
Facebook Launches Certificate Transparency Monitoring Tool

Facebook has launched a free online tool, named Certificate Transparency Monitoring, that allows users to obtain information on the digital certificates issued for a specified domain.

Google’s Certificate Transparency (CT) project provides an open framework for monitoring and auditing TLS certificates in near real time in an effort to help organizations detect malicious or mistakenly-issued certificates.

Facebook has been running a CT monitoring service of its own since last year and it has now decided to make it available to the public.

The social media giant continuously checks the major public CT logs for certificates issued on behalf of its domains, and in the process it collects certificate information from various certificate authorities (CAs).

Through its Certificate Transparency Monitoring tool, the company wants to provide users access to the data it has collected and allow them to monitor domains that are of interest. In addition to searching for certificates associated with a specified domain, users can subscribe to a domain and Facebook will notify them via email if new certificates are identified.
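The search-and-subscribe behaviour described above comes down to matching the DNS names in logged certificates against a watched domain and reporting only entries not seen before. The following Python is an added example, not Facebook's code; the `CertEntry` and `DomainWatch` names, the expected-issuer list and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CertEntry:
    fingerprint: str   # certificate hash (constructed placeholder values below)
    issuer: str
    dns_names: tuple   # subjectAltName dNSName values of the logged certificate

def covers(name, domain):
    """True if a certificate DNS name applies to the watched domain."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    if name.startswith("*."):
        parent = name[2:]
        # "*.example.com" is valid for any single label under example.com
        if domain.partition(".")[2] == parent:
            return True
        name = parent
    # Match on a label boundary: "shop.example.com" yes, "notexample.com" no
    return name == domain or name.endswith("." + domain)

class DomainWatch:
    """Tracks which certificates were already reported for one domain."""
    def __init__(self, domain, expected_issuers=()):
        self.domain = domain
        self.expected_issuers = set(expected_issuers)
        self.seen = set()

    def process(self, entries):
        """Return one alert per new certificate that names the domain."""
        alerts = []
        for e in entries:
            names = [n for n in e.dns_names if covers(n, self.domain)]
            if not names or e.fingerprint in self.seen:
                continue
            self.seen.add(e.fingerprint)
            alerts.append({
                "fingerprint": e.fingerprint,
                "issuer": e.issuer,
                "names": names,
                "unexpected_issuer": e.issuer not in self.expected_issuers,
            })
        return alerts

# Constructed sample entries, not real CT log data.
SAMPLE = [
    CertEntry("aa11", "Example CA 1", ("example.com", "www.example.com")),
    CertEntry("bb22", "Example CA 2", ("*.example.com",)),
    CertEntry("cc33", "Example CA 1", ("notexample.com",)),
    CertEntry("aa11", "Example CA 1", ("example.com", "www.example.com")),
]
```

Running `DomainWatch("example.com", {"Example CA 1"}).process(SAMPLE)` reports the first two certificates once each and marks the wildcard from the second issuer as unexpected; the look-alike `notexample.com` entry and the duplicate are ignored.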

“Certificate Authorities issue hundreds of certificates every minute, but by using Facebook infrastructure, we can quickly process large amounts of data and provide a reliable and efficient search function for certificates listed for a domain,” explained Bartosz Niemczura, a software engineer on Facebook’s product security team.

Niemczura pointed out that since CT logs are public information, the tool can be used by anyone, not just webmasters. However, he cautioned that not all certificates are submitted to CT logs.

“Facebook’s support for Certificate Transparency is a great step forward,” Kevin Bocek, VP of Security Strategy and Threat Intelligence for Venafi, told SecurityWeek. “Cryptographic keys and digital certificates provide the foundations of trust and privacy for the global economy yet we blindly trust them. Facebook’s new certificate transparency monitoring is one more sign the world is finally waking up to the problem of certificate abuse.”

“The ultimate goal of certificate transparency is to stop abuse of issuance - a key concern with the rise of free certificate offerings like Let’s Encrypt. As enterprises finally acknowledge the impact of digital certificate abuse and theft, they’re increasingly turning to Certificate Reputation, which builds upon certificate transparency and empowers businesses to actively decide which certificates should be trusted,” Bocek added. “As we look towards 2017, I expect - and hope - to see more new innovations like this to solve the problem of malicious certificate use.”

This is not the only tool released by Facebook in recent months. In September, the company announced the availability of a Windows version for Osquery, an instrumentation framework designed for exploring operating systems via SQL-based queries.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.