Sat May 27

Ensuring Trust: The Role of Certificate Transparency

Our heavy reliance on the internet today makes it essential to prioritize security and trustworthiness when establishing online communication. One of the critical aspects to consider in this regard is the use of SSL/TLS certificates.

In our [previous article](https://www.binaryte.com/blog/why-are-digital-certificates-important), we explored the importance of digital certificates and their issuance process. If you have read the article, you might wonder whether utilizing a key pair for secure communication is sufficient. After all, aren’t Certificate Authorities trusted entities? In such a scenario, why do we still require Certificate Transparency?

The answer can be traced back to past misuse and fraudulent activity that raised significant concerns about the trustworthiness of Certificate Authorities (CAs). Several alternative solutions were proposed in response to these challenges and limitations; Google's Certificate Transparency (CT) is a distinct approach that tackles these issues head-on.

Why does CT exist?

On August 28, 2011, there was an incident involving the Dutch Certificate Authority (CA) called DigiNotar. DigiNotar was responsible for issuing SSL/TLS certificates, which are crucial for securing websites and establishing secure communication over the internet. The incident revealed serious vulnerabilities and breaches of trust in the certificate authority system.

In the DigiNotar case, it was discovered that DigiNotar had been compromised by hackers, who were able to issue fraudulent SSL/TLS certificates for various high-profile domains, including Google. These rogue certificates were used to conduct man-in-the-middle attacks, intercepting and decrypting encrypted communications between users and the affected websites.

The impact of the DigiNotar breach was significant. It undermined the trust in the SSL/TLS certificate system and highlighted the potential risks associated with relying on compromised Certificate Authorities. As a result, major web browser vendors, including Google, Mozilla, and Microsoft, quickly took action to revoke trust in DigiNotar certificates and remove them from their trusted root certificate stores.

The DigiNotar case served as a catalyst for reinforcing the importance of CT as a means to detect and prevent similar incidents in the future. It highlighted the need for increased visibility and scrutiny in the certificate authority ecosystem, ensuring that all certificates are properly logged and audited. Through CT, the industry can strengthen trust, detect certificate-related security breaches, and take swift action to protect users from potential threats.

SSL definition

Before going deeper into Certificate Transparency (CT), it is essential to have a clear understanding of SSL (Secure Sockets Layer). SSL is a cryptographic protocol that ensures secure communication between two machines over the internet. In simpler terms, SSL uses encryption algorithms to encrypt transmitted data, rendering it indecipherable to any unauthorized party attempting to intercept it.

What is Certificate Transparency?

Certificate Transparency, also known as CT, is a framework that helps domain owners monitor the SSL activity associated with their domains. It achieves this by mandating certificate authorities to publicly log all issued certificates. This transparency allows domain owners to actively monitor and validate the SSL certificates used for their domains.

With Certificate Transparency, domain owners can easily distinguish between legitimate SSL certificates and mistakenly or maliciously issued ones. By actively monitoring the certificate logs, they can identify any unauthorized certificates that may pose a security risk. This enables prompt actions such as revoking unauthorized certificates and investigating potential security breaches.

Components of CT

The main idea behind CT is to provide transparency and accountability in a tamper-proof and publicly auditable manner. Several key components and concepts work together to achieve this.

Certificate Transparency Log

Once an SSL certificate is issued, the relevant certificate data is appended to the Certificate Transparency logs. These logs serve as a tamper-proof repository of certificate information, preventing any modification or deletion of the logged data. The tamper-proof nature of CT rests on several mechanisms that ensure the integrity of the logged information, including:

Cryptographic Hashing

Each log entry, which represents a certificate, is hashed using a cryptographic algorithm. The resulting hash serves as a unique identifier for the entry and acts as a fingerprint of its content. By establishing an untrusted yet cryptographically verifiable log of all issued certificates (which will be further elaborated on later), it enables clients to verify the presence of certificates in the log, while servers can actively monitor the log for any instances of misissued certificates. If clients choose not to connect to websites that lack logged certificates, this approach forms a comprehensive solution, making it virtually impossible to issue a certificate without detection.

Merkle Tree Structure

The log entries are organized in a Merkle tree data structure. This hierarchical structure enables efficient verification of the integrity of the log by computing a cryptographic hash of the entire tree, called the root hash. Any tampering or modification of a log entry would cause a mismatch in the root hash, thus indicating a breach of integrity.

In the Merkle tree structure, each branch node holds a cryptographic hash of the nodes beneath it. The picture may seem upside down compared to a natural tree, since the root sits at the top and the leaves at the bottom. Because of the properties of cryptographic hashes, however, each node serves as a condensed summary of everything beneath it: any modification to a node changes the corresponding hash value. Consequently, the root of the tree is a comprehensive summary of all the leaves, and clients can efficiently check that they are seeing the same tree by comparing a single hash.

Digital Signatures

Each log entry is digitally signed by the log operator. This signature verifies the authenticity and origin of the entry, ensuring that it has been added by an authorized entity. The digital signature also prevents unauthorized tampering with the log entries.

Consistency Proofs

Certificate Transparency logs periodically provide consistency proofs, which are cryptographic proofs that demonstrate the consistency and continuity of the log. These proofs assure that all log entries are accounted for and that no unauthorized modifications have taken place.
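
The following is an added example, not code from the article, that exercises both the Merkle tree structure described above and the consistency proofs described here. It implements the RFC 6962 / RFC 9162 hash construction over a constructed list of entries, generates an inclusion (audit) proof and a consistency proof, and verifies each one. The entry contents are made up for illustration and the function names are my own.

```python
# Added example: RFC 6962 / RFC 9162 Merkle tree hashing, inclusion (audit) proofs
# and consistency proofs.  Not code from the article; log entries are constructed.
import hashlib

LEAF_PREFIX = b"\x00"  # domain separation for leaf hashes
NODE_PREFIX = b"\x01"  # domain separation for interior node hashes


def hash_leaf(entry: bytes) -> bytes:
    """Leaf hash: SHA-256(0x00 || entry)."""
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_children(left: bytes, right: bytes) -> bytes:
    """Interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def split_point(n: int) -> int:
    """k = largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: list) -> bytes:
    """MTH(D[n]): root hash of the tree over entries (RFC 6962, section 2.1)."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = split_point(n)
    return hash_children(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def audit_path(m: int, entries: list) -> list:
    """PATH(m, D[n]): sibling hashes needed to climb from leaf m to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if m < k:
        return audit_path(m, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return audit_path(m - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def consistency_proof(m: int, entries: list) -> list:
    """PROOF(m, D[n]): hashes showing that D[m] is a prefix of D[n] (RFC 6962, 2.1.2)."""
    return [] if m == len(entries) else _subproof(m, entries, True)


def _subproof(m: int, entries: list, complete: bool) -> list:
    n = len(entries)
    if m == n:
        return [] if complete else [merkle_tree_hash(entries)]
    k = split_point(n)
    if m <= k:
        return _subproof(m, entries[:k], complete) + [merkle_tree_hash(entries[k:])]
    return _subproof(m - k, entries[k:], False) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf_index: int, tree_size: int, leaf_hash: bytes, path: list, root: bytes) -> bool:
    """Recompute the root from a leaf hash and its audit path (RFC 9162, 2.1.3.2)."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:                # p is our left sibling
            r = hash_children(p, r)
            while fn != 0 and (fn & 1) == 0:  # climb past levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:                                 # p is our right sibling
            r = hash_children(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def verify_consistency(first: int, second: int, first_hash: bytes, second_hash: bytes, proof: list) -> bool:
    """Check that the tree of size `second` is an append-only extension of the tree of
    size `first` (RFC 9162, 2.1.4.2); a rewritten or truncated log fails this check."""
    if first == second:
        return not proof and first_hash == second_hash
    if first == 0 or first > second:
        return False
    if (first & (first - 1)) == 0:            # old root is itself a node of the new tree
        proof = [first_hash] + proof
    if not proof:
        return False
    fn, sn = first - 1, second - 1
    while fn & 1:                             # proof[0] already covers these levels
        fn, sn = fn >> 1, sn >> 1
    fr = sr = proof[0]
    for c in proof[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:                # c extends both the old and the new root
            fr = hash_children(c, fr)
            sr = hash_children(c, sr)
            while fn != 0 and (fn & 1) == 0:
                fn, sn = fn >> 1, sn >> 1
        else:                                 # c belongs only to the new tree
            sr = hash_children(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_hash and sr == second_hash
```

A monitor or auditor runs `verify_consistency` each time it fetches a new signed tree head from a log: if the old root it remembers cannot be reproduced from the proof, the log has rewritten or dropped entries instead of appending to them. A client presented with an audit path runs `verify_inclusion` to confirm that a certificate really is in the tree whose root the log signed.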

Certificate Transparency Monitors

Certificate monitors are individuals or entities with access to the certificate transparency logs. They can download and store the logs, allowing them to search through the data using various fields associated with the certificates.

They are responsible for actively observing and logging the SSL certificate information present in the Certificate Transparency logs. They continuously monitor the logs and collect data on newly issued certificates, certificate revocations, and other relevant details. Certificate monitors provide a real-time view of the certificate landscape and help identify any suspicious or unauthorized certificates. These monitoring services are typically automated and offer insights into the overall certificate ecosystem.

Additionally, there are some publicly available tools for inspecting CT logs: crt.sh by Sectigo, Censys Search, Cert Spotter by SSLMate, etc.
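
As an added example (not code from the article, nor from crt.sh or any of the tools named above), here is the core of a monitor in the spirit described in this section. It reads records shaped like the JSON that crt.sh returns for a domain query (fields `id`, `issuer_name`, `common_name`, `name_value`, `entry_timestamp`), and flags any certificate whose issuer or names are not on the domain owner's expected lists. The records, the domain `binaryte.example` and the expected lists are constructed sample data for illustration.

```python
# Added example: a minimal CT monitor over constructed crt.sh-style records.
# Not code from the article; the domain, issuers and timestamps are made up.
import json
from datetime import datetime

# Constructed sample of what a query for %.binaryte.example might return.
SAMPLE_LOG_JSON = """[
  {"id": 1000, "issuer_name": "C=XX, O=Example Rogue CA, CN=Example Rogue CA R1",
   "common_name": "www.binaryte.example", "name_value": "www.binaryte.example",
   "entry_timestamp": "2022-11-02T08:15:00"},
  {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.binaryte.example",
   "name_value": "binaryte.example\\nwww.binaryte.example",
   "entry_timestamp": "2023-05-20T10:00:00"},
  {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.binaryte.example",
   "name_value": "*.binaryte.example\\nbinaryte.example",
   "entry_timestamp": "2023-05-21T11:30:00"},
  {"id": 1003, "issuer_name": "C=XX, O=Example Rogue CA, CN=Example Rogue CA R1",
   "common_name": "www.binaryte.example", "name_value": "www.binaryte.example",
   "entry_timestamp": "2023-05-25T03:42:00"},
  {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "mail.internal.binaryte.example",
   "name_value": "mail.internal.binaryte.example",
   "entry_timestamp": "2023-05-26T16:05:00"}
]"""

# What the (hypothetical) domain owner expects to see in the logs.
EXPECTED_ISSUERS = {"Let's Encrypt"}
EXPECTED_NAMES = {"binaryte.example", "www.binaryte.example", "*.binaryte.example"}


def load_records(raw_json: str) -> list:
    """Parse the JSON array of log records."""
    return json.loads(raw_json)


def issuer_organization(issuer_name: str) -> str:
    """Extract the O= attribute from a flattened issuer DN such as
    'C=US, O=Let's Encrypt, CN=R3'.  Simple split: real DNs may escape commas."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    return ""


def name_is_expected(name: str, expected: set) -> bool:
    """Exact match, or covered by an expected wildcard spanning exactly one label
    (RFC 6125 rule: *.binaryte.example does not cover a.b.binaryte.example)."""
    name = name.lower().rstrip(".")
    if name in expected:
        return True
    labels = name.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in expected


def find_unexpected(records: list, expected_issuers: set, expected_names: set,
                    since: str = None) -> list:
    """One finding per suspicious record: {'id', 'logged_at', 'reasons'}.
    `since` is an optional ISO-8601 timestamp; older log entries are skipped."""
    cutoff = datetime.fromisoformat(since) if since else None
    findings = []
    for rec in records:
        logged_at = datetime.fromisoformat(rec["entry_timestamp"])
        if cutoff is not None and logged_at < cutoff:
            continue
        reasons = []
        org = issuer_organization(rec["issuer_name"])
        if org not in expected_issuers:
            reasons.append(f"unexpected issuer {org!r}")
        for name in rec["name_value"].split("\n"):
            if not name_is_expected(name, expected_names):
                reasons.append(f"unexpected name {name!r}")
        if reasons:
            findings.append({"id": rec["id"], "logged_at": logged_at, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unexpected(load_records(SAMPLE_LOG_JSON), EXPECTED_ISSUERS, EXPECTED_NAMES):
        print(f["id"], f["logged_at"].isoformat(), "; ".join(f["reasons"]))
```

Each finding is something the domain owner did not ask for: a certificate from a CA they never used, or a name outside the set they manage. Either one is the starting point for the revocation and investigation steps the article mentions, and the `since` cut-off is what lets a scheduled job look only at entries logged after its previous run.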

Certificate Transparency Auditors

Certificate auditors fulfill a dual role as both clients and verifiers of log servers. Certificate auditors perform in-depth analysis and verification of the SSL certificates recorded in the Certificate Transparency logs. They go beyond monitoring by evaluating the certificates for compliance with industry standards, such as proper certificate issuance procedures and adherence to security best practices. Certificate auditors conduct thorough audits to ensure the authenticity and legitimacy of certificates. They may also verify if the certificates were issued by trusted certificate authorities and assess if any certificates have been mistakenly or fraudulently issued.

Certificate Signing Request (CSR)

In [another article](https://www.binaryte.com/blog/digital-signature-explained), we explain how the public and private key pair are used when requesting a digital certificate. Here, we will focus on another aspect of the Certificate Signing Request.

In the preceding section on certificate monitors, we highlighted the presence of several fields associated with certificates. Accordingly, when users submit a Certificate Signing Request (CSR) for an SSL certificate, they must supply several fields containing the essential information.

The following is a compilation of the fields that make up the Distinguished Name (DN).

Common Name (CN) : The Fully Qualified Domain Name (FQDN) of the entity for which the certificate is being requested. For example, this website uses the domain name “www.binaryte.com” or “binaryte.com”. This field is often filled in, incorrectly, with the organization’s name.

Organization Name (O) : The legal name of the entity or organization (e.g. Google, Inc.). It should not be abbreviated, and it is mandatory to include the corporate identifier such as Inc., Corp. or LLC. However, if no company is associated with the request, simply set the field to “None” or “N/A”.

Organizational Unit (OU) : The name of the division or department within the organization (e.g. IT).

Locality (L) : Name of the city, village, town or locality where the organization or entity is located (e.g. Sandymount).

State (S) : Name of the state, province or region. This should not be abbreviated either (e.g. Dublin).

Country (C) : The country where the requestor is located (e.g. Ireland or IE).
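
To turn the field rules above into something a CSR intake process can enforce, here is an added example, not code from the article: it parses a subject written in RFC 4514 form (`CN=...,O=...,C=...`) and reports the mistakes the list warns about, namely a CN that is not an FQDN or merely repeats the organization name, an O that lacks a corporate identifier without being set to None or N/A, and a C that is not a two-letter code (the countryName attribute in a certificate holds the ISO 3166 code, so `IE` rather than `Ireland`). The state attribute is written `ST` here, which is its RFC 4519 short name; the sample subjects and the organization in them are constructed.

```python
# Added example: validate CSR subject fields against the rules in the article.
# Not code from the article; sample subjects below are constructed.
import re

ATTRIBUTES = {"CN": "Common Name", "O": "Organization Name", "OU": "Organizational Unit",
              "L": "Locality", "ST": "State or Province", "C": "Country"}
REQUIRED = ("CN", "O", "C")
NO_ORGANIZATION = {"none", "n/a"}              # accepted when no company is involved
CORPORATE_IDENTIFIERS = {"inc", "inc.", "corp", "corp.", "llc", "ltd", "ltd.", "plc", "gmbh", "ag"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label

SAMPLE_GOOD = "CN=www.example.test,O=Example Corp.,OU=IT,L=Sandymount,ST=Dublin,C=IE"
SAMPLE_BAD = "CN=Example,O=Example,OU=IT,L=Sandymount,ST=Dublin,C=Ireland"


def parse_dn(dn: str) -> dict:
    """'CN=www.example.test,O=Example Corp.,C=IE' -> {'CN': ..., 'O': ..., 'C': ...}.
    A comma inside a value is escaped as backslash-comma, as in RFC 4514."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):    # split on commas that are not escaped
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def is_fqdn(name: str) -> bool:
    """True for a fully qualified domain name; a leading '*.' wildcard label is allowed."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)


def validate_subject(attrs: dict) -> list:
    """Return (attribute, problem) pairs; an empty list means the subject passes."""
    problems = []
    for attr in REQUIRED:
        if not attrs.get(attr):
            problems.append((attr, f"{ATTRIBUTES[attr]} is required"))
    cn, org, country = attrs.get("CN", ""), attrs.get("O", ""), attrs.get("C", "")
    if cn and not is_fqdn(cn):
        problems.append(("CN", f"Common Name {cn!r} is not a fully qualified domain name"))
    if cn and org and cn.lower() == org.lower():
        problems.append(("CN", "Common Name repeats the Organization Name instead of the FQDN"))
    if org and org.lower() not in NO_ORGANIZATION and org.lower().split()[-1] not in CORPORATE_IDENTIFIERS:
        problems.append(("O", f"Organization Name {org!r} lacks a corporate identifier (Inc., Corp., LLC, ...)"))
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(("C", f"Country {country!r} must be the two-letter ISO 3166 code, e.g. IE"))
    return problems


if __name__ == "__main__":
    for subject in (SAMPLE_GOOD, SAMPLE_BAD):
        print(subject)
        for attr, problem in validate_subject(parse_dn(subject)) or [("-", "ok")]:
            print(f"  {attr}: {problem}")
```

The corporate-identifier check is deliberately a warning-grade heuristic built from the suffixes the article names plus a few common European ones; it catches the bare "Example" case but a registrar or CA vetting the request still needs the legal name itself.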

Conclusion

Certificate Transparency has brought a new level of security and trust to the digital world. By leveraging publicly accessible logs, cryptographic hashing, and active monitoring, Certificate Transparency (CT) offers a comprehensive solution to combat misissued and fraudulent certificates. It ensures that certificates can be trusted and verified by bringing transparency, accountability, and integrity to the certificate ecosystem.

As the demand for secure online communication continues to grow, embracing Certificate Transparency becomes imperative. Organizations, certificate authorities, web browser vendors, and users must collectively adopt CT to foster a more secure and trustworthy digital environment. By doing so, we can fortify the foundations of SSL/TLS certificates, protect user privacy, and maintain the integrity of encrypted communications.