
Certificate Transparency Monitoring

February 16, 2019 by Mister PKI Leave a Comment

With Chrome now enforcing certificate transparency (CT), all publicly trusted TLS certificates are logged, in a distributed manner, to multiple CT logs, which brings us to certificate transparency monitoring. The irony is that while a PKI is based on trust, you cannot trust it enough to believe there will never be a mis-issued or unauthorized TLS certificate for a given domain. To help mitigate that, you can monitor CT logs to be informed of any publicly trusted TLS certificate issued for the domain of interest.

You may wish to monitor CT logs to detect unauthorized issuance of a certificate for your domain, or a certificate issued for a similar domain that could be used in phishing attempts. While the internet is moving closer to 100% TLS coverage, attackers are upping their game and obtaining publicly trusted TLS certificates for domains similar to legitimate ones, to help lure individuals into giving up personal and private information.

For example, as the owner of example.com, you should also monitor for certificates issued to exemple.com, exampla.com, etc. Unfortunately, phishing campaigns now leverage HTTPS too, but with the CT infrastructure in place it is much easier to monitor malicious activity around the domain you own.
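The screening logic described above, as an added example (not code from Mister PKI or from any of the monitors listed below): given CT log records, it separates certificates issued for your own domain, which you reconcile against your certificate inventory and the CAs you actually use, from certificates for look-alike domains such as exemple.com or example.com.evil.net. The record layout (`name_value`, `issuer_name`, `not_before`, `id`) follows crt.sh's JSON output, and `fetch_crtsh` is an assumed helper for pulling live records; the sample records embedded here are constructed and the offline run never touches the network.

```python
"""Screen certificate transparency (CT) log records for a watched domain.

Classifies each record as 'own-domain' (issued for the watched domain or a
subdomain) or 'lookalike' (typosquat or the watched name embedded in another
domain). Record fields follow crt.sh's JSON output; SAMPLE_ENTRIES below are
constructed for this example and are not real CT data.
"""
import json
import urllib.parse
import urllib.request
from typing import Iterable, List, Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Assumption: a simple two-label suffix model (no co.uk-style handling)."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_name(name: str, watched: str, max_distance: int = 1) -> Optional[str]:
    """Return 'own-domain', 'lookalike' or None for one certificate name."""
    name = name.lower().lstrip("*.").rstrip(".")   # '*.example.com' -> 'example.com'
    watched = watched.lower()
    if name == watched or name.endswith("." + watched):
        return "own-domain"
    if watched in name:                             # example.com.login-secure.net
        return "lookalike"
    w_label = registrable_label(watched)
    # Typosquat: registrable label within edit distance (exemple vs example).
    if levenshtein(registrable_label(name), w_label) <= max_distance:
        return "lookalike"
    # Watched label embedded in any label (login-example.com); deliberately broad.
    if any(w_label in lbl for lbl in name.split(".")):
        return "lookalike"
    return None


def screen_entries(entries: Iterable[dict], watched: str,
                   known_issuers: Iterable[str] = (), max_distance: int = 1) -> List[dict]:
    """Return findings for CT records relevant to `watched`.

    `name_value` is newline-separated (as crt.sh returns it); `known_issuers`
    are substrings identifying the CAs you legitimately use."""
    findings = []
    for entry in entries:
        names = entry["name_value"].split("\n")
        kinds = {classify_name(n, watched, max_distance) for n in names} - {None}
        if not kinds:
            continue
        issuer = entry.get("issuer_name", "")
        expected_ca = any(k.lower() in issuer.lower() for k in known_issuers)
        if "own-domain" in kinds and not expected_ca:
            severity = "high"      # cert for your domain from a CA you do not use
        elif "lookalike" in kinds:
            severity = "medium"    # candidate phishing domain
        else:
            severity = "info"      # own domain, expected CA: reconcile with inventory
        findings.append({"id": entry.get("id"), "names": names, "issuer": issuer,
                         "kinds": sorted(kinds), "severity": severity})
    return findings


def fetch_crtsh(domain: str, timeout: float = 30.0) -> list:
    """Assumed helper: query crt.sh's JSON output for the domain and its
    subdomains (q=%.domain&output=json). Not called in the offline demo."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": "%." + domain, "output": "json"})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


SAMPLE_ENTRIES = [  # constructed records, not real CT data
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2019-02-01T00:00:00", "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA R1",
     "not_before": "2019-02-10T00:00:00", "name_value": "mail.example.com"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2019-02-12T00:00:00", "name_value": "exemple.com\nwww.exemple.com"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2019-02-13T00:00:00", "name_value": "example.com.login-secure.net"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2019-02-14T00:00:00", "name_value": "unrelated.org"},
]

if __name__ == "__main__":
    for f in screen_entries(SAMPLE_ENTRIES, "example.com", known_issuers=("Let's Encrypt",)):
        print(f["severity"], f["id"], f["kinds"], f["names"], "issued by", f["issuer"])
```

The substring rule is intentionally broad, since a missed look-alike costs more than a false positive that an analyst dismisses in seconds; tune `max_distance` and `known_issuers` to your own domain and CA footprint, and pass `fetch_crtsh("example.com")` into `screen_entries` when you want to run it against live data.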

What to do if you detect a potentially mis-issued certificate?

  • Contact the CA for possible revocation of the certificate.
  • Reach out to domain registrars to suspend a malicious domain.
  • Contact browsers to block malicious sites.

While this isn’t an exhaustive list of available monitors, here are a few worth analyzing for your business or personal needs.

Cert Spotter (https://sslmate.com/certspotter/)

CT Advisor (https://ctadvisor.lolware.net/)

Facebook’s Monitor (https://developers.facebook.com/tools/ct/search/)

Cali Dog Security Axeman (https://medium.com/cali-dog-security/retrieving-storing-and-querying-250m-certificates-like-a-boss-31b1ce2dfcf8)

Cali Dog Security Cert Stream (https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067)

You may also manually monitor logs on an as-needed basis (crt.sh).
