Menu
Facebook helps companies detect rogue SSL certificates for domains

Facebook helps companies detect rogue SSL certificates for domains

The company developed a tool that monitors Certificate Transparency logs and alerts domain owners of new certificates

Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.

The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.

Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best, researchers could scan the entire web and collect those certificates being used on public servers. This made it very hard to discover cases where CAs issued certificates for domain names without the approval of those domains' owners.

There have been many cases of certificates being incorrectly issued in the past because of technical or human error or because a CA's infrastructure was compromised by hackers who then abused it to issue certificates for high-profile domains. Such certificates are valid and can be used in man-in-the-middle attacks to intercept traffic to HTTPS-protected websites.

Not all of the world's CAs have adopted CT yet, but they will be forced to do so eventually. For example, Google plans to make CT compliance mandatory in the Chrome browser for all certificates issued after Oct. 1, 2017. This means that any certificate issued but not published to a CT log will not be trusted in Chrome.

Facebook initially built its CT monitoring service for internal use, and the service has helped the company's security team discover at least two certificates issued for fb.com subdomains without its knowledge. The investigation revealed that the certificates were issued by a CA at the request of another team within Facebook that failed to notify the security team.

Like many other large organizations, Facebook uses various websites for marketing and special events that are outsourced to third-parties, the company said in an April blog post describing the incident. "Certificate Transparency monitoring allows us to track these sites even if we delegate direct management to another party."

With the service able to detect a mis-issued certificate within one hour, Facebook decided to build a public tool on top of it to help other companies track certificates for their domains in a similar manner.

The tool allows users to find certificates that already exist for a domain name, as well as subscribe to receive email alerts when new certificates appear in CT logs for the domain.

"If you ever receive a notification that a CA issued a certificate that you didn't request for a domain you own, you will likely want to contact the CA, make sure your identity is not compromised, and consider revoking the certificate," Bartosz Niemczura, a software engineer on Facebook's Product Security team, said in a blog post.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Brand Post

How to become the best IT MSP

This article provides guidance for managed service providers (MSPs) that want to grow their business. It is also useful for any IT service provider looking to move from the break-fix model to managed IT services.

Featured

Slideshows

Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Malwarebytes shoots the breeze with channel, prospects

Malwarebytes shoots the breeze with channel, prospects

A Kumeu, Auckland, winery was the venue for a Malwarebytes event for partner and prospect MSPs - with some straight shooting on the side. The half-day getaway, which featured an archery competition, lunch and wine-tasting aimed at bringing Malwarebytes' local New Zealand and top and prospective MSP partners together to celebrate recent local successes, and discuss the current state of malware in New Zealand. This was also a unique opportunity for local MSPs to learn about how they can get the most out of Malwarebytes' MSP program and offering, as more Kiwi businesses are targeted by malware.

Malwarebytes shoots the breeze with channel, prospects
Show Comments