Facebook's utility makes use of Certificate Transparency (CT), an open framework which helps log, audit, and monitor all publicly trusted Transport Layer Security (TLS) certificates issued by certificate authorities (CAs) on the web. The social network platform had been tracking Certificate Transparency logs internally since 2015 and found it to be useful. That's when it decided to build its Certificate Transparency Tool and make it freely available to everyone.
Niemczura and Huang explain how the tool works:
Facebook's Product Security team uses the Certificate Transparency framework to run a Certificate Transparency Monitor which consistently checks CT logs for newly issued certificates. When gathering this data, we fetch and store the publicly-published certificate information from a collection of Certificate Authorities that support a standardized CT logging format. We match every new certificate with a set of domain subscriptions in our system, and we notify respective subscribers about the updates. If a domain owner receives a notification that a CA issued a certificate for their domain without an explicit request, they will likely want to contact the CA, make sure their identity is not compromised, and consider revoking the certificate.
The benefits of using the Certificate Transparency Monitor are many. Large sites like Facebook can use the tool to detect certificates issued for their domains that they did not request or expect. At the same time, small sites that aren't actively monitoring their domains for certificates can leverage it to stay informed. Organizations of every size can then use this information to stay abreast of potential vulnerabilities and attacks.
To help developers get even more out of the Certificate Transparency Monitor, Facebook has issued four updates to its tool. The first change opens up a Webhooks API, which allows developers to register a webhook and define the domains they'd like to monitor using the tool. Whatever endpoint the developer specifies will then receive a request about any newly issued certificate the tool detects for their monitored domains.
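The matching step described above (new log entries checked against domain subscriptions, then a notification per subscriber) and the webhook body it would produce, written out as an added example rather than Facebook's own code; the entry format, the domain-matching rules for wildcard names, and the `unexpected` marker (a fingerprint the subscriber did not register as their own) are assumptions, and the log entries are constructed sample data.

```python
import json
from collections import defaultdict, namedtuple

# One certificate parsed from a CT log: log id, index, issuer, hex fingerprint of
# the leaf, and the names it covers (subject CN plus SAN dNSNames). Assumed layout.
CertEntry = namedtuple("CertEntry", "log_id index issuer sha256 names")

def covers(name, domain):
    """True if a certificate name (wildcard allowed) covers the subscribed domain
    or any host under it, so the subscriber should hear about the certificate."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    if name.startswith("*."):
        base = name[2:]
        if base == domain or base.endswith("." + domain):
            return True                     # *.example.com, *.x.example.com
        return domain.partition(".")[2] == base   # *.com covers example.com itself
    return name == domain or name.endswith("." + domain)

def match_entries(entries, subscriptions):
    """Map each subscriber to the log entries that touch a domain they watch."""
    hits = defaultdict(list)
    for entry in entries:
        for domain, subscribers in subscriptions.items():
            if any(covers(n, domain) for n in entry.names):
                for sub in subscribers:
                    hits[sub].append(entry)
    return dict(hits)

def webhook_payloads(hits, known):
    """Build the JSON body each subscriber's webhook endpoint would receive; a
    fingerprint the subscriber has not registered as their own is marked unexpected."""
    return {sub: json.dumps([{"log": e.log_id, "index": e.index, "issuer": e.issuer,
                              "sha256": e.sha256, "names": list(e.names),
                              "unexpected": e.sha256 not in known.get(sub, set())}
                             for e in entries], sort_keys=True)
            for sub, entries in hits.items()}

# Constructed sample input (not real log data): three entries, two subscribers.
ENTRIES = [
    CertEntry("log-a", 101, "Example CA 1", "aa11", ("www.example.com", "example.com")),
    CertEntry("log-a", 102, "Example CA 2", "bb22", ("*.corp.example.net",)),
    CertEntry("log-b", 7, "Example CA 1", "cc33", ("shop.unrelated.org",)),
]
SUBSCRIPTIONS = {"example.com": ["alice"], "corp.example.net": ["bob", "alice"]}
KNOWN = {"alice": {"aa11"}}   # alice requested aa11 herself; bb22 is a surprise

if __name__ == "__main__":
    for sub, body in webhook_payloads(match_entries(ENTRIES, SUBSCRIPTIONS), KNOWN).items():
        print(sub, body)
```

An entry marked `unexpected` is the case the quoted text describes: the domain owner contacts the CA, checks for identity compromise, and considers revocation.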
Niemczura makes the gain of this first change clear to eWEEK:
The advantage of using Webhook API is that the Webhooks feature allows apps to receive real-time notifications of changes to selected pieces of data. By using the Webhook API, a developer can simply receive a request whenever Facebook detects new certificates for their domains - all of the challenges mentioned earlier are being taken care of on Facebook's side.
Developers who use the Certificate Transparency Monitor can now also use an API that helps with querying certificates and receive certificate updates on Facebook via push notifications. All the while, Facebook will use the same backend system that powers Facebook Graph to monitor more than 20 publicly available CT Logs that currently document 40,000 new certificates every hour.
Looking ahead, the engineers at Facebook are also working on implementing Expect-CT, an HTTP header sent to web browsers which websites can use to instruct them to accept only connections whose certificates are found in a CT Log. Niemczura hopes it will help grow the adoption of CT Logs:
When someone submits a valid certificate to a CT Log, the log responds with a signed certificate timestamp (SCT), which is simply a promise to add the certificate to the log within some time period. The Expect-CT header allows web host operators to instruct user agents, typically browsers, to expect valid SCTs to be served on connections to these hosts.
The usefulness of Certificate Transparency Monitor highlights the need for organizations to stay on top of their certificates and watch out for instances of abuse. To help companies with that responsibility, Venafi TrustNet uses Google CT log information as well as other data collected from its sensor network to identify misused certificates. Companies can use Venafi's solutions to then remediate those abused certificates, thereby protecting their brand against bad actors.