Facebook Releases Free Monitoring Tool in move towards Certificate Transparency (CT)
The movement toward Certificate Transparency (CT) has brought about a healthy improvement, not only in the way organizations monitor and audit TLS certs, but also in cutting down the number of malicious or mistakenly issued certificates.
CT, a framework developed by Google, works because Certificate Authorities are required to submit certificates to publicly accessible logs; as of next October, non-compliant sites will no longer be trusted by Chrome. For smaller organizations in particular, the cost is high to build out an infrastructure and search tool that interacts with all public CT logs. Facebook, however, may have filled that gap today with the release of a previously internal tool called the Certificate Transparency Monitoring Developer Tool.
The tool checks major public CT logs at regular intervals for new certificates issued on domains singled out by the user.
“We’ve been monitoring Certificate Transparency logs internally since last year, and found it very useful,” Facebook security engineer David Huang said.
“It allowed us to discover unexpected certs that were issued for our domain that we previously were unaware of. We realized it might be useful for other developers and made this free for everyone.”
The tool allows users to search CT logs for a particular domain and return certs that have been issued for the domain and its subdomains. Users can also subscribe to a domain feed and receive email notifications when new certs are issued. Facebook said the search interface is easy to use, and its infrastructure can process large amounts of data quickly, providing a reliable return for any domain. Facebook has been promoting the use of CT logs to detect unexpected certificates; not all of these occurrences are malicious.
“It’s not always necessarily a vulnerability or attack, but it may be a case where a site as large as Facebook with lots of domains—some run by ourselves or by external hosting vendors—where we many not have a full picture of how our certs are deployed on domains,” Huang said. “This tool provides easy information for us. This is probably very interesting for individual sites or smaller sites that probably are not actively monitoring certificates for their domains.”