Keeping tabs on shady internet authorities -- What is Certificate Transparency?
Did you know somebody else could steal your domain name? Even if you've properly secured your site and gotten the right security certificates, it's still possible some people get to the wrong site. It's not easy, it involves nefarious tricks and exploiting errors, but a determined attacker can misuse your domain name. Certificate transparency is a way to prevent this.
A secure domain
A bit of background is necessary to understand why we need Certificate transparency. Let's take a quick look at how we create a secure domain; secure meaning the user feels confident they are on the right site, not an imposter. We need to do this because the internet is a somewhat open place. Between a user and a web server are a lot of other computers. Each of these stops in between is entrusted to do a couple of things:
- Not modify the data it's getting
- Send the data to the right place
Encryption solves the first problem. It's part of the HTTPS standard and verifies the integrity of server's message to the user.
The second criteria is a bit more problematic. Your data is travelling across a lot of unknown computers; these are owned and operated by strangers. The owner might be a telecom, a hosting company, or even a government agency. Any one of these could send your data wherever they want, instead of the intended server.
Though we know our encrypted data from the server can't be modified, we can't be sure we're on the right server. HTTPS also has a solution for this in the form of certificates. A certificate authority issues a certificate to a domain owner. They use the information in this certificate to sign and encrypt their data.
A certificate is a few numbers and textual information stored in a file. Your computer uses these values to establish the identity of a remote server.
The authority only issues the certificate to the proper domain owner, established through real-world means, and doesn't issue it to another party. So long as all the authorities are trustworthy, this system prevents impersonation.
Broken trust
Some certificate authorities are proving not to be reliable partners. Some have been breached or store data incorrectly, potentially allowing attackers to impersonate sites. Perhaps even more troubling, some authorities have shown to be corrupt.
Domain owners have flexibility; they can obtain their domain certificate from any number of authorities. It's an open marketplace preventing any one organization from having too much control. An increased number of authorities, however, increases the chance of one of them doing something wrong. Just because you only use one authority, any of them can still issue a valid looking certificate for your domain.
There are some mechanisms in place to prevent this. The browser vendors maintain lists of valid authorities and have techniques to track the source of a certificate. It helps identify major sites, like Google or Twitter, but not as well for lesser used or regional sites. Plus it's still prone to undiscovered authority corruption.
Certificate Transparency
Certificate transparency helps detect invalid registrations and corrupted authorities. It's a public log of all domain certificates issued by authorities. Anytime a certificate is issued it's logged in a public database.
How does this help? Domain owners can monitor the logs, spotting all registrations of their domains. Any time a certificate for one of their domains is registered, they get an alert. If the registration wasn't intended, they could track down the origin and raise an appropriate alarm if unauthorized.
Until recently this has been an optional mechanism. Nothing requires a certificate authority to add log entries. As of April though, Chrome requires all new certificates to use this mechanism, and both Firefox and Chrome have supported some checking for a few years. New certificates from authorities that don't use logging are rejected by Chrome, thus blocking access to the website.
Now, just having the logging isn't enough, a domain owner must monitor the logs to catch misuse of their domain. The logs are of course public; anybody can check them at any time if there is a question. Additionally, many of the popular sites and support sites you don't directly access are subjected to regular scrutiny by the security community and the browser vendors.
Certificate transparency plugs one more potential hole in online security.
Love this. Its pretty cool. Now all USPS employees can make use of liteblue portal to get all the benefits.