Recently we\u2019ve been covering a lot of news about Certificate Transparency, namely that Google is about to mandate it in October 2017<\/a> and that Mozilla has announced it will support it<\/a>.<\/p>\n So what exactly is Certificate Transparency? Let\u2019s start from the top.<\/p>\n SSL certificates help keep your visitors secure. They provide encryption and server authentication which are crucial to securing communication with your website\u2019s servers. SSL certificates indicate to an end user that they are communicating with the legitimate server hosting that site, and not an imposter.<\/p>\n However, the SSL ecosystem is incredibly complex, and as an industry, we have to ensure strict practices are followed in order to keep things working properly. In the past, there have been deviations from these practices that have threatened to compromise the SSL industry as a whole.<\/p>\n The issue is that SSL has an incredibly complex threat model\u2014which is a description of the possible attacks that a system is vulnerable to. This means that multiple mechanisms are needed to ensure the SSL ecosystem is optimally secure. Certificate Transparency is one of those mechanisms\u2014it attempts to address a specific threat: misissuance<\/strong>.<\/p>\n Misissuance occurs when a Certificate Authority (CA) issues an SSL certificate improperly. This may mean that the CA included incorrect information in the certificate, issued the certificate to someone who did not represent the organization or domain, or was even compromised.<\/p>\n Certificate Transparency (CT) is a mechanism which helps domain owners and industry watch dogs detect misissuance. It is a publically-available log of certificates that have been issued. This log lists all the certificate\u2019s information so that it can be inspected by anyone with an interest. In practice there are multiple logs, which is needed due to the scale of the SSL ecosystem \u2013 millions of certificates are issued each year. Each log has to follow defined standards on what and how it stores the certificates.<\/p>\n Organizations and people can then search the logs (or set up automatic notifications) to see what SSL certificates exist for the sites they own.\u00a0 This means that CT is not \u201cautomatic\u201d in the traditional sense. Even if all SSL certificates were immediately logged after issuance, the domain owner would still need to be looking for certificates in the logs to spot any that may be misissued.<\/p>\n<\/span><\/span>\n Now, when I say someone needs to search the logs, I don\u2019t mean they have to go line by line looking through everything. There are multiple services that make it easy for an organization to do this. Websites like crt.sh<\/a> support advanced searching criteria so you can look at only what is relevant to you. Other services allow you to set up notifications, so you can be alerted as soon as a new potential match occurs. Most of these tools search all the CT logs that exist.<\/p>\n It\u2019s important to understand that Certificate Transparency only allows detection of misissued certificates after the fact. CT cannot prevent misissuance. It also cannot work autonomously. The legitimate domain holder needs to be looking at the log information in order to know if there are any misissued certificates out there.<\/p>\n It may also be difficult to know if misissuance is occurring if there is a disorganized certificate provisioning system in place. For instance, a large university which delegates sub-domains to different departments or projects may have a hard time knowing if an issued certificate is legitimate or not if they do not have well-defined practices.<\/p>\nSearching CT Logs<\/h2>\n