Connect with us

Hi, what are you looking for?


Security Infrastructure

Facebook Releases New Certificate Transparency Tools

Following the release of the

Following the release of the Certificate Transparency Monitoring utility in December 2016, Facebook has decided to release new tools for developers using the Certificate Transparency framework.

Last year’s tool was designed to provide access to data collected through Facebook’s own service monitoring the issuance of TLS certificates. It leverages Google’s Certificate Transparency (CT) framework, which can detect mis-issued TLS certificates and stop attempts to leverage them to intercept HTTPS traffic.

The tool allows developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency Logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks.

With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates, the company says.

“We match every new certificate with a set of domain subscriptions in our system, and we notify respective subscribers about the updates. If a domain owner receives a notification that a CA issued a certificate for their domain without an explicit request, they will likely want to contact the CA, make sure their identity is not compromised, and consider revoking the certificate,” Facebook explains.

To provide push-based integrations with its system, Facebook is now releasing Webhooks API, which allows developers to register a webhook and define domains for monitoring instead of periodically pulling certificates from external sources or waiting for notifications. Each time a new certificate is issued for these domains, information about the cert is sent to the developer-specified endpoint.

Additionally, the social media giant announced the release of an API that helps querying certificates programmatically. Since receiving detailed information about the certificates and analyzing millions without proper infrastructure is difficult, the interface was designed to provide certificates metadata for the domain names that match a given query.

Advertisement. Scroll to continue reading.

Developers taking advantage of the Certificate Transparency features were being initially notified via email on new certificates issued for their domains. Starting this year, everyone can see certificate updates on Facebook via push notifications and all developers creating a subscription at can take advantage of this feature.

Facebook is currently monitoring over 20 publicly available CT logs and says it sends around 2,500 notifications every day. Around 40,000 new certificates are observed in CT logs every hour and that number is expected to grow next year, when Google Chrome will start requiring all websites certificates to be logged in the CT logs. To ensure scalability, the same backend system that powers the Facebook Graph is used to search through the logged certificates.

The social network company also notes that they are currently working on implementing Expect-CT header, meaning that compatible browsers will require that certificates used to access Facebook are logged to public CT logs first.

Related: Facebook Launches Certificate Transparency Monitoring Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

While silos pose significant dangers to an enterprise's cybersecurity posture, consolidation serves as a powerful solution to overcome these risks, offering improved visibility, efficiency,...


Identity and access governance vendor Saviynt has closed a $205 million financing round.