Apoorv Joshi

Facebook Built A Tool To Detect Rogue SSL Certificates

There are cases where TLS/SSL certificates for a domain have been issued without the domain owner's knowledge or consent. Facebook has launched a tool that lets an owner find such certificates, using data collected from the many public Certificate Transparency (CT) logs. CT records issued certificates in publicly accessible, append-only logs; browser policies increasingly require a CA to log every certificate it issues, so that anyone can see what has been issued for a given name.

Because not every CA submits its certificates to CT logs, the coverage is still incomplete: a certificate mis-issued by a CA that does not log will not show up in any monitor. CT only delivers its full benefit once logging is mandatory for all CAs. Google was the first to force the issue by announcing that Chrome would require CT for certificates issued after October 2017 (a deadline Google later moved to 30 April 2018). A certificate issued after that date without CT log proof will not be trusted by Chrome.

Facebook built a tool to detect rogue SSL certificates

Facebook understood the importance of adopting CT and decided to build a tool for the public that helps other companies keep track of the certificates issued for their domains. With this tool a domain owner can:

  • Detect a mis-issued certificate within about an hour of it appearing in a CT log

  • Keep track of the existing certificates in use for their domains

  • Subscribe to e-mail alerts whenever a new certificate for their domain appears in CT logs

If you receive an alert about a certificate that you did not request, follow these steps:

  • Contact the CA that issued the certificate and report that the issuance was not authorised

  • Make sure your identity, and the channels a CA uses to validate domain control (DNS, e-mail, web server), have not been compromised

  • Ask the issuing CA to revoke the certificate

How Facebook’s tool helps domain owners

Facebook’s tool makes it easier for a domain owner (or security team) to search and keep track of the certificates associated with their domain through CT logs. CT logs are publicly accessible, append-only lists of issued certificates. The CT framework defines the roles and procedures around those logs, including:

  • How CAs (and domain owners) submit TLS certificates to public logs

  • Auditing the logs to verify that certificates were properly appended and that the log is consistent over time

  • Monitoring the logs for new entries

The threats CT addresses include:

  • Mis-issued certificates

  • Stolen or maliciously acquired certificates

  • Rogue certificate authorities

The tool periodically fetches new entries from all public CT logs and syncs them into its own store before running user-supplied queries against it, so a search does not have to hit every log in real time. Whenever a new entry matching a subscription shows up in the synced data, the subscriber receives an e-mail notification. There are no restrictions on usage: anyone can search the logs for any domain.
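The workflow described above and in the feature list earlier (fetch new log entries periodically, keep only what has not been processed yet, match entries against a watched domain, alert on anything new and flag what the owner did not issue) is small enough to sketch end to end. The following is an added example written for this article; it is not Facebook's tool and does not talk to real logs. Log names, indices, issuer names and fingerprints are constructed sample data, and entries are assumed to be already decoded into subject names (a real client would first parse the MerkleTreeLeaf returned by a log's get-entries call into the certificate and extract its SANs):

```python
"""Minimal CT-log monitor: per-log watermarks, domain matching, one alert per cert.

Added illustration, not Facebook's code. Entries are constructed, pre-decoded
records; a real monitor would decode MerkleTreeLeaf/DER certificates first.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CTEntry:
    log: str                # which log the entry was fetched from (constructed name)
    index: int              # leaf index within that log
    fingerprint: str        # SHA-256 of the leaf certificate, hex (constructed)
    issuer: str             # issuing CA (constructed)
    sans: Tuple[str, ...]   # dNSName values from subjectAltName


def name_matches(watched: str, san: str) -> bool:
    """True if a SAN concerns the owner of `watched`: the name itself, any
    subdomain of it, or a wildcard rooted at or below it (*.example.com)."""
    watched = watched.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]          # compare the wildcard's base domain
    return san == watched or san.endswith("." + watched)


@dataclass
class Monitor:
    watched: str
    known: Set[str]                                            # fingerprints the owner expects
    next_index: Dict[str, int] = field(default_factory=dict)   # per-log sync watermark
    alerted: Set[str] = field(default_factory=set)             # certs already reported

    def sync(self, log: str, entries: List[CTEntry]) -> List[Tuple[CTEntry, bool]]:
        """Consume one batch from one log in index order. Returns (entry, expected)
        for every certificate newly seen for the watched domain. Entries at or
        below the watermark (overlapping or repeated fetches) are ignored, and the
        same certificate appearing in a second log is reported only once."""
        alerts = []
        for e in sorted(entries, key=lambda x: x.index):
            if e.index < self.next_index.get(log, 0):
                continue                                   # already processed
            self.next_index[log] = e.index + 1
            if not any(name_matches(self.watched, s) for s in e.sans):
                continue                                   # not our domain
            if e.fingerprint in self.alerted:
                continue                                   # seen via another log
            self.alerted.add(e.fingerprint)
            alerts.append((e, e.fingerprint in self.known))
        return alerts


def format_alert(entry: CTEntry, expected: bool) -> str:
    status = "expected" if expected else "UNEXPECTED: contact the issuing CA and check for compromise"
    return (f"[{status}] {entry.log}#{entry.index} issuer={entry.issuer!r} "
            f"sans={', '.join(entry.sans)} sha256={entry.fingerprint[:16]}...")


# Constructed sample batches, as if returned by two different logs.
BATCH_LOG_A = [
    CTEntry("log-a", 100, "aa" * 32, "Example CA", ("www.example.com", "example.com")),
    CTEntry("log-a", 101, "bb" * 32, "Other CA", ("shop.notexample.com",)),   # must not match
    CTEntry("log-a", 102, "cc" * 32, "Some CA", ("*.example.com",)),          # wildcard
]
BATCH_LOG_B = [
    CTEntry("log-b", 7, "cc" * 32, "Some CA", ("*.example.com",)),             # same cert, second log
    CTEntry("log-b", 8, "dd" * 32, "Some CA", ("mail.EXAMPLE.com.",)),         # case / trailing dot
]


def run_demo() -> List[str]:
    """Owner of example.com knows only the 'aa...' certificate; everything else
    for the domain is new and unexpected. Returns the alert lines produced."""
    mon = Monitor(watched="example.com", known={"aa" * 32})
    lines = [format_alert(e, ok) for e, ok in mon.sync("log-a", BATCH_LOG_A)]
    lines += [format_alert(e, ok) for e, ok in mon.sync("log-b", BATCH_LOG_B)]
    # Re-fetching an already synced range must not produce duplicate alerts.
    lines += [format_alert(e, ok) for e, ok in mon.sync("log-a", BATCH_LOG_A)]
    return lines


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two details matter in practice and are easy to get wrong: the `notexample.com` case shows why matching must be on label boundaries rather than a plain suffix test, and the duplicated `cc...` certificate shows why alerts should be keyed by certificate fingerprint, since CAs commonly submit the same certificate to several logs and a monitor that keys on log index will page the owner once per log.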
