An introduction to Certificate Transparency 🌐️ ☑️
Well, I understand security terms are always interesting but boring when it comes to theory.
So don’t worry, I will try to make this article quite short and simple, yet interesting.
In the world of internet, various electronic devices exchange data everyday, wherein there is a flow of all types of data. In such scenarios, it’s very important to make sure that, the security and integrity of the data is well taken care of. Hence, came up a concept called Transport Layer Security(TLS), preceded by Secure Sockets Layer (SSL), which is a layer on the top of the network layer, to provide a secure connection between the devices(client and server, let’s say).
When you open your browser and type a web URL, to request a particular web page like https://google.com or https://youtube.com, etc, the ‘s’ in https, stands for that secure layer. In order to signify that well, you also see a padlock icon on the left hand side of the URL. The address google.com or youtube.com is also known as domain name. These names are mapping to a set of IP addresses of some servers hosting google’s website. This knowledge would be required later in the article to understand CT well.
If the URL does not have http ending with an ‘s’, you know that your connection is at risk.
Click on the padlock icon, and you see a pop-up saying “Connection is Secure”. Yay!! We are secure now.
Now click on the “Connection is secure” option to find the below, which says Certificate is valid.
Click on the certificate option to find the certificate. You can open the certificate to find, all kinds of data it holds. Going in details of each data would ruin the purpose of this article.
Every trustworthy website or the domain owner has a certificate, signed by a Certificate Authority. Certificate authority (CA) is a trusted organisation that issues digital certificates for websites and other entities. Just like when you complete a course, and fulfil some conditions you are issued some certificate saying that you have been certified for your learnings, from a trusted organisation, so that you clients, or employers can instil some trust in your work.
Similarly, when a browser sends a request to some server for a website through some domain name or website address or URL (https://google.com), then before any exchange of data, the server sends its certificate to the browser, signed by a CA. The client(browser, mobile, web, etc.) refers to its trust kit(a set of all the possible Root CAs across the globe) embedded in its operating system, and verifies the certificate through the one of the Root CAs embedded in the trust kit.
This process is a bit complex, under the Public Key Infrastructure(PKI). If you want to understand more about the PKI and the process in depth, you can go through this awesome article.
Once the certificate is verified, the client trusts the CA which has signed the domain owner’s certificate, thereby allowing the connection with the domain owner, followed by data sharing, and eventually you can see a web-page load on your browser. But this is still insecure, if a certificate authority is compromised, and certificates are issued to some fake domain owners, with real domain owners being the subject of the certificate maliciously. The client will still trust the CA, and allow the connections. But now, client will be talking to a malicious domain owner or server, with all your data at risk. This is also known as Man in the Middle Attack.
These attacks can mitigated using, public key pinning or certificate pinning, wherein we pin the exact leaf certificate in the client side, so that no malicious certificate under the name of the compromised CA can fool the client.
But this comes with another set of problems.
Certificates have some validity, which when expired, abandons the further connections totally. So it’s a headache to replace the certificate and make client app releases every now and then, thereby giving force app updates which is irritating to the users. You might have heard of certificate/TLS/SSL pinning. Haven’t you ? If not, you might want to understand that.
Certificate Transparency is an ecosystem wherein, all the certificates issued by an authentic CA is logged in some publicly available log servers. Each domain owner can run those log servers and get notified if some attacker compromises some CA to issue a certificate in the domain owner’s name as a subject of the certificate.
These log servers are highly secured based on Merkel-Trees such that the data logged here is only appended, and not editable. When a certificate issuance by a CA is logged in any of these log servers, the log server sends an SCT (Signed Certificate Timestamp) to the CA, which is then mentioned in the certificate signed by the CA for the subject (domain owner).
Now during the connection with a client, the domain owner sends its certificate along with the list of SCTs corresponding to the authentic log servers. The client now verifies the list of SCTs, instilling the trust that a corresponding log has been recorded for the certificate issuance.
We at Nuclei, are now trying to enter the Certificate Transparency ecosystem, as based on past experiences, we foresee TLS/SSL/Certificate Pinning as a real problem and a non-scalable approach in our use cases.
I hope, by the end of this article you understand the importance of certificate transparency.
More depth knowledge on certificate transparency and, how we are adopting it, in later articles.
Till then, eat your vegetables, do your exercises, stay healthy and safe.
Good bye 👋😄
Certificate Transparency : Certificate Transparency
An ecosystem that makes the issuance of website certificates transparent and verifiable. To the participants of the…
How CT Works : Certificate Transparency
Certificate logs are append-only ledgers of certificates. Because they're distributed and independent, anyone can query…