Certificate Transparency (CT) maintains publicly accessible logs listing TLS/SSL certificates, giving IT teams a way to track all the certificates associated with their domains. Until recently, searching CT logs has been difficult and costly, but Facebook’s new tool makes it easier for IT teams to find certificates they didn’t know about.
The previously internal-only tool lets anyone search the major public CT logs for all certificates issued against a particular domain. Site owners can sift through the search results to identify certificates that were unknown to them (but are still legitimate) and flag those that were fraudulently or mistakenly issued so that they can be revoked.
Facebook has been using the tool to monitor Certificate Transparency logs for its domains and subdomains over the past year “and found it very useful,” said Facebook security engineer David Huang. “We are releasing it so that developers and site owners can now manage Certificate Transparency logs for their domains.”
The CT framework outlines how certificate authorities and site owners submit records of TLS certificates to public logs, audit the logs to ensure the certificates are properly added, and monitor the logs to look for new entries. CT addresses several certificate-related threats, including mis-issued certificates, stolen certificates, and rogue certificate authorities, because organizations will be able to detect problematic TLS records in the logs. is another approach to how enterprises can identify misused certificates listed in Certificate Transparency data.
logs by October 2017 or risk having the Chrome web browser block access to those sites. The tool will return more comprehensive results as CT usage becomes more widespread, Huang said.
An unexpected certificate in the CT logs doesn’t automatically imply an attack or a mistake. Facebook found a handful of certificates its security teams hadn’t known about which turned out to be legitimate. IT teams at organizations that regularly work with external partners such as hosting providers and software-as-a-service companies may wind up discovering certificates managed by those external partners.
“An unexpected result is not necessarily malicious,” Huang said. IT teams can use the tool as an internal audit tool to track down all the certificates issued to the organization and maintain a current list.
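The audit workflow described above, as an added example that is not part of the article and not Facebook's tool: CT search results (a constructed JSON shape, not the tool's real output format) are reconciled against the organization's own certificate inventory and a list of approved partner issuers, so that only certificates that are unknown, still valid, and not partner-managed are queued for review and possible revocation.

```python
"""Reconcile Certificate Transparency search results against an inventory.
Illustrative code; the JSON shape, CA names and hostnames are all constructed."""
import json
from datetime import datetime, timezone

# Constructed sample of CT search results for example.com (hypothetical shape).
CT_RESULTS = json.loads("""[
 {"subject": "www.example.com",   "issuer": "Example Root CA",    "serial": "0a1b", "not_after": "2018-01-01T00:00:00Z"},
 {"subject": "mail.example.com",  "issuer": "Example Root CA",    "serial": "0a1c", "not_after": "2016-01-01T00:00:00Z"},
 {"subject": "shop.example.com",  "issuer": "Hosting Partner CA", "serial": "77ff", "not_after": "2018-06-01T00:00:00Z"},
 {"subject": "old.example.com",   "issuer": "Unknown Issuer Ltd", "serial": "c0de", "not_after": "2015-05-01T00:00:00Z"},
 {"subject": "login.example.com", "issuer": "Unknown Issuer Ltd", "serial": "beef", "not_after": "2018-06-01T00:00:00Z"}
]""")

# The organization's own inventory: (issuer, serial) pairs it knows it requested.
KNOWN_CERTS = {("Example Root CA", "0a1b"), ("Example Root CA", "0a1c")}

# Issuers that approved external partners (hosting, SaaS) use for specific hosts.
PARTNER_ISSUERS = {"shop.example.com": {"Hosting Partner CA"}}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(entry, known=KNOWN_CERTS, partners=PARTNER_ISSUERS, as_of=None):
    """Return 'known', 'expired', 'partner' or 'review' for one CT entry."""
    now = _parse(as_of) if as_of else datetime.now(timezone.utc)
    if (entry["issuer"], entry["serial"]) in known:
        return "known"
    if _parse(entry["not_after"]) < now:
        return "expired"   # unknown but no longer usable: low priority, still record it
    if entry["issuer"] in partners.get(entry["subject"], set()):
        return "partner"   # managed by an approved partner: add to the inventory
    return "review"        # unknown and valid: confirm with the issuer, revoke if mis-issued


def audit(entries, **kw):
    """Group CT entries by classification; the 'review' list is what to act on."""
    report = {"known": [], "expired": [], "partner": [], "review": []}
    for entry in entries:
        report[classify(entry, **kw)].append(entry["subject"])
    return report


if __name__ == "__main__":
    for bucket, hosts in audit(CT_RESULTS, as_of="2017-01-01T00:00:00Z").items():
        print(f"{bucket:8s} {hosts}")
```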
Facebook plans to look at user feedback to add new features, Huang said, adding that the tool was “just the first step in helping people use Certificate Transparency data.”