I am talking about the traditional Digital Certificate Management System… the weakest link, which is completely based on trust, and it has already been broken several times.
To ensure the confidentiality and integrity of their personal data, billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe.
In this article I am going to explain:
- The structural flaw in current Digital Certificate Management system.
- Why Certificate Authorities (CA) have lost the Trust.
- How Certificate Transparency (CT) fixes issues in the SSL certificate system.
- How to early detect every SSL Certificates issued for your Domain, legitimate or rogue?
First, you need to know Certificate Authority and its role:
Certificate Authority and its Role
There are hundreds of such trusted organizations that have the power to issue valid SSL certificate for any domain you own, despite the fact you already have one purchased from another CA.
...and that's the biggest loophole in the CA system.
SSL Chain-of-Trust is Broken!
Last year, Google discovered that Symantec (one of the CAs) had improperly issued a duplicate certificate for google.com to someone else, apparently mistakenly.
This was not the first time when the power of CA was abused or mistakenly used to issue forged digital certificates that put millions of Internet users' privacy at risk.
In March 2011, Comodo, a popular Certificate Authority, was hacked to issue fraudulent certificates for popular domains, including mail.google.com, addons.mozilla.org, and login.yahoo.com.
In the same year, the Dutch certificate authority DigiNotar was also compromised and issued massive amounts of fraudulent certificates.
Since the chain of trust has been broken, millions of users were subject to the man-in-the-middle attack.
Also Read: How CT Monitoring Tool Helped Facebook to Early Detect Fake SSL Certs
Also Read: How CT Monitoring Tool Helped Facebook to Early Detect Fake SSL Certs
Further, the documents leaked by Edward Snowden revealed that the NSA (National Security Agency) intercepted and cracked massive numbers of HTTPS encrypted web sessions, indicating that some so-called trusted CAs are widely suspected to be controlled or under the authority of Governments.
What if, Government asks any of these 'trusted-turn-evil' certificate authorities to issue duplicate SSL certificates for secure and popular websites like, Facebook, Google or Yahoo?
That's not just my speculation; it has already happened in the past when Government organizations and state-sponsored hackers have abused trusted CAs to get fake digital certs for popular domains to spy on users.
Examples of Incidents that involved Governments
2.) In late 2013, Google discovered fake digital certificates for its domains were being used by the French government agency to perform man-in-the-middle attacks.
You can see here, how easy it is to compromise the security of HTTPS websites protected by other well-behaved CAs.
Do you still Blindly Trust CA Organizations?
The DigiNotar and Comodo incidents worked as a wake-up call, ending an era of blindly trusting CAs to issue digital certificates.
Problem: How are you supposed to check whether a rogue certificate for your domain has been issued to someone else, probably a malicious attacker?
Solution: Certificate Transparency or CT, a public service that allows individuals and companies to monitor how many digital security certificates have been issued secretly for their domains.
In 2013, Google started an industry-wide initiative, called Certificate Transparency (CT), an open framework to log, audit, and monitor certificates that CAs have issued.
What is Certificate Transparency system?
- Certificate Logs
- Certificate Monitors
- Certificate Auditors
Certificate Transparency requires CAs to publicly declare (to Certificate Log) every digital certificate they have generated.
Certificate Log offers users a way to look up all of the digital certificates that have been issued for a given domain name.
It is worth noting that Certificate Transparency model does not replace traditional CA-based authentication and verification procedure though it is an additional way to verify that your certificate is unique.
Certificate logs have three important qualities:
1. Append-only: Certificates records can only be added to a log. They can not be deleted, modified, or retroactively inserted into a log.
2. Cryptographically assured: Certificates Logs use a special cryptographic mechanism known as 'Merkle Tree Hashes' to prevent tampering.
3. Publicly auditable: Anyone can query a log and verify its behavior, or verify that an SSL certificate has been legitimately appended to the log.
In CT, Digital Certificate contains a Signed Certificate Timestamp (SCT), which proves that it has been submitted to the log before being issued.
Google, DigiCert, Symantec, and a few other CAs are currently hosting public logs.
Although CT does not prevent CA from issuing forged certificates, it makes the process of detecting rogue certificates much easier.
Such transparency offers them the ability to quickly identify digital certificates that have been issued mistakenly or maliciously and help them mitigate security concerns, such as man-in-the-middle attack.
Earlier this year, Certificate Transparency system and monitoring service helped Facebook security team to early detect duplicate SSL certificates issued for multiple fb.com subdomains.
In a separate article, I have provided details about Facebook's Certificate Transparency Monitoring Service that is designed to discover SSL issues instantly and automatically.
Facebook confirmed to The Hacker News (THN) that it will soon make its experimental Certificate Transparency Monitoring Service available for free to the broader community in the coming months.
Certificate Transparency Search tool
Sounds interesting?
Comodo has launched a Certificate Transparency Search tool that lists all issued certificates for any given domain name.
Or, try Google's Certificate Transparency Lookup Tool to check all certificates present in public Certificate Transparency logs that have been issued for a given hostname
Or, try Google's Certificate Transparency Lookup Tool to check all certificates present in public Certificate Transparency logs that have been issued for a given hostname
If you find a fraud certificate issued for your domain, report respective CA and address it immediately.
