Certificate Transparency is a publicly logging of Transport Layer Security (TLS) certificates. This open framework is defined in the experimental RFC 6962 1https://datatracker.ietf.org/doc/html/rfc6962 (Request For Comments).
What is certificate transparency and its uses?
Before providing details on Certificate Transparency, it is essential to recall how certificates are issued and what are their goals.
Transport Layer Security
Transport Layer Security, the successor of Secure Sockets Layer (SSL), is a standard cryptographic protocol designated to provide authentication, confidentiality, and data integrity between two communicating computer applications.
This cryptographic protocol is partly based on asymmetric encryption using public-key cryptography. Public-key cryptography uses a key pair for encryption and decryption, rather than just a single key. The protocol uses this cryptography to establish a master secret shared between the client and the server. This makes it possible for information exchanged in a fast and secure way via symmetrical encryption.
The TLS implementation is known to be widely used on HTTP protocol to secure communications. This secure extension of HTTP is called HTTPS (Hypertext Transfer Protocol Secure). Browsers have chosen to show this as a sign of trust by displaying users a small padlock next to the URL when HTTPS is used or a crossed-out padlock when HTTPS is not used.
Nowadays, most websites are using HTTPS. In fact, according to Firefox’s telemetry, more than 80% of pages are loaded using HTTPS2https://letsencrypt.org/stats/. In this way, the use of digital certificates is essential for this protocol.
Public Key Infrastructure
TLS relies on trusted third-party certificate authorities (CA) to establish the authenticity of certificates. CA vendors must follow a certain amount of security rules3https://docs.microsoft.com/en-us/previous-versions//cc751157(v=technet.10)?redirectedfrom=MSDN for their certificates to be integrated into users’ browsers.
Then, the browsers trust CA Certificates to check the validity of the websites’ presented certificates. A digital certificate confirms the ownership of a public key. This allows parties to rely upon signatures made by the private key that corresponds to the certified public key.
Thus, stakeholders can rely on the signatures made by the private key that corresponds to the certified public key. Some browsers have taken the step of forcing certification authorities to take part in this system and to publish all their certificates. Google Chrome requires Certificate Transparency logs for the website you are visiting. Otherwise, users will be prevented with a warning message that there are visiting websites using non-compliant TLS certificates.
The need for certificates issuing public logging
Before the RFC 6962, requiring public logging, it was excessively difficult or even impossible to identify fraudulent certificates. The definition of this RFC has been released a few months after the compromise of a certification authority DigiNotar 4https://en.wikipedia.org/wiki/DigiNotar. This compromise had led the Dutch government to take over the operational management of the company.
Moreover, a compromise that can issue trusted certificates 5https://en.wikipedia.org/wiki/Comodo_Cybersecurity#Certificate_hacking had also been observed a few months before the compromise DigiNotar. The final goal of public logging is to record all certificates issued by publicly trusted certification authorities to allow anyone to audit the certificate authority activities.
When a TLS certificate is issued, some information is present in this certificate. It includes especially:
- The serial number,
- The issuer, i.e., the trusted certification authority that issued the certificate,
- The subject, i.e., the purpose of the certificate, what it will be used for (email, domain, etc.)
- The validity of the certificate, i.e., the start and end dates of the certificate validity.
As the audit is made possible by the Certificate Transparency, issuing a certificate for a domain without the domain owner’s knowledge is theoretically impossible as everyone has access to the list of certificates.
In practice, given the number of certificates published, it is very difficult to verify these publications which are estimated at about 6 billion since the edition of the Certificate Transparency RFC in 2013.
For example, to take the scale of the volumetry, during the month of January 2022, Excellium Services processed 313.769.277 certificates, which means more than 10 million per day.
Various organizations or projects are trying to provide public access to the list of published certificates Certificate Transparency, including crt.sh (Certificate Search) developed by Sectigo (a renowned Certificate Authority).
Fields inside a certificate and examples
To better understand the interesting fields that these certificates contain, let’s deep dive into examples. We’ll take for the purpose of this first demonstration, the Excellium Services’ certificate that one can find on our website 6https://crt.sh/?id=6063368936.
- The first certificate (serial number 50:c8:3a:69:1c:61:8d:0c:18:e5:d6:02:bf:99:4b:50) is a leaf certificate, this means that it cannot be used to sign other certificates.
- This certificate has been issued by Sectigo Limited and will be valid until February 28 23:59:59 2023 GMT. As mentioned above, the subject that corresponds to the purpose of the certificate mentions Excellium Services.
