Earlier this year, Facebook discovered a set of duplicate SSL certificates for some of its own domains and revoked them immediately, with the help of its own Certificate Transparency monitoring tool.
Digital certificates are the backbone of the secure Internet: they protect sensitive information and communication and authenticate systems and Internet users.
Online privacy relies heavily on SSL/TLS certificates and encryption keys to protect millions of websites and applications.
As explained in our previous article on The Hacker News, the current Digital Certificate Management system and trusted Certificate Authorities (CAs) are not enough to prevent misuse of SSL certificates on the internet.
In short, there are hundreds of Certificate Authorities, trusted by your web browsers and operating systems, that have the ability to issue certificates for any domain, even if you already have one purchased from another CA.
An improperly issued certificate could be used in man-in-the-middle (MITM) attacks to compromise encrypted HTTPS connections, putting millions of users' privacy at risk.
To address these CA trust issues, Google launched the 'Certificate Transparency' project in 2013, enabling anyone to easily detect fraudulent and stolen certificates.
Explained — What is Certificate Transparency
Before proceeding you should read: What is Certificate Transparency and how it could help individuals and companies to quickly identify if any Certificate Authority has issued forged certificates for their domains, mistakenly or maliciously.
Are you back? OK.
First, let's talk about how Facebook and other large organizations manage their many subdomains, blogs, marketing sites and event websites.
Typically, these sites are built and hosted separately from the company's core platform. For example, the portal for Facebook Live (https://live.fb.com/) is hosted and managed by WordPress VIP services.
How Facebook Detected Duplicate SSL Certificates Early
Earlier this year, Let's Encrypt issued duplicate digital certificates for several fb.com subdomains, and Facebook's in-house Certificate Transparency monitoring service detected those certificates within an hour.
However, Facebook's core security team later found that those certificates had actually been requested by one of its hosting vendors, which manages fb.com subdomains for several of its microsites.
"The vendor had authorization from another Facebook team to use Let's Encrypt, but that was not communicated to our security team," David Huang and Brad Hill, Security Engineers at Facebook explain in a blog post.
"The investigation was completed in a matter of hours, and the certificates were revoked. We found no indications that these certificates were ever controlled by unauthorized parties, and we were able to respond before they had been deployed on the production hosts."
That's how Certificate Transparency and its monitoring service help Facebook manage all of its active digital certificates efficiently and respond quickly to such threats.
It is worth noting that the Certificate Transparency system does not come with any built-in monitoring or alerting service, i.e. CT does not automatically notify domain owners when a new certificate (legitimate or forged) has been issued for their domain.
So, the domain owners are themselves responsible for remaining vigilant and checking the logs regularly. Otherwise, if no one checks, suspicious behaviors will go undetected.
However, Facebook's security team was able to detect the fraudulent certificates immediately with the help of its experimental monitoring tool.
Also Read: How Certificate Transparency helps to Detect Forged SSL Certificates
How Does Facebook Certificate Transparency Monitoring Tool Work?
Simply put, it continuously scans all public Certificate Transparency logs and alerts when any CA issues a new certificate for the root domain or any subdomain of facebook.com and fb.com.
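Because CT logs themselves never notify domain owners, the monitoring described above has to be built by the domain owner. The following is an added example of that core loop, written for this article and not Facebook's tool or any Let's Encrypt code. It assumes a simplified, constructed record format in which the names and issuer have already been pulled out of each log entry (a real RFC 6962 get-entries response carries base64 Merkle leaves with DER certificates that first need an X.509 parser); the monitored domains are the two named above, and the authorized-issuer list, the sample entries and the issuer strings are placeholders. It flags every issuance for a monitored domain and separately marks those from a CA the organization does not know it uses, which is exactly the vendor case the article describes.

```python
"""Minimal CT-style issuance monitor (added example, not Facebook's tool).

The record format is a constructed stand-in for what a monitor extracts
from a CT log entry. Domains, issuers and timestamps are placeholders.
"""
import json
from typing import Dict, List, Optional

# Domains we control; the root and every subdomain are in scope.
MONITORED_DOMAINS = {"facebook.com", "fb.com"}

# CAs our teams are known to use (assumption for this example). Anything
# else is flagged for review even if the certificate turns out to be legitimate.
AUTHORIZED_ISSUERS = {"Example Authorized CA"}


def in_scope(name: str) -> bool:
    """True if a SAN/CN is a monitored root domain or a subdomain of one.

    Handles wildcard names ("*.fb.com") and rejects look-alike suffixes
    ("notfb.com" must not match "fb.com").
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return any(name == root or name.endswith("." + root) for root in MONITORED_DOMAINS)


def check_entry(entry: Dict) -> Optional[Dict]:
    """Return an alert for an entry naming a monitored domain, else None."""
    names = {entry.get("subject_cn", "")} | set(entry.get("sans", []))
    hits = sorted(n for n in names if n and in_scope(n))
    if not hits:
        return None
    issuer = entry.get("issuer", "")
    return {
        "log_index": entry["log_index"],
        "issuer": issuer,
        "names": hits,
        "authorized_issuer": issuer in AUTHORIZED_ISSUERS,
        "not_before": entry.get("not_before"),
    }


def scan(entries_json: str) -> List[Dict]:
    """Scan a JSON array of simplified log records and return all alerts."""
    alerts = []
    for entry in json.loads(entries_json):
        alert = check_entry(entry)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log slice: one cert from the authorized CA, one fb.com
# subdomain issued by a CA the security team did not expect, one unrelated
# domain, and one look-alike domain that must not match.
SAMPLE_ENTRIES = json.dumps([
    {"log_index": 1001, "subject_cn": "www.facebook.com", "sans": ["facebook.com"],
     "issuer": "Example Authorized CA", "not_before": "2016-03-01T00:00:00Z"},
    {"log_index": 1002, "subject_cn": "live.fb.com", "sans": ["live.fb.com"],
     "issuer": "Example Unexpected CA", "not_before": "2016-03-02T10:15:00Z"},
    {"log_index": 1003, "subject_cn": "example.org", "sans": ["*.example.org"],
     "issuer": "Example Other CA", "not_before": "2016-03-02T11:00:00Z"},
    {"log_index": 1004, "subject_cn": "www.notfb.com", "sans": ["notfb.com"],
     "issuer": "Example Other CA", "not_before": "2016-03-02T12:00:00Z"},
])


def unexpected_issuance(entries_json: str = SAMPLE_ENTRIES) -> List[Dict]:
    """Alerts whose issuer is not on the authorized list: the ones to escalate."""
    return [a for a in scan(entries_json) if not a["authorized_issuer"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_ENTRIES):
        flag = "OK    " if alert["authorized_issuer"] else "REVIEW"
        print(f"{flag} entry {alert['log_index']}: {alert['issuer']} -> {', '.join(alert['names'])}")
```

In a real deployment the loop would page through each log's get-entries endpoint from the last seen index, decode the leaf certificates, and feed the extracted names into `check_entry`; the issuer allowlist is what turns "a certificate was issued" into "a team we did not know about requested one", which is the signal worth an alert.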
"Facebook advocates for CT because it offers the ability to know the certificates a CT-enforcing browser will trust," the Facebook engineers say.
"We recommend other organizations start monitoring CT logs to understand issuance for domains they control."
Certificate Transparency as a whole is an open framework that involves browser vendors, monitors and Certificate Authorities, whereas Facebook's CT monitoring service works independently and does not require additional participation from browser vendors or CAs.
Though Facebook's Certificate Transparency Monitoring service does not provide an option to revoke detected forged certificates, it provides information required to revoke rogue certs.
"The process for revoking them still requires that you ask the issuing CA to revoke them or ask the browser vendors to blacklist them," a Facebook spokesperson told The Hacker News via email.
Asked whether it is possible to monitor rogue certificates issued by CAs that have not yet adopted CT, the Facebook spokesperson replied:
"Technically, yes. Plenty of certs in the CT logs are uploaded by web crawlers (3rd-party) rather than by the issuing CAs themselves, so it is already possible to monitor certs issued by non-participating CAs."
For now, Facebook's Certificate Transparency monitoring service is only being used for the company's own domains.
But Facebook confirmed that it would make its experimental Certificate Transparency monitoring service available to everyone for free in the coming months.
The Certificate Transparency project aims to mitigate flaws in the structure of the SSL certificate system by introducing an extra layer of verification.
With Certificate Transparency, the CA's digital signature alone is not enough: the web server also has to prove that the certificate has been registered with a CT log before it can be trusted.
Despite Google's hard push for every CA to adopt Certificate Transparency, adoption is still at a very early stage.
The Facebook spokesperson says:
Currently, Google's Root Certificate Policy requires that EV (Extended Validation) certificates must be logged to CT. This means that CAs must log EV certs to CT (whether they like it or not). Otherwise, their EV certs won't work in modern browsers. However, CAs can still issue DV (Domain Validation) certs without logging them to CT.
Chrome is working on a short-term solution with a new "expect-ct" feature that will allow sites to detect any certificates seen by browsers that are hidden from CT logs. Long term, browsers may require CT for all certs, which will address this problem.
The idea behind this design is to encourage all Certificate Authorities to log every certificate before issuing it.