A-Team has rolled out another improvement to our monitoring service: Certificate Transparency (CT) monitoring. In short, we now use the CT system to continuously watch for certificate authorities issuing certificates for domains we monitor for our clients. When we see a certificate issued, we verify that it was issued with proper authorization from our client.

[Image: Example Certificate Transparency monitoring alert]

All domains we monitor with HTTPS URLs are now automatically subject to this oversight, just as we already monitor SSL settings continuously.

What prompted this? Here is some background:

Certificate Authorities And Trust

Certificate authorities form the base trust that lets SSL provide security to both end users and servers. Without that trust the whole system breaks down. In September 2015 Google discovered that Symantec had improperly issued certificates for google.com to people other than, well, Google. It was a bit of a scandal, but there appeared to be no malicious intent, so the story made the rounds but never exploded into the mainstream. However, for industry insiders and security experts the implications were terrifying: the trust was broken, and this could easily have been worse (or have happened elsewhere and not been discovered).

Previous Compromises

[Image: Gmail certificate warning. Caption: Iranian users were likely the target]

This was not the first time Google was the target of such an incident: In 2011 the Dutch certificate authority DigiNotar was compromised and issued massive amounts of fraudulent certificates to an attacker.

This attack was very malicious and huge in scope compared to the Symantec incident. It ultimately led to the demise of DigiNotar.

The Birth of Certificate Transparency

The DigiNotar incident started the ball rolling for Certificate Transparency, which is designed to allow secure verification and monitoring of certificate authorities issuing certificates. The goal is that companies like Google (and anyone else) can watch the CT logs and make sure that certificates being issued for their domains were issued on their behalf.

Fast forward to last week, when it became known that the scope of Symantec’s improperly issued certificates had increased drastically, from 23 to the thousands (though a lot of them were for domains that don’t exist). Symantec maintains there was no malicious intent or evidence of such, but the potential for abuse, fraud, and compromise is staggering. It was a wake-up call for both Symantec and CAs in general regarding their internal procedures and their transparency. The era of blindly trusting CAs to issue certificates properly has come to an end.

The Rise Of Certificate Transparency

[Image: The offer. Caption: It probably didn’t look like this]

All of this prompted Google to make Symantec an offer it can’t refuse: accelerate your certificate transparency work or we’ll blacklist your certificates in our browsers.

While all of this is troubling for Google in particular given its size, anyone using HTTPS to secure data between their users and services is just as much in need of this oversight.

With Google leaning heavily on Symantec regarding what they expect, other CAs will most assuredly follow these recommendations quickly to avoid a similar fate.

The good news is that these changes benefit everyone and mean more CAs reporting the certificates they issue using CT. In turn, we’ve developed automated monitoring of this so our clients don’t have to worry about unknowingly being the victim of improperly issued certificates.
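A simplified version of the check described above, as an added example (not A-Team's own code): it takes entries already decoded from a CT log and flags any certificate that covers a monitored domain but was issued by a CA the client has not authorized. The per-domain issuer allowlist, the entry fields, and all names and sample data are assumptions constructed for illustration.

```python
# Constructed policy: issuers each client has authorized, per monitored domain.
AUTHORIZED_ISSUERS = {
    "example.com": {"Example Trusted CA"},
    "shop.example.net": {"Example Trusted CA", "Second Example CA"},
}

# Constructed sample of decoded CT log entries (fingerprints are placeholders).
SAMPLE_ENTRIES = [
    {"issuer": "Example Trusted CA", "fp": "FP-0001",
     "sans": ["example.com", "www.example.com"]},
    {"issuer": "Unknown Example CA", "fp": "FP-0002",
     "sans": ["login.example.com"]},
    {"issuer": "Unknown Example CA", "fp": "FP-0003",
     "sans": ["*.example.net"]},
    {"issuer": "Unknown Example CA", "fp": "FP-0004",
     "sans": ["notexample.com", "example.com.other.test"]},
    {"issuer": "Second Example CA", "fp": "FP-0005",
     "sans": ["shop.example.net"]},
]


def san_matches(san, monitored):
    """True if a certificate name (SAN) covers the monitored domain or a subdomain."""
    san = san.lower().rstrip(".")
    monitored = monitored.lower().rstrip(".")
    if san.startswith("*."):
        base = san[2:]
        # A wildcard covers exactly one label to the left of its base name,
        # so *.example.net covers shop.example.net but not a.shop.example.net.
        if monitored.endswith("." + base) and monitored.count(".") == base.count(".") + 1:
            return True
        san = base  # a wildcard issued under the monitored domain is still in scope
    # Match on label boundaries so lookalikes such as notexample.com are ignored.
    return san == monitored or san.endswith("." + monitored)


def unauthorized_issuance(entries, policy):
    """Return (domain, issuer, fingerprint, matching SANs) for each suspect entry."""
    alerts = []
    for entry in entries:
        for domain, issuers in policy.items():
            hits = [s for s in entry["sans"] if san_matches(s, domain)]
            if hits and entry["issuer"] not in issuers:
                alerts.append((domain, entry["issuer"], entry["fp"], hits))
    return alerts


if __name__ == "__main__":
    for alert in unauthorized_issuance(SAMPLE_ENTRIES, AUTHORIZED_ISSUERS):
        print("ALERT:", alert)
```

Matching on label boundaries keeps lookalike names out of the alert stream, while the wildcard branch catches a certificate issued one level above a monitored host.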