Certificate Transparency is an open framework that helps log, audit and monitor publicly-trusted TLS certificates on the Internet. This new tool, developed by Facebook, lets you search for certificates issued for a given domain and subscribe to notifications from Facebook about new certificates and potential phishing attacks.
This new Facebook CT tool works by continuously fetching and storing data from a set of known public Certificate Authority CT logs. You can also use its API to search the data store for newly issued certificates, or to subscribe domains for certificate alerts and phishing alerts.
Their API consists of the following endpoints:
- /certificates – Search for newly issued certificates.
- /app/subscribed_domains – Subscribe/unsubscribe domains for newly issued certificate alerts, or get a list of domains subscribed for certificate alerts.
- /app/subscribed_domains_phishing – Subscribe/unsubscribe domains for phishing alerts, or get a list of domains subscribed for phishing alerts.
Certificate Transparency aims to remedy certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs and domain users. Specifically, Certificate Transparency has three main goals:
- Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
- Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
- Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates. For example, monitors can tell if an illegitimate or unauthorized certificate has been issued for a domain, and they can watch for certificates that have unusual certificate extensions or strange permissions, such as certificates that have CA capabilities.
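As an added example (not Facebook's code, and not the tool's real client library), the following Python script shows what a domain owner would do with the data the API passage above describes and the monitor role described here: build a query for the /certificates endpoint, then review each returned certificate for the three conditions the text names, an issuer the owner never uses, CA capability on a certificate covering the domain, and look-alike names that suggest phishing. The parameter names (`query`, `access_token`) and the record fields (`domains`, `issuer_name`, `is_ca`) are assumptions for illustration, and the sample response is constructed; no network request is made.

```python
from __future__ import annotations

import json
from urllib.parse import urlencode, urljoin

# Constructed assumption: the base URL and parameter names for the
# /certificates endpoint are illustrative; the page does not document them.
API_BASE = "https://graph.facebook.com/"


def build_certificates_query(domain: str, access_token: str) -> str:
    """Build the URL for a /certificates search. Nothing is sent over the network."""
    params = {"query": domain, "access_token": access_token}
    return urljoin(API_BASE, "certificates") + "?" + urlencode(params)


def registrable_match(name: str, domain: str) -> bool:
    """True if `name` is the watched domain or a (possibly wildcard) subdomain of it."""
    name = name.lower().lstrip("*.")
    return name == domain or name.endswith("." + domain)


def looks_like_phishing(name: str, domain: str) -> bool:
    """Flag names that embed the watched domain without being under it,
    e.g. 'example.com.account-verify.net' or 'example-com-login.org'."""
    name = name.lower()
    if registrable_match(name, domain):
        return False
    return domain in name or domain.replace(".", "-") in name


def review_certificate(record: dict, watched: list[str], trusted_issuers: set[str]) -> list[str]:
    """Return the findings for one certificate record (empty list means nothing to report)."""
    findings: list[str] = []
    names = [n.lower() for n in record.get("domains", [])]
    issuer = record.get("issuer_name")
    for domain in watched:
        if any(registrable_match(n, domain) for n in names):
            # A certificate for our domain from an issuer we never use is the
            # mis-issuance case CT monitoring exists to surface.
            if issuer not in trusted_issuers:
                findings.append(f"unexpected issuer {issuer!r} for {domain}")
            # A certificate covering the domain that carries CA capability is the
            # "strange permissions" case mentioned in the text.
            if record.get("is_ca"):
                findings.append(f"certificate covering {domain} asserts CA capability")
        for n in names:
            if looks_like_phishing(n, domain):
                findings.append(f"possible phishing name {n!r} resembles {domain}")
    return findings


def monitor(response: dict, watched: list[str], trusted_issuers: set[str]) -> dict[str, list[str]]:
    """Run review_certificate over an API-style response; results keyed by record id."""
    alerts: dict[str, list[str]] = {}
    for record in response.get("data", []):
        findings = review_certificate(record, watched, trusted_issuers)
        if findings:
            alerts[record["id"]] = findings
    return alerts


# Constructed sample response mimicking the shape the /certificates endpoint
# might return; the field names are assumptions, not the real API schema.
SAMPLE_RESPONSE = json.loads("""
{"data": [
  {"id": "c1", "domains": ["example.com", "www.example.com"],
   "issuer_name": "Example Trusted CA", "is_ca": false},
  {"id": "c2", "domains": ["mail.example.com"],
   "issuer_name": "Unknown Issuing CA", "is_ca": false},
  {"id": "c3", "domains": ["*.example.com"],
   "issuer_name": "Example Trusted CA", "is_ca": true},
  {"id": "c4", "domains": ["example.com.account-verify.net"],
   "issuer_name": "Some Public CA", "is_ca": false},
  {"id": "c5", "domains": ["unrelated.org"],
   "issuer_name": "Some Public CA", "is_ca": false}
]}
""")

WATCHED = ["example.com"]
TRUSTED_ISSUERS = {"Example Trusted CA"}

if __name__ == "__main__":
    print(build_certificates_query("example.com", "ACCESS_TOKEN_PLACEHOLDER"))
    for cert_id, findings in monitor(SAMPLE_RESPONSE, WATCHED, TRUSTED_ISSUERS).items():
        for finding in findings:
            print(f"{cert_id}: {finding}")
```

Run against the constructed response, the script stays silent on c1 and c5, reports an unexpected issuer for c2, CA capability for the wildcard certificate c3, and a look-alike name for c4. The issuer allowlist is the part a domain owner has to maintain; the other two checks need no site-specific knowledge.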
To help you take advantage of this framework, Facebook developed a free monitoring tool that lets you discover certificates newly issued for specific domains, and lets anyone log, audit and monitor publicly-trusted TLS certificates newly issued by any CA.