Facebook helping devs keep up with TLS certificates
Crawling transparency logs, so you don't need to
Facebook has expanded its year-old certificate transparency project to make it easier for developers to watch for dodgy certs.
The Social Network™ first started offering tools so people didn't have to comb through transparency logs themselves. As the company noted in this post, the monitoring tool offered a search engine that let users check certificates issued for domains and subdomains, and subscribe to alerts if anything changed.
With 40,000 new certs landing in more than 20 transparency logs each hour, keeping track of everything needs “the same backend system that powers the Facebook Graph”, the company said.
Explaining the update, Bartosz Niemczura and David Huang wrote that “a single breach or internal abuse of any CA can result in issuance of publicly-trusted TLS certificates that can be used to perform man-in-the-middle attacks on any website.”
The three developer tools Facebook launched to help developers work with its CT monitoring framework are webhooks, a Graph API, and push notifications.
Webhooks let developers register a hook and define the domains they want monitored: “Every time we detect a new certificate issued for these domains, we'll send a request to the external endpoint specified by the developer with information about the certificate.”
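What a developer does with such a request is the interesting part: a receiver that simply logs every notification will drown in legitimate renewals, so the endpoint should triage each certificate against what the organisation actually expects. The following is an added example, not Facebook's code; the payload field names (domains, issuer, serial) and the issuer and domain values are assumptions constructed for this example, since the page does not describe the real webhook format.

```python
import json

# Constructed sample of a webhook notification body. The field names are an
# assumption made for this example; the page does not describe Facebook's format.
SAMPLE_NOTIFICATION = json.dumps({
    "domains": ["www.example.com", "api.example.com", "login.example.net"],
    "issuer": "CN=Some Other CA, O=Some Other CA Ltd",
    "serial": "0a1b2c3d4e5f",
    "not_after": "2018-09-01T00:00:00Z",
})

# Allowlist of issuers the organisation really buys from (hypothetical values)
# and the domains it owns; anything outside these deserves a human look.
EXPECTED_ISSUERS = {"CN=Our Usual CA, O=Our Usual CA Ltd"}
OWNED_DOMAINS = {"example.com"}


def is_owned(name, owned=OWNED_DOMAINS):
    """True if name is an owned domain or a subdomain of one (wildcards by base)."""
    name = name.lower().lstrip("*.")
    return any(name == d or name.endswith("." + d) for d in owned)


def triage(raw_body, expected_issuers=EXPECTED_ISSUERS, owned=OWNED_DOMAINS):
    """Classify one notification as 'expected' or 'alert', with the reasons found."""
    note = json.loads(raw_body)
    reasons = []
    # A certificate from a CA we never use is the mis-issuance case the article warns about.
    if note.get("issuer") not in expected_issuers:
        reasons.append(f"unexpected issuer: {note.get('issuer')}")
    # A certificate bundling our names with names we do not own is also worth a look.
    foreign = [d for d in note.get("domains", []) if not is_owned(d, owned)]
    if foreign:
        reasons.append(f"certificate also covers domains we do not own: {foreign}")
    # Without a serial number the certificate cannot be tracked for revocation.
    if not note.get("serial"):
        reasons.append("notification carries no serial number")
    return ("alert" if reasons else "expected"), reasons


if __name__ == "__main__":
    print(triage(SAMPLE_NOTIFICATION))
```

The sample notification trips both the issuer and the foreign-domain checks; a routine renewal from the usual CA covering only owned names comes back as "expected" with no reasons.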
The Graph API is designed to simplify querying certificates, returning the cert metadata for all domains matching the query.
As for push notifications, that's pretty much self-explanatory, and it's a default setting on the certificate transparency tools.
Niemczura and Huang also wrote that developers should watch out for stronger enforcement of CT logs in the future: Facebook is now implementing the HTTP “Expect-CT header” Internet Draft, meaning that “compatible web browsers will enforce that certificates used to access Facebook must previously be logged to public CT logs.” ®