- In this certificate, there is also the information called ‘X.509’ which is a standard defining the format of public-key certificates.
- In these X.509 extensions, there is Subject Alternative Name (SAN) that allows the issuer to specify additional hostnames to use.
- Here it remains quite simple because the subject corresponds to the same entity as the SAN extensions.
However, the analysis can be much more complex than expected, especially when the subject matter is completely different from the extensions provided.
On the certificate 03:9a:c5:14:e8:45:40:29:99:84:3e:ba:9d:4d:97:a7:a0:d17https://www.infoworld.com/article/3019926/cyber-criminals-abusing-free-lets-encrypt-certificates.html ,tls.automattic.com is the subject of the certificate whereas the SANs contain a large set of (apparently) unrelated domains including excellium-services.com.
This is a certificate issued for a set of websites that run under the WordPress framework. WordPress automatically manages the certificates on the websites they manage. To do this, they use certificates from the Let’s Encrypt Certification Authority which is the largest issuer of free certificates.
As described on their website8https://wordpress.com/support/https-ssl/, they use tls.automattic.com in the Common Name of the subject to improve their performance and to simplify the process of issuing certificates.
EyeDeep to the rescue
Thus, the data present in this certificate can be used to actively look for certificates that want to impersonate you or your brand. That is why this monitoring of certificates is carried out by Excellium Services via EyeDeep.
EyeDeep is a product from Excellium Services designed to monitor data from different sources to find out any data within the customer interest (data leaks or potential threats).
In this context, one of EyeDeep’s functionalities is the Certificate Transparency monitoring. EyeDeep continuously listens to certificate transparency providers for the creation or update of certificates. In addition to solving the problems of data volumes to be ingested, this tool takes customer inputs to find certificates that could be used by malicious actors.
This can help find typosquatting domains, subdomains with a monitored keyword or domain. A typosquatting is an URL hijacking that relies on hijacking a brand. For example, if your company is called ‘ACME’, a malicious actor could register a certificate with a domain name such as aacme.com.
Another example is a certificate with a subdomain named acme.company.com could be issued and used for malicious actions.
In both of these cases, attackers could take advantage of the fact that the browser padlock appears on the reserved domain or subdomain to mislead users and make them believe they are on a secure site that belongs to you. This is exactly what EyeDeep Certificate Transparency can detect and warn you about. This automated system is reinforced by human analysis, for False Positives triage.
Human expertise in the process
Indeed, when a hit matches, a human triage is performed to qualify the finding. Depending on the classification, threat or false positive, a notification is sent to you. The analyst’s work is essential because, given the volume of data processed, a large number of results are false positives. Staying with the example of the ACME company, all certificates issued of a company such as MacMedics, or a malicious actor trying to impersonate the AC Milan club and issuing an acmelan.com certificate will raise false-positive alerts. These are only two examples, but these figures are easily multiplied with a large number of keywords, especially given the volume of the 10 million processed certificates per day.
What to do with your EyeDeep Certificate Transparency reports?
When the alert is validated, you have the option to escalate the alert to CERT-XLM. Then, CERT-XLM can request the revocation of the issued certificate with all the means at their disposal to some Certificate Authorities.
CERT-XLM can also proceed to a domain takedown. The CERT-XLM noted that not all Certificate Authorities were thrilled with the idea of revoking certificates that would be used by cybercriminals.
Malicious threat actors are abusing free certificates and, in particular those of Let’s Encrypt 9https://www.infoworld.com/article/3019926/cyber-criminals-abusing-free-lets-encrypt-certificates.html.
When issuing a certificate, Let’s Encrypt will check the status of the domain on the Google Safe Browsing API. Once issued, they will not reverse their decision and will not revoke any certificate even if they are tagged as malicious afterwards on Google Safe Browsing.
This problem is accentuated by the fact that it is possible to generate certificates for websites that are not online, this complicates the triage task of analysts who may be faced with unanswered questions.
Obviously, the takedown domain will not always be easy since it is possible that the website is not online. Indeed, It will be hard to convince the stakeholders (host services providers and registrars) to close a site or a domain that is not yet online.
Certificate Transparency in a nutshell
In conclusion, Certificate Transparency is an open framework that enables transparency and thus allows for the auditing of all issued certificates by the publicly trusted Certification Authorities. This ecosystem allows efficient identification of mistakenly or maliciously issued certificates and that is why these detection mechanisms are already present in EyeDeep Certificate Transaprency , a product that looks after your interests.