificates issued without the knowledge of the respective domain owners. The tool works with data obtained from numerous publicly available Certificate Transparency logs. Transparency logs are the current standard that lets CAs record the certificates they issue and make them available to the public.
Monitoring fake certificates for domains used to be harder
A couple of years ago there was no way to track the certificates issued by a certification authority. Researchers could only collect data across the network on their own by examining public servers. Identifying cases in which fake certificates had been issued for domain names was difficult, almost impossible.
There have been cases in the past where certificates were issued incorrectly because of human or technical error. Attackers can also compromise a certification authority's infrastructure to issue certificates for well-known domains. Such certificates are valid, and they have been used in attacks to intercept traffic to HTTPS sites.
Adoption of transparency logs
Not all certification authorities have adopted transparency logs, but they will eventually have to. Google wants to make a transparency log entry mandatory in Chrome for all certificates issued after October 1, 2017: a certificate that has not been added to the transparency logs will not be trusted in Chrome.
Facebook originally built the service for monitoring transparency logs for internal use. The service allowed the company to discover two certificates that had been issued for fb.com subdomains without the company's knowledge. The investigation showed that the certificates had been requested by another team within Facebook; that department simply had not notified the Facebook security team.
Facebook uses various sites for marketing and special events, and management of these sites is outsourced to third parties. Certificate Transparency allows these sites to be monitored as well.
The service, which can identify an incorrectly issued certificate within an hour, has been opened to the public. Companies can check whether third-party certificates have been issued for their domains. The tool not only lets you search for certificates but also lets you subscribe to e-mail notifications that are sent whenever a certificate for the domain is detected in the logs.
Once notified by e-mail that a certificate has been issued for their domain, the domain owner can contact the certification authority, verify their identity, and ask for the issued certificate to be revoked, since its issuance was unauthorized.
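The core of such a monitor, as an added example that is not Facebook's code: log entries are reduced to issuer, fingerprint and DNS names, every entry naming a watched domain (including wildcards and subdomains) is compared against the fingerprints the owner knows it requested, and anything else becomes an alert. The log entries, fingerprints and CA names below are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class LogEntry:
    """One CT log leaf, reduced to the fields a monitor needs."""
    log: str          # public log the entry was read from
    index: int        # position of the entry in that log
    issuer: str       # issuer common name
    fingerprint: str  # SHA-256 of the leaf certificate (placeholders below)
    names: list       # subject CN plus subjectAltName DNS entries

def covers(san: str, watched: str) -> bool:
    """True if a certificate name is the watched domain, a subdomain of it,
    or a wildcard whose scope overlaps it."""
    san, watched = san.lower().rstrip("."), watched.lower().rstrip(".")
    if san.startswith("*."):
        parent = san[2:]
        if parent == watched or parent.endswith("." + watched):
            return True  # wildcard lives inside the watched zone
        # wildcard one label up: *.fb.com covers www.fb.com, not a.b.fb.com
        return watched.endswith("." + parent) and "." not in watched[: -len(parent) - 1]
    return san == watched or san.endswith("." + watched)

def find_unexpected(entries, watched_domains, known_fingerprints):
    """Entries naming a watched domain whose certificate the owner did not
    request, as (log, index, issuer, matched names) tuples."""
    alerts = []
    for e in entries:
        if e.fingerprint in known_fingerprints:
            continue  # certificate the security team already knows about
        hits = sorted({n for n in e.names for w in watched_domains if covers(n, w)})
        if hits:
            alerts.append((e.log, e.index, e.issuer, hits))
    return alerts

# Constructed sample entries; fingerprints are placeholders, not real hashes.
SAMPLE_ENTRIES = [
    LogEntry("log-a", 101, "Known CA", "sha256:known-1", ["www.fb.com", "fb.com"]),
    LogEntry("log-a", 102, "Other CA", "sha256:unknown-1", ["events.fb.com", "*.events.fb.com"]),
    LogEntry("log-b", 7, "Other CA", "sha256:unknown-2", ["notfb.com", "fb.com.example"]),
    LogEntry("log-b", 8, "Other CA", "sha256:unknown-3", ["*.fb.com"]),
]
WATCHED = ["fb.com"]
KNOWN = {"sha256:known-1"}

if __name__ == "__main__":
    for log, index, issuer, names in find_unexpected(SAMPLE_ENTRIES, WATCHED, KNOWN):
        print(f"unexpected certificate for {', '.join(names)} from {issuer} "
              f"(log {log}, entry {index}): verify with the CA and request revocation")
```

Entry 7 is deliberately a near miss: "notfb.com" and "fb.com.example" must not trigger an alert for fb.com, which is why the suffix check requires the dot.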