Friday, December 29, 2023

Monitoring Certificate Transparency Logs


What is Certificate Transparency?

Wikipedia defines it as:

Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.

Essentially what this means is that whenever a Certificate Authority (CA) issues an SSL/TLS certificate for a website, it must submit the certificate details to at least two public logs.

Why should my organization monitor CT Logs?

By monitoring CT logs, your organization can quickly identify any rogue certificates issued for your domain(s).  With simple monitoring, your defenders will be able to detect malicious or fraudulent certificates and take the appropriate actions to have them revoked before they can be used in attacks. 

Some providers, such as Cloudflare, now offer this as a service.  However, there are several drawbacks with this.  Firstly, your domain must be hosted and managed by Cloudflare.  Second, unless you have upgraded to a paid plan, the notifications are limited to the email address of the primary account holder.  And lastly, notifications are delivered by email only.

However, there is a very simple way to achieve the same results, leveraging a couple freely available services, without having to make any changes to your DNS infrastructure. 

How can we do this on the "cheap"?


The first step is to use the crt.sh tool, provided by Sectigo. Simply navigate to the site, enter the domain you would like to monitor, run the search, and then click the RSS feed button.  Then copy the resulting URL.




Next you will want to sign up for a free account on If This Then That.  Once that is completed, the next step is to create a new applet.   You will select "RSS Feed" and create a "New feed item" trigger.   Use the URL you previously copied from the crt.sh tool and create the trigger.


Now the fun part begins.  The IFTTT tool provides a plethora of notification options.  You can send Alerts into a Slack channel, a Microsoft Teams chat room, or email your security team.   For demonstration purposes, I will simply send an email to myself:




Finally, provide a memorable name so the purpose of the applet is clear, and you are all set!
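The crt.sh search you copied the feed from can also return its results as JSON, which makes it easy to add a first pass of automatic triage so your team is only paged for certificates that look out of place. The script below is an added example, not code from the original post or from crt.sh or IFTTT: it parses a constructed sample of that JSON output and flags certificates whose issuer is not on your CA allowlist or that carry hostnames you do not recognise. The allowlists, the three sample records and the assumption that the field names match crt.sh's JSON endpoint are all mine.

```python
import json
# Constructed sample shaped like crt.sh's JSON output for a domain query
# (https://crt.sh/?q=example.com&output=json); field names are assumed to
# match that endpoint, the three records themselves are invented.
SAMPLE_CRTSH_JSON = """[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "example.com\\nwww.example.com"},
 {"id": 1002, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "name_value": "api.example.com"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "login-example.com\\n*.example.com"}
]"""

# Assumed allowlists: the CA organisations you actually buy from and the
# hostnames you knowingly operate. Anything outside them deserves a look.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}
KNOWN_NAMES = {"example.com", "www.example.com"}

def issuer_org(issuer_name):
    """Extract the O= attribute from a crt.sh issuer_name string."""
    for part in issuer_name.split(","):
        key, _, val = part.strip().partition("=")
        if key == "O":
            return val
    return ""

def triage(entries, seen_ids):
    """Return (crt.sh id, reason) pairs for entries that need a human look;
    seen_ids remembers reviewed ids so re-polling does not re-alert."""
    findings = []
    for e in entries:
        if e["id"] in seen_ids:
            continue
        seen_ids.add(e["id"])
        reasons = []
        org = issuer_org(e["issuer_name"])
        if org not in EXPECTED_ISSUER_ORGS:
            reasons.append("unexpected issuer: " + org)
        # name_value carries every SAN in the certificate, newline-separated
        unknown = sorted(set(e["name_value"].split("\n")) - KNOWN_NAMES)
        if unknown:
            reasons.append("unrecognised names: " + ", ".join(unknown))
        if reasons:
            findings.append((e["id"], "; ".join(reasons)))
    return findings

def run(raw_json=SAMPLE_CRTSH_JSON, seen_ids=None):
    """Triage one poll of the feed; pass the same seen_ids set between polls."""
    return triage(json.loads(raw_json), set() if seen_ids is None else seen_ids)
```

Feeding the real endpoint's response into `run()` on a schedule, and keeping `seen_ids` on disk between runs, gives you a filtered list you can hand to the IFTTT notification step instead of alerting on every renewal.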




What to do if a rogue certificate is detected?

Luckily, Cloudflare has very helpfully provided a list of support contacts for the major Certificate Authorities.


