How Facebook Early Detected Duplicate SSL Certificates
"The vendor had authorization from another Facebook team to use Let's Encrypt, but that was not communicated to our security team," David Huang and Brad Hill, Security Engineers at Facebook, explain in a blog post.
"The investigation was completed in a matter of hours, and the certificates were revoked. We found no indications that these certificates were ever controlled by unauthorized parties, and we were able to respond before they had been deployed on the production hosts."
How Does Facebook Certificate Transparency Monitoring Tool Work?
Put simply, the tool continuously scans all public Certificate Transparency logs and raises an alert whenever any CA issues a new certificate for the root domain or any subdomain of facebook.com and fb.com.
"Facebook advocates for CT because it offers the ability to know the certificates a CT-enforcing browser will trust," the Facebook engineers say.
"We recommend other organizations start monitoring CT logs to understand issuance for domains they control."
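The matching logic behind such a monitor can be shown in a few dozen lines. The following is an added example, not Facebook's tool or any code from its engineers. It assumes that a real deployment pages through each log's `/ct/v1/get-entries` endpoint (RFC 6962), decodes the X.509 leaf certificate in every entry, and feeds the issuer and subjectAltName DNS names into `check_certificate()`; here the records, the log names, and the issuer names in `EXPECTED_ISSUERS` are constructed inline so the example runs offline. Every certificate that covers a monitored domain produces an alert, as the article describes; an issuer the security team has not pre-approved raises the severity, which is exactly the vendor-used-Let's-Encrypt situation in the post.

```python
"""Toy Certificate Transparency monitor (added example, not Facebook's code).

Records are constructed samples; in practice they come from decoding the
leaf certificates returned by a CT log's /ct/v1/get-entries endpoint.
"""
from dataclasses import dataclass

# Root domains the organisation controls; subdomains are matched too.
MONITORED_DOMAINS = ("facebook.com", "fb.com")

# Issuers approved in advance by the security team (constructed placeholder name).
EXPECTED_ISSUERS = frozenset({"Example Corporate CA"})


@dataclass(frozen=True)
class CertRecord:
    """The fields a monitor keeps from one decoded log entry."""
    log_name: str      # which public log the entry was read from (constructed)
    index: int         # entry index inside that log
    issuer: str        # issuer commonName of the leaf certificate
    dns_names: tuple   # subjectAltName dNSName values


@dataclass(frozen=True)
class Alert:
    severity: str      # "info" = approved issuer, "high" = unexpected issuer
    log_name: str
    index: int
    issuer: str
    matched_names: tuple


def matches_monitored(name, monitored=MONITORED_DOMAINS):
    """True if a SAN is a monitored root domain, one of its subdomains, or a
    wildcard covering it. Label-aware matching rejects look-alikes such as
    notfacebook.com and facebook.com.evil.example."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return any(host == root or host.endswith("." + root) for root in monitored)


def check_certificate(rec):
    """Return an Alert when the certificate covers a monitored domain, else None."""
    matched = tuple(n for n in rec.dns_names if matches_monitored(n))
    if not matched:
        return None
    severity = "info" if rec.issuer in EXPECTED_ISSUERS else "high"
    return Alert(severity, rec.log_name, rec.index, rec.issuer, matched)


def scan(records):
    """Run check_certificate over a batch of decoded log entries."""
    return [a for a in (check_certificate(r) for r in records) if a is not None]


# Constructed sample entries, not real log data.
SAMPLE_RECORDS = (
    # A vendor obtained a cert for a monitored subdomain from an unapproved CA.
    CertRecord("sample-log-a", 1001, "Let's Encrypt Authority X3",
               ("vendor-portal.facebook.com",)),
    # Routine issuance from the approved corporate CA, including a wildcard.
    CertRecord("sample-log-a", 1002, "Example Corporate CA",
               ("www.facebook.com", "*.fb.com")),
    # Look-alike names that must not trigger an alert.
    CertRecord("sample-log-b", 77, "Some Other CA",
               ("notfacebook.com", "facebook.com.evil.example")),
    # Unrelated certificate.
    CertRecord("sample-log-b", 78, "Some Other CA", ("example.org",)),
)


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"[{alert.severity}] {alert.log_name}#{alert.index} "
              f"issuer={alert.issuer!r} names={alert.matched_names}")
```

The suffix check is applied per label (`host.endswith("." + root)`), which is what keeps `notfacebook.com` out while still catching deep subdomains; a plain substring test would alert on both look-alikes and miss nothing, but would bury the team in noise. Grading by issuer rather than suppressing approved issuers keeps the full issuance record visible, which is the point of monitoring CT in the first place.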
"Technically, yes. Plenty of certs in the CT logs are uploaded by web crawlers (3rd-party) rather than by the issuing CAs themselves, so it is already possible to monitor certs issued by non-participating CAs."
Currently, Google's Root Certificate Policy requires that EV (Extended Validation) certificates be logged to CT, so CAs must log their EV certificates (whether they like it or not) or those certificates will not work in modern browsers. CAs can, however, still issue DV (Domain Validation) certificates without logging them to CT.
Chrome is working on a short-term solution, a new Expect-CT feature that lets sites detect certificates seen by browsers that are hidden from CT logs. In the long term, browsers may require CT for all certificates, which would address this problem.