With the certificate transparency (CT) enforcement by Chrome, all publicly trusted TLS certificates are now logged, in a distributed manner, to multiple CT logs, which brings us to certificate transparency monitoring. The irony here is that while a PKI is based on trust, you cannot trust it enough to believe there will never be a
You may wish to monitor CT logs to detect unauthorized issuance of a certificate for a domain you own, or issuance for a similar-looking domain that could be used in phishing attempts. While the internet is moving closer to 100% TLS coverage, attackers are upping their game and obtaining publicly trusted TLS certificates for domains that resemble legitimate ones, to help lure individuals into giving up personal and private information.
For example, as the owner of example.com, you should also monitor for certificates issued to exemple.com, exampla.com, etc. Unfortunately, phishing sites now leverage HTTPS too, but with the CT infrastructure in place it is much easier to spot suspicious issuance that targets the domain you own.
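As an added example (not code from the original post), here is a small Python scanner for the lookalike check described above. It takes CT records and flags names that are an edit or two away from the watched registrable label, reuse the label under a different TLD, or embed the label inside a longer name. The record shape (a newline-separated `name_value` field and an `issuer_name` field) is assumed to follow crt.sh's JSON output, and the sample entries are constructed; in practice you would feed it a certificate stream rather than a single query result. Public-suffix handling is deliberately naive (last label treated as the TLD), so multi-label suffixes such as .co.uk would need a public suffix list.

```python
# Lookalike-domain scanner over certificate transparency records.
# Added example, not from the original post. Sample data is constructed.

WATCHED = "example.com"   # assumption: the domain you own
MAX_EDITS = 2             # tunable edit-distance threshold for the registrable label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(name: str) -> tuple:
    """Split 'login.exemple.com' into ('exemple', 'com').
    Naive: treats the last label as the TLD (no public suffix list)."""
    name = name.lower().lstrip("*.")
    parts = name.split(".")
    if len(parts) < 2:
        return name, ""
    return parts[-2], parts[-1]


def classify(san: str, watched: str = WATCHED):
    """Return 'owned', a 'lookalike: ...' reason, or None for unrelated names."""
    san = san.lower().lstrip("*.")
    if san == watched or san.endswith("." + watched):
        return "owned"
    wlabel, wtld = registrable_label(watched)
    label, tld = registrable_label(san)
    if label == wlabel and tld != wtld:
        return "lookalike: same label, different TLD"
    d = levenshtein(label, wlabel)
    if 0 < d <= MAX_EDITS:
        return f"lookalike: edit distance {d}"
    # e.g. login.example-com.net or secure.example.com.evil.net
    if wlabel in san.replace(".", ""):
        return "lookalike: embeds watched label"
    return None


def scan_entries(entries, watched: str = WATCHED):
    """Walk crt.sh-shaped records and report every non-owned lookalike SAN once."""
    hits, seen = [], set()
    for entry in entries:
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if not name or name in seen:
                continue
            seen.add(name)
            reason = classify(name, watched)
            if reason and reason != "owned":
                hits.append({"name": name, "issuer": entry["issuer_name"], "reason": reason})
    return hits


# Constructed sample records in the assumed crt.sh JSON shape.
SAMPLE_ENTRIES = [
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "exemple.com", "name_value": "exemple.com\nwww.exemple.com"},
    {"issuer_name": "C=US, O=Other CA, CN=Other CA G2",
     "common_name": "login.example-com.net", "name_value": "login.example-com.net"},
    {"issuer_name": "C=US, O=Other CA, CN=Other CA G2",
     "common_name": "example.co", "name_value": "example.co"},
    {"issuer_name": "C=US, O=Other CA, CN=Other CA G2",
     "common_name": "unrelated.org", "name_value": "unrelated.org\n*.unrelated.org"},
]

if __name__ == "__main__":
    for hit in scan_entries(SAMPLE_ENTRIES):
        print(f"{hit['name']:28} {hit['reason']:40} issued by {hit['issuer']}")
```

Names the scanner flags are leads, not verdicts: a hit on a domain you do not own still needs the manual review and follow-up with the CA or registrar that the next section describes.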
What to do if you detect a potentially mis-issued certificate?
- Contact the CA for possible revocation of the certificate.
- Reach out to domain registrars to suspend a malicious domain.
- Contact browsers to block malicious sites.
While this isn’t an exhaustive list of available monitors, here are a few worth evaluating for your business or personal needs.
Cert Spotter (https://sslmate.com/certspotter/)
CT Advisor (https://ctadvisor.lolware.net/)
Facebook’s Monitor (https://developers.facebook.com/tools/ct/search/)
Cali Dog Security Axeman (https://medium.com/cali-dog-security/retrieving-storing-and-querying-250m-certificates-like-a-boss-31b1ce2dfcf8)
Cali Dog Security Cert Stream (https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067)
You may also manually monitor logs on an as-needed basis (crt.sh).