
As I understand it, Certificate Transparency provides proof to the client that the presented certificate is publicly accessible in CT logs. The certificate being in the logs enables a domain owner to detect that a certificate has been issued for its domain that was not requested by him, which would be worrying.

The domain owner can then exchange a few harsh words with the certificate authority to get the malicious certificates revoked and possibly understand what is going on. If executed perfectly, this can bring down malicious certificates in hours/days instead of months/never - so far so good.

My question is, how is a domain owner expected to check for certificates issued for the domain it owns in practice?

I understand that it is theoretically possible to do so, but I don't believe many domain owners actively monitor CT logs?

Are domain owners supposed to periodically review the certificates issued to their domain? Are there tools available to get a notification when a certificate linked to a given domain is added to the logs?

In small to medium-sized businesses, I simply don't expect this to be a topic on the radar of the IT/security teams. In very large organisations, I would expect it would be hard to centrally monitor this, as many departments may be able to request (legitimate) certificates for the websites/apps they manage for the business.

But without the domain owners monitoring the CT logs, anyone that can coerce a CA to issue an illegitimate certificate could also sign it in a CT log without being noticed – which would make the whole system pointless.

JazZeus
    There are services available that will monitor the CT logs for a domain owner, and alert the domain owner whenever a certificate is issued for the domain. For example, see https://blog.cloudflare.com/introducing-certificate-transparency-monitoring/ – mti2935 Feb 28 '22 at 14:24
    I wasn't aware; that's very useful. I ended up subscribing to Facebook's CT monitoring tool (https://developers.facebook.com/tools/ct/search/) as I am not a customer of Cloudflare. But is this it? Is this what all domain owners are supposed to do to protect their users from MITM / phishing attacks? – JazZeus Feb 28 '22 at 15:44
  • Sounds like a plan. Monitoring the CT logs will go a long way to preventing MITM attacks in cases where a legitimate CA unwittingly issues a cert for your site to an attacker. However, there are other ways that your site can be MITM'd. For example, an attacker can create a self-signed certificate for your site, and dupe the user into trusting it. WRT phishing, CT logs won't help, because the attacker is luring the user to a different domain (e.g. p4yp4l.com instead of paypal.com). You may also want to implement HSTS for your site, so that an attacker cannot mount an sslstrip attack. – mti2935 Feb 28 '22 at 16:01
  • As you can see, there is no 'one size fits all' solution when it comes to securing a web site. There are a multitude of different types of attacks that attackers can mount, so there are many defenses that must be put in place. But, monitoring CT logs and implementing HSTS is a good start. You might also want to look into hardening the TLS protocols and ciphers that your site uses, and implement a strict content security policy (CSP). – mti2935 Feb 28 '22 at 16:06
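The question asks what "periodically reviewing the certificates issued to your domain" looks like in practice, and the comments point out that a monitoring feed is the usual input. The script below is an added illustration, not code from the question, the comments, or any of the monitoring services mentioned: it assumes a feed of CT-observed (pre)certificates has already been obtained from a monitoring service (the `CtEntry` shape, the issuer names and every serial number are constructed for the example) and shows the review step a domain owner would run over it: anything covering the owner's namespace that is not already on file is reported, with a stronger severity when the issuer is a CA the owner never deals with. It also reproduces the caveat from the comments by design: a lookalike domain such as `examp1e.com` never matches the owner's namespace, so CT review produces no finding for it.

```python
"""Review a feed of certificates seen in CT logs against what the domain owner
expects to exist. Added illustration; the feed, issuer names and serials are
constructed and do not come from any real log or monitoring service."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CtEntry:
    """One (pre)certificate as a monitoring feed might report it (assumed shape)."""
    issuer: str      # issuer name as recorded in the logged certificate
    serial: str      # certificate serial number, hex (constructed values below)
    not_before: str  # validity start, ISO date
    names: tuple     # CN plus subjectAltName dNSNames


# Constructed sample feed: what a monitor might report for "example.com" in one day.
SAMPLE_FEED = [
    CtEntry("Approved CA A", "03a1", "2022-02-27", ("example.com", "www.example.com")),
    CtEntry("Approved CA A", "03b7", "2022-02-28", ("shop.example.com",)),
    CtEntry("Some Other CA", "9f02", "2022-02-28", ("*.example.com",)),
    CtEntry("Approved CA B", "c410", "2022-02-28", ("examp1e.com", "www.examp1e.com")),
    CtEntry("Some Other CA", "9f03", "2022-02-28", ("example.com.evil.test", "notexample.com")),
]

# What the owner has on file: CAs under contract, and (issuer, serial) pairs
# already recorded in the certificate inventory.
APPROVED_ISSUERS = {"Approved CA A", "Approved CA B"}
KNOWN_SERIALS = {("Approved CA A", "03a1")}


def name_matches_domain(name, domain):
    """True if `name` (possibly a wildcard) is `domain` or a subdomain of it.

    The leading-dot check is what keeps "notexample.com" and
    "example.com.evil.test" outside the owner's namespace.
    """
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def review(feed, domain, approved_issuers, known_serials):
    """Return findings for feed entries that cover `domain` but are not on file."""
    findings = []
    for entry in feed:
        covered = [n for n in entry.names if name_matches_domain(n, domain)]
        if not covered:
            continue  # not our namespace; lookalike domains fall through here
        if (entry.issuer, entry.serial) in known_serials:
            continue  # already inventoried, nothing to do
        if entry.issuer not in approved_issuers:
            severity = "alert"   # a CA we never deal with issued for our names
        else:
            severity = "review"  # approved CA, but nobody recorded the request
        findings.append({
            "severity": severity,
            "issuer": entry.issuer,
            "serial": entry.serial,
            "not_before": entry.not_before,
            "names": covered,
        })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_FEED, "example.com", APPROVED_ISSUERS, KNOWN_SERIALS):
        print(f"{f['severity']:6} issuer={f['issuer']!r} serial={f['serial']} "
              f"names={','.join(f['names'])}")
```

The two-tier result maps onto the organisational problem raised in the question: an `alert` (unknown CA) is the case the question worries about and goes straight to the security team, while a `review` (approved CA, unrecorded serial) is most often a department that requested a certificate without telling anyone, which is why the `KNOWN_SERIALS` inventory should be fed by the internal certificate request process rather than maintained by hand.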
