Certificate Transparency


Starting April 28, 2018, AWS will support Certificate Transparency. I am new to this; here are some things I have learned so far.

What exactly is certificate transparency?

Certificate Transparency is an open framework that was initially launched by Google.

What problems does certificate transparency solve?

It is designed to address several flaws in the current SSL certificate system, such as mistakenly issued certificates and maliciously acquired certificates.

How does certificate transparency solve the problems?

  • Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.

How does certificate transparency work?

[Figure ct_intro_system.png: overview of the Certificate Transparency system]

The framework has three components: certificate logs, monitors and auditors. All three work together to allow anyone to observe and verify newly issued and existing SSL certificates in near real time.

  • Certificate logs are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates. Anyone can submit certificates to a log, although certificate authorities will likely be the foremost submitters. Likewise, anyone can query a log for a cryptographic proof, which can be used to verify that the log is behaving properly or verify that a particular certificate has been logged. The number of log servers doesn’t have to be large (say, much less than a thousand worldwide), and each could be operated independently by a CA, an ISP, or any other interested party.
  • Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates. For example, monitors can tell if an illegitimate or unauthorized certificate has been issued for a domain, and they can watch for certificates that have unusual certificate extensions or strange permissions, such as certificates that have CA capabilities.
  • Auditors are lightweight software components that typically perform two functions. First, they can verify that logs are behaving correctly and are cryptographically consistent. If a log is not behaving properly, then the log will need to explain itself or risk being shut down. Second, they can verify that a particular certificate appears in a log. This is a particularly important auditing function because the Certificate Transparency framework requires that all SSL certificates be registered in a log. If a certificate has not been registered in a log, it’s a sign that the certificate is suspect, and TLS clients may refuse to connect to sites that have suspect certificates. An auditor could be an integral component of a browser’s TLS client, a standalone service, or a secondary function of a monitor. Anyone can create an auditor, although it’s likely that CAs will run the bulk of all auditors because they are an efficient way to gain insight into the operational integrity of all CAs.
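The "append-only, cryptographically assured" log and the auditor's "does this certificate appear in the log" check both rest on the Merkle tree defined in RFC 6962. The example below is added here and is not code from the original post or from AWS: it builds the tree hash, produces an inclusion (audit) path, and verifies it the way an auditor would. The log entries are constructed strings standing in for DER certificates.

```python
import hashlib

LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"  # domain separation (RFC 6962 section 2.1)


def hash_leaf(entry: bytes) -> bytes:
    """Leaf hash: SHA-256(0x00 || entry)."""
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    """Interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def tree_hash(entries: list[bytes]) -> bytes:
    """Merkle Tree Hash MTH(D[n]) over the log entries, in order."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split(n)
    return hash_node(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_proof(index: int, entries: list[bytes]) -> list[bytes]:
    """Audit path PATH(m, D[n]): sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_hash(entries[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int, path: list[bytes], root: bytes) -> bool:
    """Auditor-side check (RFC 9162 section 2.1.3.2): rebuild the root from leaf + path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in path:
        if sn == 0:
            return False  # path is longer than the tree allows
        if fn & 1 or fn == sn:  # sibling is on the left
            r = hash_node(p, r)
            while fn and not fn & 1:  # skip levels where the right subtree is missing
                fn, sn = fn >> 1, sn >> 1
        else:  # sibling is on the right
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


# Constructed sample log entries (not real certificates).
LOG = [f"cert-{i}:example{i}.test".encode() for i in range(6)]


def demo() -> tuple[bool, bool]:
    """Every logged entry verifies; a certificate that was never logged does not."""
    root = tree_hash(LOG)
    all_ok = all(verify_inclusion(hash_leaf(e), i, len(LOG), inclusion_proof(i, LOG), root)
                 for i, e in enumerate(LOG))
    forged = verify_inclusion(hash_leaf(b"cert-x:forged.test"), 2, len(LOG), inclusion_proof(2, LOG), root)
    return all_ok, forged
```

A real client receives the path and root (inside a signed tree head) from the log; this example computes both locally only so it can be run offline.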

References:

https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/
https://www.certificate-transparency.org/
