Why Certificate Transparency Was Created

In 2011, the Dutch CA (Certificate Authority) DigiNotar was compromised by attackers. Over 500 fraudulent certificates were issued, covering domains belonging to Google, Mozilla, Skype and even government agencies. These certificates enabled MITM (Man-In-The-Middle — interception of encrypted traffic without the user's knowledge) attacks. The incident took weeks to detect because no public registry of certificates existed. Certificate Transparency (CT) is the technical response to this problem.

How CT Works

The mechanism relies on public audit logs (CT Logs). When a CA issues a TLS (Transport Layer Security — the HTTPS encryption protocol) certificate, it submits it to multiple CT Logs. These logs are append-only and cryptographically verifiable (they are built on Merkle trees — a hash structure that lets anyone check that an entry is in the log, and that the log has not been rewritten, without downloading the entire log). In return, each log issues an SCT (Signed Certificate Timestamp — a signed timestamp in which the log commits to including the certificate). The SCTs are then embedded in the final certificate or delivered in a TLS extension during the handshake.

Anyone can therefore verify that a certificate was logged before being used.
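To make the Merkle-tree claim concrete, here is an added example (not code from the original article) that implements the RFC 6962 leaf and node hashing, builds a five-entry toy log from constructed entries, produces the audit path a log would return for one entry, and then verifies inclusion from the leaf and that path alone, which is how a CT monitor or auditor checks an entry without fetching the whole log. `LOG_ENTRIES` and the `cert-N:example.com` strings are constructed stand-ins for real log entries.

```python
import hashlib

# RFC 6962 domain separation: leaf and interior hashes use different prefixes,
# so a log entry can never be passed off as an internal node (or vice versa).
def hash_leaf(entry):
    return hashlib.sha256(b"\x00" + entry).digest()
def hash_node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n):  # largest power of two strictly less than n (RFC 6962 split)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_tree_hash(entries):
    """MTH(): the tree head a log computes over its complete entry list."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return hash_leaf(entries[0])
    k = split_point(len(entries))
    return hash_node(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))

def inclusion_path(m, entries):
    """Audit path the log returns for entry m: sibling hashes, leaf to root."""
    if len(entries) == 1:
        return []
    k = split_point(len(entries))
    if m < k:
        return inclusion_path(m, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [merkle_tree_hash(entries[:k])]

def verify_inclusion(entry, index, tree_size, path, root):
    """Client side: rebuild the root from the leaf and its path only (RFC 9162, 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, hash_leaf(entry)
    for sibling in path:
        if sn == 0:
            return False  # path longer than the tree allows
        if fn & 1 or fn == sn:
            r = hash_node(sibling, r)
            while fn and not fn & 1:  # rightmost node with no sibling at this level
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hash_node(r, sibling)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed stand-ins for MerkleTreeLeaf entries; real ones wrap the timestamp
# and the (pre)certificate, but only the tree arithmetic matters here.
LOG_ENTRIES = [f"cert-{i}:example.com".encode() for i in range(5)]
```

In a real check the root comes from a Signed Tree Head whose signature you verify first, since a matching root alone only proves membership in whatever tree the log chose to present; a modified entry, a truncated path or a wrong tree size all make `verify_inclusion` return `False`.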

The Requirement Since Chrome 68 (2018)

Since Chrome 68 (July 2018), Google requires every TLS certificate to include at least two SCTs from distinct CT Logs approved by Google. A certificate without valid SCTs is rejected by Chrome with a security error, making the site inaccessible to the majority of users. Apple has imposed similar requirements for Safari since 2018.

Monitoring Your Domain with crt.sh

crt.sh is a public search engine that indexes all CT Logs. By entering your domain name, you obtain the complete list of all certificates issued for that domain, including issuance dates, the issuing CA, and covered subdomains. It is a valuable tool for:

  • Detecting certificates issued without your authorization (shadow IT, attacks)
  • Discovering unlisted subdomains (attack surface reconnaissance)
  • Verifying that a certificate has been properly logged

Continuous Monitoring and Alerts

Occasional checks are not enough. Services like Certificate Transparency Monitor (Facebook), Cert Spotter (SSLMate), or SIEM (Security Information and Event Management — a security event correlation system) integrations can send real-time alerts whenever a new certificate is issued for your domain. This is an early detection measure against CA compromise and internal issuance errors.

Audit Your Domain Security with TheSiteFuse

A fraudulent certificate on your domain can go unnoticed without active monitoring. Run a free audit to check the status of your certificates, detect anomalies in CT Logs, and strengthen the security of your HTTPS infrastructure.