HACKER Q&A
📣 mawise

Monitoring for HTTPS Certificate Issuance?


Hi HN,

I've been using Let's Encrypt for HTTPS certificates and I think it's great. However, the ease-of-use means that anyone who can get my DNS pointed to them (briefly) could request a certificate. Alternately put, if anyone can become a MITM (close enough to my end of the network topology), they should be able to request a valid certificate to hide that fact.

I don't know if this is a real concern. In practice it means Cloudflare, or Amazon, or my ISP would probably need to be complicit.

Are there any services that monitor issuance of HTTPS certificates? For example, if the CAs (Let's Encrypt and DigiCert and Comodo etc.) all publish a firehose of issued certificates, then this service could take the domain that I own and send me an email whenever anyone issues a cert for my domain. I imagine the publishing side of this might not even exist, and I don't know how you would audit that _all_ CAs are publishing.

Do any of you know if something like this exists? Or is there another solution in this space that people rely on?

Thanks!


  👤 ivanr Accepted Answer ✓
There's already a system in place to record most public certificates in a way that facilitates monitoring and auditing. It's called Certificate Transparency (CT); you'll find more about it at https://certificate.transparency.dev. Google designed it and made it a requirement for certificates to be considered trusted in Chrome. It's since been adopted by Apple and Microsoft.

The basic idea is that participating CAs must publish all certificate information to multiple CT logs. For every issuance they thus receive several proofs of logging (SCTs, one for each CT log they submit to). They then embed those proofs in the actual certificates, enabling browsers to distinguish published certificates from those that haven't been. If you'd like to see the SCTs, go to this page https://www.hardenize.com/report/hardenize.com/1643337370#ww... and open up more certificate information by clicking on "View details". The SCTs are under the "Certificate Transparency" heading.

If you're talking about your own personal web sites, I don't think misissuance is something you need to worry about; someone will need a reason to go after you. For large organisations with large infrastructures, it's another story.

There are free services out there that will send you a notification whenever a new certificate is issued for one of your properties. IIRC, Facebook used to operate one and so does Cloudflare. I haven't tried them myself. It's fun when you get the first couple of notifications but quickly becomes noise. The real challenge is being able to filter out the regular issuance and highlight the unusual ones.

Disclosure: I am the founder of Hardenize, which helps companies handle their certificate infrastructure and we offer CT monitoring as part of our product. We provide free configuration assessments to everyone and without registration from our homepage https://www.hardenize.com
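To make the "embedded proofs of logging" concrete, here is an added example (not code from the answer above, nor from Hardenize) that serialises and then decodes the SignedCertificateTimestampList structure from RFC 6962 section 3.3, which is what a CA embeds in the certificate's SCT extension (OID 1.3.6.1.4.1.11129.2.4.2, wrapped in an OCTET STRING; the code below takes the unwrapped bytes). The log IDs, timestamps and signature bytes are constructed placeholders, and `min_logs` is an assumed threshold, not any browser's actual CT policy. No signature verification is attempted; that would need the logs' public keys.

```python
import struct
from datetime import datetime, timezone

# Constructed sample values: fake 32-byte log IDs and a placeholder signature.
# A real LogID is the SHA-256 hash of the log's public key.
LOG_A = bytes(range(32))
LOG_B = bytes([0xAA] * 32)
FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x01"  # DER-shaped filler, not a real ECDSA sig


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialise one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(log_id) != 32:
        raise ValueError("LogID must be 32 bytes")
    return (
        b"\x00"                                # sct_version = v1 (0)
        + log_id                               # LogID
        + struct.pack(">Q", timestamp_ms)      # uint64 timestamp, ms since epoch
        + struct.pack(">H", 0)                 # CtExtensions: empty
        + b"\x04\x03"                          # SignatureAndHashAlgorithm: sha256(4), ecdsa(3)
        + struct.pack(">H", len(signature)) + signature
    )


def build_sct_list(scts: list) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then each SCT
    prefixed by its own 2-byte length (TLS-style vectors)."""
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


def parse_sct(sct: bytes) -> dict:
    """Decode one serialised SCT; raises ValueError on malformed input."""
    if len(sct) < 47:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError("unsupported SCT version %d" % sct[0])
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack_from(">Q", sct, 33)
    (ext_len,) = struct.unpack_from(">H", sct, 41)
    pos = 43 + ext_len
    if pos + 4 > len(sct):
        raise ValueError("truncated after extensions")
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    (sig_len,) = struct.unpack_from(">H", sct, pos + 2)
    signature = sct[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return {
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc).isoformat(),
        "extensions": sct[43:pos],
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def parse_sct_list(data: bytes) -> list:
    """Decode a SignedCertificateTimestampList into a list of SCT dicts."""
    if len(data) < 2:
        raise ValueError("list too short")
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("list length does not match payload")
    end, pos, out = 2 + total, 2, []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("dangling length prefix")
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if pos + n > end:
            raise ValueError("truncated SCT entry")
        out.append(parse_sct(data[pos:pos + n]))
        pos += n
    return out


def distinct_logs(scts: list) -> int:
    """Number of distinct logs that vouched for the certificate."""
    return len({s["log_id"] for s in scts})


def meets_log_policy(scts: list, min_logs: int = 2) -> bool:
    """Assumed check: require SCTs from at least `min_logs` different logs.
    Real browser policies are more detailed (counts depend on cert lifetime)."""
    return distinct_logs(scts) >= min_logs


if __name__ == "__main__":
    blob = build_sct_list([build_sct(LOG_A, 1643337370000, FAKE_SIG),
                           build_sct(LOG_B, 1643337371000, FAKE_SIG)])
    for s in parse_sct_list(blob):
        print(s["log_id"][:16], s["timestamp"], "sig=%d bytes" % len(s["signature"]))
    print("distinct logs:", distinct_logs(parse_sct_list(blob)))
```

With a real certificate you would pull the extension value out with your X.509 library of choice, strip the outer OCTET STRING, and feed the remaining bytes to `parse_sct_list`; the timestamp tells you when each log accepted the (pre)certificate, and the log ID tells you which log to query for the corresponding entry.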


👤 detaro
The firehose of all certificates is known as "Certificate Transparency", and all CAs have to participate. Various monitoring services monitor it, sadly almost exclusively in paid offerings.
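Both answers above point at the practical problem: the firehose is easy to subscribe to, and the hard part is separating routine renewals from the issuance you did not expect. The following added example (not detaro's, not from any monitoring service) shows the triage step over a handful of constructed records in the shape of crt.sh's JSON output; the owned domains, expected issuer string and known hostnames are assumptions standing in for your own inventory. It also de-duplicates on serial number, since a precertificate and its final certificate are logged as separate entries.

```python
from dataclasses import dataclass
from typing import Optional

# Assumptions standing in for a real inventory.
OWNED_DOMAINS = {"example.com"}
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}
KNOWN_HOSTNAMES = {"example.com", "www.example.com", "mail.example.com"}

# Constructed records (not real log entries) shaped like crt.sh JSON rows.
SAMPLE_RECORDS = [
    {"id": 1, "serial_number": "01aa", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com", "not_before": "2022-01-20T00:00:00"},
    # precertificate twin of record 1: same issuer and serial, should be collapsed
    {"id": 11, "serial_number": "01aa", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com", "not_before": "2022-01-20T00:00:00"},
    {"id": 2, "serial_number": "02bb", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.example.com", "not_before": "2022-01-21T00:00:00"},
    {"id": 3, "serial_number": "03cc", "issuer_name": "C=XX, O=Constructed CA, CN=Constructed CA 1",
     "name_value": "example.com", "not_before": "2022-01-22T00:00:00"},
    {"id": 4, "serial_number": "04dd", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com", "not_before": "2022-01-23T00:00:00"},
    # someone else's domain that merely contains ours as a suffix: out of scope
    {"id": 5, "serial_number": "05ee", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "notexample.com", "not_before": "2022-01-24T00:00:00"},
]


@dataclass(frozen=True)
class Finding:
    record_id: int
    level: str               # "expected" or "alert"
    reasons: tuple


def in_scope(name: str, owned: set) -> bool:
    """True if a SAN is one of our domains or a subdomain of one.
    Matches on label boundaries, so notexample.com does not match example.com."""
    bare = name[2:] if name.startswith("*.") else name
    return any(bare == d or bare.endswith("." + d) for d in owned)


def classify(record: dict, owned: set, expected_issuers: set,
             known_hostnames: set) -> Optional[Finding]:
    """Return None for records that do not touch our domains, otherwise a
    Finding whose reasons explain why it is unusual (empty reasons = routine)."""
    names = [n.strip().lower() for n in record["name_value"].split("\n") if n.strip()]
    ours = [n for n in names if in_scope(n, owned)]
    if not ours:
        return None
    reasons = []
    if record["issuer_name"] not in expected_issuers:
        reasons.append("unexpected-issuer:" + record["issuer_name"])
    for n in ours:
        if n.startswith("*."):
            reasons.append("wildcard:" + n)      # broad cert we never request
        elif n not in known_hostnames:
            reasons.append("unknown-name:" + n)  # name missing from inventory
    return Finding(record["id"], "alert" if reasons else "expected", tuple(reasons))


def triage(records: list, owned: set, expected_issuers: set, known_hostnames: set) -> list:
    """Collapse precert/cert pairs by (issuer, serial) and return only alerts."""
    seen, alerts = set(), []
    for rec in records:
        key = (rec["issuer_name"], rec["serial_number"].lower())
        if key in seen:
            continue
        seen.add(key)
        finding = classify(rec, owned, expected_issuers, known_hostnames)
        if finding is not None and finding.level == "alert":
            alerts.append(finding)
    return alerts


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, OWNED_DOMAINS, EXPECTED_ISSUERS, KNOWN_HOSTNAMES):
        print(f.record_id, f.level, ", ".join(f.reasons))
```

The inventory lists are the whole game: the tighter your list of expected issuers and hostnames, the fewer routine renewals reach a human, and a certificate from a CA you never use or for a name you never provisioned stands out immediately instead of drowning in the noise the answers above describe.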

👤 HiryuSingh