Menu
Facebook helps companies detect rogue SSL certificates for domains

Facebook helps companies detect rogue SSL certificates for domains

The company developed a tool that monitors Certificate Transparency logs and alerts domain owners of new certificates

Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.

The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.

Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best, researchers could scan the entire web and collect those certificates being used on public servers. This made it very hard to discover cases where CAs issued certificates for domain names without the approval of those domains' owners.

There have been many cases of certificates being incorrectly issued in the past because of technical or human error or because a CA's infrastructure was compromised by hackers who then abused it to issue certificates for high-profile domains. Such certificates are valid and can be used in man-in-the-middle attacks to intercept traffic to HTTPS-protected websites.

Not all of the world's CAs have adopted CT yet, but they will be forced to do so eventually. For example, Google plans to make CT compliance mandatory in the Chrome browser for all certificates issued after Oct. 1, 2017. This means that any certificate issued but not published to a CT log will not be trusted in Chrome.

Facebook initially built its CT monitoring service for internal use, and the service has helped the company's security team discover at least two certificates issued for fb.com subdomains without its knowledge. The investigation revealed that the certificates were issued by a CA at the request of another team within Facebook that failed to notify the security team.

Like many other large organizations, Facebook uses various websites for marketing and special events that are outsourced to third-parties, the company said in an April blog post describing the incident. "Certificate Transparency monitoring allows us to track these sites even if we delegate direct management to another party."

With the service able to detect a mis-issued certificate within one hour, Facebook decided to build a public tool on top of it to help other companies track certificates for their domains in a similar manner.

The tool allows users to find certificates that already exist for a domain name, as well as subscribe to receive email alerts when new certificates appear in CT logs for the domain.

"If you ever receive a notification that a CA issued a certificate that you didn't request for a domain you own, you will likely want to contact the CA, make sure your identity is not compromised, and consider revoking the certificate," Bartosz Niemczura, a software engineer on Facebook's Product Security team, said in a blog post.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.‚Äč

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments