Menu
Facebook helps companies detect rogue SSL certificates for domains

Facebook helps companies detect rogue SSL certificates for domains

The company developed a tool that monitors Certificate Transparency logs and alerts domain owners of new certificates

Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.

The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.

Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best, researchers could scan the entire web and collect those certificates being used on public servers. This made it very hard to discover cases where CAs issued certificates for domain names without the approval of those domains' owners.

There have been many cases of certificates being incorrectly issued in the past because of technical or human error or because a CA's infrastructure was compromised by hackers who then abused it to issue certificates for high-profile domains. Such certificates are valid and can be used in man-in-the-middle attacks to intercept traffic to HTTPS-protected websites.

Not all of the world's CAs have adopted CT yet, but they will be forced to do so eventually. For example, Google plans to make CT compliance mandatory in the Chrome browser for all certificates issued after Oct. 1, 2017. This means that any certificate issued but not published to a CT log will not be trusted in Chrome.

Facebook initially built its CT monitoring service for internal use, and the service has helped the company's security team discover at least two certificates issued for fb.com subdomains without its knowledge. The investigation revealed that the certificates were issued by a CA at the request of another team within Facebook that failed to notify the security team.

Like many other large organizations, Facebook uses various websites for marketing and special events that are outsourced to third-parties, the company said in an April blog post describing the incident. "Certificate Transparency monitoring allows us to track these sites even if we delegate direct management to another party."

With the service able to detect a mis-issued certificate within one hour, Facebook decided to build a public tool on top of it to help other companies track certificates for their domains in a similar manner.

The tool allows users to find certificates that already exist for a domain name, as well as subscribe to receive email alerts when new certificates appear in CT logs for the domain.

"If you ever receive a notification that a CA issued a certificate that you didn't request for a domain you own, you will likely want to contact the CA, make sure your identity is not compromised, and consider revoking the certificate," Bartosz Niemczura, a software engineer on Facebook's Product Security team, said in a blog post.


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
Show Comments