Certificate Transparency

Certificate Transparency is a framework that allows you to identify improperly issued TLS certificates and potential phishing domains.

Background

Transport Layer Security (TLS) allows you to securely exchange data between clients and servers. Web browsers use TLS certificates to perform encryption and also to identify trusted and untrusted web sites. If a web browser encounters an untrusted certificate it will warn the user that the site is untrusted and to proceed with caution.

In order to prevent visitors to your site from seeing an untrusted web site warning when using TLS, you must request a publicly-trusted certificate from a Certificate Authority (CA). There are hundreds of CAs, and they all perform various actions to verify your digital identity before issuing you a publicly-trusted certificate.

Problems can arise, however, if a CA is compromised or mis-issues a publicly-trusted certificate. When this happens it may take weeks before the CA can identify and revoke any improperly issued certificates.

To address this problem, the Certificate Transparency (CT) open framework has been introduced. The CT framework allows anyone to log, audit, and monitor publicly-trusted TLS certificates newly issued by any CA.

To help you take advantage of this framework, we have built a free monitoring tool to help you discover any certificates that have been newly issued for specific domains.

Certificate Transparency Monitoring Tool

Our Certificate Transparency Monitoring Tool works by continuously fetching and storing data from a set of known public Certificate Authority CT logs. You can use our Certificate Transparency API to search the data store for newly issued certificates, or to subscribe domains for certificate alerts and phishing alerts.

Searching for Certificates

You can use our Certificate Transparency API or web interface to search for certificates by domain.

Certificate Alerts

By subscribing a domain to certificate alerts, we can notify you whenever a new certificate has been issued for that domain.

To use certificate alerts:

  1. Set up a certificate alert webhook.
  2. Use the Certificate Transparency API (or our web interface) to subscribe your domain for certificate alerts.
  3. Set up a script that can parse certificate alert webhook payloads and immediately use their contents to search for certificates through the API.

We will then begin sending you webhook notifications whenever new certificates are issued for any of the subscribed domains.

If you discover that a CA has issued a new certificate that you didn't request, for a domain that you own, you can contact the CA to make sure your digital identity has not been compromised and to determine if the certificate should be revoked.

Phishing Alerts

Bad actors can drive unsuspecting visitors to phishing websites through various domain-related tactics, including obtaining TLS certificates for domain names that:

  • use a legitimate domain name as a subdomain of an evil domain (facebook.com-phishing.website.com),
  • use easily confused unicode characters (facҽbook.com), or
  • look otherwise similar to a legitimate domain.

By subscribing a legitimate domain to phishing alerts, we can notify you whenever a new certificate is issued for a domain that may be phishing the legitimate domain.
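The three phishing criteria listed above, turned into a small classifier as an added example (this is not the monitoring tool's own matching logic, which the page does not publish); the confusable table is a constructed subset of the Unicode confusables, and the registrable domain is approximated by the last two labels rather than the Public Suffix List:

```python
import unicodedata

# Constructed, illustrative subset of look-alike characters (the real confusables table is far larger).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u04bd": "e", "\u0131": "i", "\u0261": "g",
}

def decode(hostname):
    """Lowercase, decode punycode (xn--) labels and NFKC-normalise, as a CT log entry's SAN might need."""
    labels = []
    for label in hostname.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(unicodedata.normalize("NFKC", label))
    return ".".join(labels)

def fold(name):
    """Map confusable characters to the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)

def edit_distance(a, b):
    """Levenshtein distance, used for the 'looks otherwise similar' criterion."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_reason(candidate, legit, max_distance=2):
    """Return which criterion `candidate` matches against `legit`, or None if it looks genuine or unrelated."""
    decoded = decode(candidate)
    skel = fold(decoded)
    if skel == legit or skel.endswith("." + legit):
        # The legitimate domain or a real subdomain of it, unless look-alike characters were folded away.
        return None if skel == decoded else "confusable-characters"
    if legit in skel:
        # Legitimate name appears inside the hostname but under another registrable domain.
        return "legit-domain-embedded"
    registrable = ".".join(skel.split(".")[-2:])  # assumption: last two labels
    if edit_distance(registrable, legit) <= max_distance:
        return "similar-domain"
    return None
```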

If you receive a notification and determine that a suspicious domain may be phishing your legitimate domain, you can take several steps:

  • Reach out to domain registrars to suspend the domain in case of intellectual property infringement.
  • Reach out to browser vendors to add domains to the block list and display UI warnings regarding insecure websites.
  • Reach out to Certificate Authorities to revoke certificates for any potential phishing domains.
  • Alert people who use your service to be vigilant of potential attacks.

To use phishing alerts:

  1. Set up a phishing alert webhook.
  2. Use the Certificate Transparency API (or our web interface) to subscribe your domain for phishing alerts.
  3. Set up a script that can parse phishing alert webhook payloads and immediately use their contents to search for certificates through the API.

We will then begin sending you webhook notifications whenever new certificates are issued for domains that match our phishing criteria and thus may be phishing any of the subscribed domains.

Web Interface

If you don't want to use the webhook API, you can instead use our web interface to search for certificates and set up email, push, and Facebook on-site notifications.