Facebook helps companies detect rogue SSL certificates for domains
Security

Facebook helps companies detect rogue SSL certificates for domains

Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.

The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.

Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best, researchers could scan the entire web and collect those certificates being used on public servers. This made it very hard to discover cases where CAs issued certificates for domain names without the approval of those domains' owners.

There have been many cases of certificates being incorrectly issued in the past because of technical or human error or because a CA's infrastructure was compromised by hackers who then abused it to issue certificates for high-profile domains. Such certificates are valid and can be used in man-in-the-middle attacks to intercept traffic to HTTPS-protected websites.

Not all of the world's CAs have adopted CT yet, but they will be forced to do so eventually. For example, Google plans to make CT compliance mandatory in the Chrome browser for all certificates issued after Oct. 1, 2017. This means that any certificate issued but not published to a CT log will not be trusted in Chrome.

Facebook initially built its CT monitoring service for internal use, and the service has helped the company's security team discover at least two certificates issued for fb.com subdomains without its knowledge. The investigation revealed that the certificates were issued by a CA at the request of another team within Facebook that failed to notify the security team.

Like many other large organizations, Facebook uses various websites for marketing and special events that are outsourced to third-parties, the company said in an April blog post describing the incident. "Certificate Transparency monitoring allows us to track these sites even if we delegate direct management to another party."

With the service able to detect a mis-issued certificate within one hour, Facebook decided to build a public tool on top of it to help other companies track certificates for their domains in a similar manner.

The tool allows users to find certificates that already exist for a domain name, as well as subscribe to receive email alerts when new certificates appear in CT logs for the domain.

"If you ever receive a notification that a CA issued a certificate that you didn't request for a domain you own, you will likely want to contact the CA, make sure your identity is not compromised, and consider revoking the certificate," Bartosz Niemczura, a software engineer on Facebook's Product Security team, said in a blog post.

IDG Insider

PREVIOUS ARTICLE

«Apple removes the battery-remaining estimate from macOS 10.12.2

NEXT ARTICLE

Facebook launches standalone Events app for Android»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should companies have Bitcoins on hand in preparation for a Ransomware attack?