Facebook tool helps find malicious SSL certificates

Facebook has released an internal tool that makes it easier for enterprise IT teams to search public Certificate Transparency logs for all certificates associated with their domains

Certificate Transparency maintains publicly accessible logs listing TLS/SSL certificates, giving IT teams a way to track all the certificates associated with their domains. Until recently, searching CT logs has been difficult and costly, but Facebook's new tool makes it easier for IT teams to find certificates they didn't know about.

The previously internal-only Certificate Transparency Monitoring Developer tool lets anyone search major public CT logs for all certificates issued against a particular domain. Site owners can sift through the search results to identify certificates that were unknown (but are still legitimate) and flag those that were fraudulently or mistakenly issued so that they can be revoked.

Facebook has been using the tool to monitor Certificate Transparency logs for its domains and subdomains over the past year "and found it very useful," said Facebook security engineer David Huang. "We are releasing it so that developers and site owners can now manage Certificate Transparency logs for their domains."

Developed by Google, the CT framework outlines how certificate authorities and site owners submit records of TLS certificates to public logs, audit the logs to ensure the certificates are properly added, and monitor the logs to look for new entries. CT addresses several certificate-related threats, including mis-issued certificates, stolen certificates, and rogue certificate authorities, because organizations will be able to detect problematic TLS records in the logs. Certificate Reputation is another approach by which enterprises can identify misused certificates listed in Certificate Transparency data.

Digital certificates establish trust on the internet by telling users that the websites and applications they are trying to access are owned by the organization named on the certificate and not by an impostor, and that the information is being transmitted securely so that unauthorized parties don't have access to the data. For CT logs to be valuable, people need to query and monitor the logs regularly.

At the moment, there are more than a dozen public CT logs, and Facebook's Huang says the tool has information for more than 50 million certificates. That's a lot of data for IT to manage and sift through.

Facebook's tool periodically fetches the data from all of the public CT logs and syncs them before performing the user-supplied query. Users who subscribe to a domain feed receive email notifications whenever the tool finds new entries in the synced list. Right now, the notifications are generated per certificate, so if multiple certificates have been issued, IT would be alerted for each one.

"If you ever receive a notification that a CA issued a certificate that you didn't request for a domain you own, you will likely want to contact the CA, make sure your identity is not compromised, and consider revoking the certificate," Facebook software engineer Bartosz Niemczura wrote in the announcement describing the tool.

There are no restrictions on how the tool is used, or who can use it. Since the CT logs are public, anyone can search the logs for any domain. However, since certificate authorities are not required to adopt Certificate Transparency, some domains may not have complete certificate information in the logs. That will change, as Google will require certificate authorities and site owners to publish certificates to CT logs by October 2017 or risk having the Chrome web browser block access to those sites. The tool will return more comprehensive results as CT usage becomes more widespread, Huang said.

An unexpected certificate in the CT logs doesn't automatically imply an attack or a mistake. Facebook found a handful of certificates the security teams hadn't known about which turned out to be legitimate. IT teams at organizations that regularly work with external partners such as hosting providers and software-as-a-service companies may wind up discovering certificates managed by these external partners.

"An unexpected result is not necessarily malicious," Huang said. IT can also use the tool for internal audits, tracking down all the certificates issued to the organization and maintaining a current list of them.
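The sync-then-notify workflow described above and the audit use case in this paragraph, as an added illustration that is not Facebook's tool or its code: a minimal monitor that resumes from a per-log checkpoint, keeps only entries naming domains you own (wildcards and subdomains included, with dot-anchored matching so look-alike names are ignored), and raises one alert per certificate whose fingerprint is not on the list of issuances your organization knows it requested. The log entries, fingerprints and CA names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CtEntry:
    """One certificate as recorded in a CT log (fields reduced for the example)."""
    log: str            # which public log the entry came from
    index: int          # position of the entry in that log
    issuer: str         # issuing CA as named in the certificate
    names: tuple        # subjectAltName DNS entries
    fingerprint: str    # constructed stand-in for the certificate's SHA-256 hash

def covers(san: str, domain: str) -> bool:
    """True if a SAN names `domain` or one of its subdomains (wildcards included).
    The suffix match is anchored on a dot, so 'badexample.com' never matches 'example.com'."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)

def audit_entries(entries, owned_domains, known_fingerprints, checkpoint):
    """Sync new log entries and return (alerts, new_checkpoint).
    checkpoint maps log -> highest index already processed, so reruns skip old entries;
    alerts holds one entry per certificate for an owned domain that is not a known issuance."""
    alerts, cp = [], dict(checkpoint)
    for e in sorted(entries, key=lambda e: (e.log, e.index)):
        if e.index <= cp.get(e.log, -1):
            continue                      # already seen on a previous sync
        cp[e.log] = e.index
        if not any(covers(n, d) for n in e.names for d in owned_domains):
            continue                      # someone else's domain; not our concern
        if e.fingerprint not in known_fingerprints:
            alerts.append(e)              # unknown issuance: notify, then verify with the CA
    return alerts, cp

# Constructed sample data standing in for a synced CT feed.
OWNED = ["example.com"]
KNOWN = {"fp-known-1"}                    # certificates the organization itself requested
CHECKPOINT = {"log-a": 9}                 # log-a was synced up to index 9 on the last run
SAMPLE = [
    CtEntry("log-a", 3, "CA One", ("example.com",), "fp-old"),                 # below checkpoint
    CtEntry("log-a", 10, "CA One", ("www.example.com", "example.com"), "fp-known-1"),
    CtEntry("log-a", 11, "CA Two", ("*.example.com",), "fp-unknown-2"),        # unexpected
    CtEntry("log-b", 5, "CA One", ("badexample.com",), "fp-other"),            # not ours
    CtEntry("log-b", 6, "CA Three", ("mail.example.com",), "fp-unknown-3"),    # unexpected
]

def run_demo():
    alerts, _ = audit_entries(SAMPLE, OWNED, KNOWN, CHECKPOINT)
    return [(a.log, a.index, a.issuer, a.fingerprint) for a in alerts]
```

Legitimate-but-unknown certificates (a hosting partner's, for instance) are added to the known list once verified, which is how the audit list converges on the current inventory the article describes.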

Facebook plans to look at user feedback to add new features, Huang said, adding that the tool was "just the first step in helping people use Certificate Transparency data."

Copyright © 2016 IDG Communications, Inc.