Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.
The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.
Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best, researchers could scan the entire web and collect those certificates being used on public servers. This made it very hard to discover cases where CAs issued certificates for domain names without the approval of those domains’ owners.
There have been many cases of certificates being incorrectly issued in the past because of technical or human error or because a CA’s infrastructure was compromised by hackers who then abused it to issue certificates for high-profile domains. Such certificates are valid and can be used in man-in-the-middle attacks to intercept traffic to HTTPS-protected websites.
Not all of the world’s CAs have adopted CT yet, but they will be forced to do so eventually. For example, Google plans to make CT compliance mandatory in the Chrome browser for all certificates issued after Oct. 1, 2017. This means that any certificate issued but not published to a CT log will not be trusted in Chrome.
Facebook initially built its CT monitoring service for internal use, and the service has helped the company’s security team discover at least two certificates issued for fb.com subdomains without its knowledge. The investigation revealed that the certificates were issued by a CA at the request of another team within Facebook that failed to notify the security team.
Like many other large organizations, Facebook uses various websites for marketing and special events that are outsourced to third-parties, the company said in an April blog post describing the incident. “Certificate Transparency monitoring allows us to track these sites even if we delegate direct management to another party.”
With the service able to detect a mis-issued certificate within one hour, Facebook decided to build a public tool on top of it to help other companies track certificates for their domains in a similar manner.
The tool allows users to find certificates that already exist for a domain name, as well as subscribe to receive email alerts when new certificates appear in CT logs for the domain.
“If you ever receive a notification that a CA issued a certificate that you didn’t request for a domain you own, you will likely want to contact the CA, make sure your identity is not compromised, and consider revoking the certificate,” Bartosz Niemczura, a software engineer on Facebook’s Product Security team, said in a blog post.