Cert Transparency - secuguru/security-terms GitHub Wiki

Certificate Transparency (CT) is an open framework and security standard designed to detect and prevent the issuance of rogue or misused SSL/TLS certificates by maintaining publicly auditable logs of certificates. It helps ensure the integrity and trustworthiness of the public key infrastructure (PKI).

1. Purpose of Certificate Transparency

  • Detect Misissued Certificates:
    • Ensure that certificate authorities (CAs) are not issuing certificates without the domain owner’s knowledge or consent.
  • Prevent Rogue Certificates:
    • Make it harder for attackers or malicious entities to exploit fake or fraudulent certificates.
  • Enable Auditing:
    • Allow anyone (e.g., website owners, security researchers) to monitor and audit certificate issuance in near real-time.

2. How Certificate Transparency Works

CT introduces three main components:

a. Public Logs

  • Logs are append-only and publicly accessible, listing all certificates issued by participating CAs.
  • Each certificate is cryptographically signed to ensure integrity.
  • Logs include:
    • Domain name.
    • Certificate details (e.g., issuer, validity period).
  • Examples:
    • Google’s Argon and Xenon logs.
    • Cloudflare’s Nimbus log.

b. Monitors

  • Systems or entities that inspect logs for suspicious certificates.
  • Monitors may:
    • Alert domain owners about unauthorized certificate issuance.
    • Track issuance patterns to identify anomalies.

c. Auditors

  • Tools or entities that verify the integrity and completeness of log entries.
  • Ensure that logs are consistent and adhere to the CT framework.

3. Key Features of Certificate Transparency

  • Append-Only Logs:
    • Entries cannot be deleted or modified once added.
    • Logs use Merkle Trees for cryptographic consistency proofs.
  • Public Verification:
    • Anyone can query and verify certificates against CT logs.
  • Near Real-Time Updates:
    • Logs are updated continuously, providing quick visibility into new certificates.

4. Benefits of Certificate Transparency

  1. Improved Trust in PKI:
  • Exposes misbehavior by CAs, fostering greater accountability.
  1. Early Detection:
  • Quickly identify and revoke unauthorized or malicious certificates.
  1. Enhanced Security:
  • Reduces risks of phishing, MITM attacks, and impersonation via rogue certificates.
  1. Compliance:
  • Many browsers require CT compliance for extended validation (EV) and domain validation (DV) certificates.

5. Browser and CA Requirements

  • Browser Enforcement:
    • Modern browsers like Chrome and Safari enforce CT policies:
      • Require certificates to be logged in CT to be trusted.
      • Display warnings for certificates not logged in CT.
    • CA Participation:
      • CAs must log certificates in public CT logs to remain trusted by browsers.

6. Verifying Certificates Using CT Logs

You can verify a certificate’s transparency by checking it against public CT logs:

a. Tools for Verification

  • crt.sh:
    • A public tool for searching and inspecting CT logs.
    • Example:
      • Search for all certificates issued to example.com.
    • Google Transparency Report:
      • View certificates logged by Google’s CT logs.
    • Command-Line Tools:
      • Use OpenSSL or third-party tools to extract SCTs (Signed Certificate Timestamps) and validate them.

b. Signed Certificate Timestamps (SCTs)

  • SCTs are proof that a certificate has been logged in a CT log.
  • They are included in:
    • The certificate itself.
    • The TLS handshake.
    • The OCSP response.

7. Examples of Use Cases

a. Domain Owners

  • Monitor CT logs to ensure no unauthorized certificates are issued for their domains.

b. Certificate Authorities

  • Log all issued certificates to comply with browser and industry standards.

c. Security Researchers

  • Audit CT logs to identify trends or anomalies in certificate issuance.

8. Real-World Examples of Certificate Transparency Usage

  1. Preventing Misissued Certificates:
  • Google discovered certificates issued for its domains by Symantec in 2015, leading to stricter CT enforcement.
  1. Monitoring Domain Certificates:
  • Organizations like Facebook and Cloudflare actively monitor CT logs for unauthorized certificates.
  1. Identifying Threats:
  • Researchers use CT to detect phishing campaigns using fraudulent certificates.

9. Challenges and Limitations

  1. Log Trustworthiness:
  • Logs themselves must be secure and tamper-proof to maintain integrity.
  1. Incomplete Adoption:
  • Not all CAs or certificates are logged, reducing visibility in some cases.
  1. Scalability:
  • Managing and auditing large-scale logs can be resource-intensive.

10. Summary

Aspect Details
What is CT? A framework for logging and auditing SSL/TLS certificates in public logs.
Core Components Public logs, monitors, auditors.
Key Mechanism Append-only logs with cryptographic integrity (Merkle Trees).
Benefits Detects rogue certificates, improves PKI trust, enables auditing.
Browser Enforcement Required by browsers like Chrome and Safari for certificate validation.
Verification Tools crt.sh, Google Transparency Report, OpenSSL.

11. Conclusion

Certificate Transparency is a critical component of modern web security, offering transparency, accountability, and early detection of misissued or malicious SSL/TLS certificates. By leveraging CT logs and tools, organizations and individuals can enhance trust in the internet’s public key infrastructure and prevent security breaches caused by rogue certificates.