
Facebook Unveils Four Updates to Its Certificate Transparency Tool

December 20, 2017 | David Bisson

Facebook has announced four updates that are designed to help developers make better use of the information contained in its Certificate Transparency Tool.

On 14 December 2017, Facebook engineers Bartosz Niemczura and David Huang announced the changes, close to one year after the Certificate Transparency Tool was first unveiled.

Facebook's utility builds on Certificate Transparency (CT), the open framework specified in RFC 6962 for logging, auditing and monitoring publicly trusted Transport Layer Security (TLS) certificates issued by certificate authorities (CAs). Facebook had been tracking CT logs internally since 2015 and found the data useful enough that it built the Certificate Transparency Tool and made it freely available to everyone.

Niemczura and Huang explain how the tool works:

Facebook's Product Security team uses the Certificate Transparency framework to run a Certificate Transparency Monitor which consistently checks CT logs for newly issued certificates. When gathering this data, we fetch and store the publicly-published certificate information from a collection of Certificate Authorities that support a standardized CT logging format. We match every new certificate with a set of domain subscriptions in our system, and we notify respective subscribers about the updates. If a domain owner receives a notification that a CA issued a certificate for their domain without an explicit request, they will likely want to contact the CA, make sure their identity is not compromised, and consider revoking the certificate.

The benefits of using the Certificate Transparency Monitor are many. Large sites like Facebook can use the tool to detect certificates issued for their domains that they never requested and would otherwise not have known about. At the same time, small sites that aren't actively monitoring their domains can leverage it to stay informed. Organizations of every size can then act on a mis-issued certificate before it is abused: an attacker holding the private key for such a certificate can impersonate the site and intercept TLS traffic, so a surprise entry in a CT log is a signal worth chasing down with the issuing CA.
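Here is an added example, not Facebook's code, of the two pieces the description above turns on: decoding a log entry as a CT log returns it from its get-entries endpoint (the MerkleTreeLeaf layout from RFC 6962) and matching the names in a certificate against a subscription table, including wildcard names and a set of fingerprints for certificates the subscriber requested itself, so that expected certificates do not raise alerts. The sample entry, subscriptions and fingerprints are constructed; the certificate body is a placeholder blob, and extracting the CN and SANs from a real DER certificate is assumed to be done by the caller with an X.509 library, which is why `notifications()` takes the names as an argument.

```python
"""Toy Certificate Transparency monitor (added example, stdlib only).

Decodes RFC 6962 log entries as returned by a log's get-entries endpoint and
matches certificate names against domain subscriptions, the way the article
describes Facebook's monitor notifying subscribers. Assumption: the caller has
already extracted the CN/SAN names from the DER certificate.
"""
import base64
import hashlib
import json
import struct
from dataclasses import dataclass

X509_ENTRY, PRECERT_ENTRY = 0, 1


@dataclass
class LeafEntry:
    timestamp_ms: int
    entry_type: int
    body: bytes  # DER cert (x509_entry) or issuer_key_hash || TBSCertificate (precert_entry)


def encode_merkle_tree_leaf(timestamp_ms, entry_type, body, extensions=b""):
    """Build a v1 MerkleTreeLeaf; used here only to construct sample entries."""
    if entry_type == PRECERT_ENTRY:
        issuer_key_hash, tbs = body[:32], body[32:]
        payload = issuer_key_hash + len(tbs).to_bytes(3, "big") + tbs
    else:
        payload = len(body).to_bytes(3, "big") + body          # opaque ASN.1Cert<1..2^24-1>
    return (bytes([0, 0]) + struct.pack(">QH", timestamp_ms, entry_type)
            + payload + len(extensions).to_bytes(2, "big") + extensions)


def parse_merkle_tree_leaf(leaf_input: bytes) -> LeafEntry:
    """Decode the base64-decoded 'leaf_input' of a get-entries entry (RFC 6962 s3.4)."""
    if leaf_input[:2] != b"\x00\x00":            # version v1, leaf_type timestamped_entry
        raise ValueError("unsupported leaf version/type")
    timestamp_ms, entry_type = struct.unpack(">QH", leaf_input[2:12])
    pos = 12
    if entry_type == PRECERT_ENTRY:
        prefix, pos = leaf_input[pos:pos + 32], pos + 32      # issuer_key_hash
    elif entry_type == X509_ENTRY:
        prefix = b""
    else:
        raise ValueError(f"unknown entry_type {entry_type}")
    n = int.from_bytes(leaf_input[pos:pos + 3], "big")        # 3-byte length prefix
    pos += 3
    body, pos = leaf_input[pos:pos + n], pos + n
    ext_len = int.from_bytes(leaf_input[pos:pos + 2], "big")  # CtExtensions<0..2^16-1>
    if pos + 2 + ext_len != len(leaf_input):
        raise ValueError("truncated or trailing bytes in leaf_input")
    return LeafEntry(timestamp_ms, entry_type, prefix + body)


def parse_get_entries(response_text: str):
    """Yield LeafEntry objects from a get-entries JSON response body."""
    for entry in json.loads(response_text)["entries"]:
        yield parse_merkle_tree_leaf(base64.b64decode(entry["leaf_input"]))


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def name_covers(cert_name: str, subscribed: str) -> bool:
    """True if a certificate name is at or below the subscribed domain, or is a
    wildcard that would match the subscribed host (one label only)."""
    cert_name, subscribed = cert_name.lower().rstrip("."), subscribed.lower().rstrip(".")
    if cert_name.startswith("*."):
        base = cert_name[2:]
        if base == subscribed or base.endswith("." + subscribed):
            return True
        return subscribed.endswith("." + base) and "." not in subscribed[: -len(base) - 1]
    return cert_name == subscribed or cert_name.endswith("." + subscribed)


def notifications(entry: LeafEntry, names, subscriptions, known_fingerprints):
    """Return (subscriber, subscribed_domain, matched_name) triples to notify.
    subscriptions: {domain: [webhook URLs or other subscriber ids]}.
    known_fingerprints: SHA-256 hex of certificates the owner requested itself."""
    if entry.entry_type == X509_ENTRY and fingerprint(entry.body) in known_fingerprints:
        return []                                             # expected issuance, no alert
    hits = []
    for domain, subscribers in subscriptions.items():
        for name in names:
            if name_covers(name, domain):
                hits.extend((s, domain, name) for s in subscribers)
    return hits


# Constructed sample: a placeholder blob stands in for a real DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-placeholder-certificate"
SAMPLE_RESPONSE = json.dumps({"entries": [{
    "leaf_input": base64.b64encode(
        encode_merkle_tree_leaf(1513255200000, X509_ENTRY, SAMPLE_DER)).decode(),
    "extra_data": ""}]})
SUBSCRIPTIONS = {"example.com": ["https://hooks.example.com/ct"],   # constructed
                 "example.org": ["mailto:secops@example.org"]}

if __name__ == "__main__":
    names = ["*.example.com", "login.example.com", "evil-example.com"]  # as if parsed from SAMPLE_DER
    for entry in parse_get_entries(SAMPLE_RESPONSE):
        for subscriber, domain, name in notifications(entry, names, SUBSCRIPTIONS, set()):
            print(f"notify {subscriber}: new cert for {name} (subscription {domain})")
```

The `known_fingerprints` check only applies to final certificates; a precert entry carries the TBSCertificate rather than the issued certificate, so its hash never matches and it is always reported, which is the conservative choice.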

To help developers get even more out of the Certificate Transparency Monitor, Facebook has issued four updates to its tool. The first change opens up a Webhooks API, which lets developers register a webhook endpoint and list the domains they want to monitor. That endpoint then receives an HTTP request for every newly issued certificate the tool detects for a monitored domain.

Niemczura explained the benefit of this first change to eWEEK:

The advantage of using Webhook API is that the Webhooks feature allows apps to receive real-time notifications of changes to selected pieces of data. By using the Webhook API, a developer can simply receive a request whenever Facebook detects new certificates for their domains - all of the challenges mentioned earlier are being taken care of on Facebook's side.

Developers who use the Certificate Transparency Monitor can now also query certificates through an API and receive certificate updates as push notifications on Facebook. Behind the scenes, Facebook uses the same backend system that powers Facebook Graph to monitor more than 20 publicly available CT logs, which together record about 40,000 new certificates every hour.

Looking ahead, the engineers at Facebook are also working on Expect-CT, an HTTP response header that a website can serve to tell browsers to require Certificate Transparency for that host: a connection whose certificate is not accompanied by valid signed certificate timestamps (SCTs) from a CT log is refused or, in report-only mode, reported to a URL the site chooses. (The header has since become moot: Chrome dropped support for it in 2022, after CT had become mandatory for all publicly trusted certificates.) Niemczura hopes it will help grow the adoption of CT logs:

When someone submits a valid certificate to a CT Log, the log responds with a signed certificate timestamp (SCT), which is simply a promise to add the certificate to the log within some time period. The Expect-CT header allows web host operators to instruct user agents, typically browsers, to expect valid SCTs to be served on connections to these hosts.
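As an added example (not Facebook's or any browser's code) of what "expect valid SCTs" means on the wire: the SCT list a server delivers, whether embedded in the certificate, sent in a TLS extension or stapled with OCSP, is parsed below into its RFC 6962 fields and then checked against a simplified policy. That policy (at least two SCTs from distinct known logs, none timestamped in the future) is an assumption standing in for a browser's real CT policy, and the signature check each SCT needs against the log's public key is omitted. Log IDs, timestamps and signature bytes in the sample are constructed; `parse_expect_ct()` parses the header a site would serve.

```python
"""Parse a SignedCertificateTimestampList and an Expect-CT header (added example).

The SCT wire format follows RFC 6962 s3.2/3.3. The policy in ct_policy_ok()
is a simplified assumption, not any browser's exact rules, and signatures are
not verified here.
"""
import struct
from dataclasses import dataclass


@dataclass
class SCT:
    version: int        # 0 = v1
    log_id: bytes       # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int       # TLS SignatureAndHashAlgorithm: 4 = sha256
    sig_alg: int        # 3 = ecdsa
    signature: bytes


def _u16(buf: bytes, pos: int):
    return int.from_bytes(buf[pos:pos + 2], "big"), pos + 2


def encode_sct(sct: SCT) -> bytes:
    return (bytes([sct.version]) + sct.log_id + struct.pack(">Q", sct.timestamp_ms)
            + len(sct.extensions).to_bytes(2, "big") + sct.extensions
            + bytes([sct.hash_alg, sct.sig_alg])
            + len(sct.signature).to_bytes(2, "big") + sct.signature)


def encode_sct_list(scts) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then length-prefixed SCTs."""
    body = b"".join(len(s).to_bytes(2, "big") + s for s in map(encode_sct, scts))
    return len(body).to_bytes(2, "big") + body


def parse_sct(buf: bytes) -> SCT:
    if buf[0] != 0:
        raise ValueError("unsupported SCT version")
    log_id = buf[1:33]
    (timestamp_ms,) = struct.unpack(">Q", buf[33:41])
    ext_len, pos = _u16(buf, 41)
    extensions, pos = buf[pos:pos + ext_len], pos + ext_len
    hash_alg, sig_alg = buf[pos], buf[pos + 1]
    sig_len, pos = _u16(buf, pos + 2)
    signature = buf[pos:pos + sig_len]
    if pos + sig_len != len(buf):
        raise ValueError("trailing bytes in SCT")
    return SCT(0, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes):
    total, pos = _u16(data, 0)
    if pos + total != len(data):
        raise ValueError("bad SCT list length")
    scts = []
    while pos < len(data):
        n, pos = _u16(data, pos)
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def ct_policy_ok(scts, known_logs, now_ms, min_logs=2) -> bool:
    """Simplified CT policy (assumption): SCTs from >= min_logs distinct known logs,
    none dated in the future. Real clients also verify each SCT's signature."""
    good = {s.log_id for s in scts if s.log_id in known_logs and s.timestamp_ms <= now_ms}
    return len(good) >= min_logs


def parse_expect_ct(header: str) -> dict:
    """Parse 'max-age=86400, enforce, report-uri="..."' into a directive dict."""
    out = {}
    for directive in header.split(","):
        name, _, value = directive.strip().partition("=")
        out[name.lower()] = value.strip().strip('"') if value else True
    return out


# Constructed sample: two known logs, one unknown; signatures are dummy bytes.
KNOWN_LOGS = {b"\x01" * 32, b"\x02" * 32}
NOW_MS = 1513255200000
SAMPLE_SCTS = [
    SCT(0, b"\x01" * 32, NOW_MS - 60000, b"", 4, 3, b"\x30\x44" + b"\x00" * 68),
    SCT(0, b"\x02" * 32, NOW_MS - 60000, b"", 4, 3, b"\x30\x45" + b"\x00" * 69),
    SCT(0, b"\x09" * 32, NOW_MS - 60000, b"", 4, 3, b"\x30\x44" + b"\x00" * 68),  # unknown log
]
SAMPLE_LIST = encode_sct_list(SAMPLE_SCTS)
EXPECT_CT = 'max-age=86400, enforce, report-uri="https://example.com/ct-report"'

if __name__ == "__main__":
    print(parse_expect_ct(EXPECT_CT))
    for s in parse_sct_list(SAMPLE_LIST):
        print(s.log_id.hex()[:8], s.timestamp_ms, "known" if s.log_id in KNOWN_LOGS else "UNKNOWN log")
    print("policy satisfied:", ct_policy_ok(parse_sct_list(SAMPLE_LIST), KNOWN_LOGS, NOW_MS))
```

An SCT from a log the client does not recognise counts for nothing, which is why the sample still passes with its third, unknown-log SCT ignored and fails once only one known log remains.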

The usefulness of the Certificate Transparency Monitor highlights the need for organizations to keep track of their certificates and watch for abuse. To help with that, Venafi TrustNet combines Google CT log data with data collected from its own sensor network to identify misused certificates, which companies can then remediate, protecting their brand against bad actors.

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire, and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
