Certificate Transparency — The bright side and The dark side

This post is the first in a series of 3 posts about this technical but extremely important topic. We will update the link to the second post once we publish it.

At Appsecco, we look at the world pragmatically and are always keen to understand every aspect of anything relevant to security. So we decided to look at Certificate Transparency, a Google-initiated project.

What is Certificate Transparency?

The Certificate Transparency project, CT for short, is meant to log, audit and monitor the certificates that Certificate Authorities (CAs) issue. The primary aim of the project is to prevent CAs from issuing public key certificates for a domain without the domain owner’s knowledge.

Before we proceed, it will be helpful to revisit key terms:

Certificate Authority
A Certificate Authority (CA) is an entity that issues digital certificates. It acts as a third party trusted by both the owner of the certificate and the party relying on it. CAs therefore play a critical role in how the Internet operates and in how transparent, trusted transactions can take place.

Digital Certificates
Digital certificates are small, verifiable data files that contain identity credentials, helping websites, people and devices prove their online identity. In the context of this post we care about SSL/TLS certificates, a type of digital certificate that binds the ownership details of a web server to its cryptographic keys.

Why did Google come up with Certificate Transparency?

Google’s Certificate Transparency project tries to fix several structural flaws in the SSL/TLS certificate system, especially the abuse of Certificate Authorities. The project came to light and became compelling because of incidents like the following:

  • In December 2013, Google announced that it had noticed unauthorised digital certificates issued for several Google domains by an intermediate CA linking back to ANSSI, a French Certificate Authority (which operates with French intelligence agencies). ANSSI attributed the incident to “human error”. Google pointed out the importance of CT in that announcement:

This incident represents a serious breach and demonstrates why Certificate Transparency, which we developed in 2011 and have been advocating for since, is so critical.

  • In August 2011, Google announced that it had noticed a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should never have issued certificates for Google. Attackers had compromised DigiNotar’s infrastructure and used it to issue hundreds of unauthorised digital certificates.

Certificate Transparency — Where is it now?

CT is now an Internet Engineering Task Force (IETF) open standard for monitoring and auditing digital certificates. Through a system of certificate issuance logs, monitors and auditors, CT allows website users and domain owners to identify mistakenly or, worse, maliciously issued certificates. This in turn helps identify CAs that issue certificates they were never authorised to issue.

The idea behind CT is to provide more transparency around the issuance of X.509 certificates and so better protect users.

Thank you for reading this article.


At Appsecco we provide advice, testing, training and insight around software and website security, especially anything that’s online, and its associated hosting infrastructure — websites, e-commerce sites, online platforms, mobile technology, web-based services etc.

If something is accessible from the internet or a person’s computer we can help make sure it is safe and secure.

Written by Bharath

Security researcher, Stargazer and a story teller.