MICHAEL REBER

What are Certificate Transparency Logs?

Certificate Transparency (CT) logs are publicly accessible databases that store records of TLS (Transport Layer Security) certificates issued by Certificate Authorities (CAs). TLS certificates are essential for establishing secure connections on the internet, as they verify the identity of a website and encrypt data transmitted between a server and a client. When a TLS certificate is issued, it is added to a CT log, which is a public record of certificates tied to a domain name.

The primary goal of CT logs is to improve security and transparency in the certificate issuance process. By making certificate records publicly accessible, CT logs allow anyone—from companies and security researchers to the general public—to monitor which certificates have been issued for their domains. This visibility makes it easier to detect potentially fraudulent or misissued certificates, ensuring that a company's online identity is protected against misuse by attackers posing as legitimate websites.

Why "Security Through Obscurity" Isn't Enough

Some may think that security for subdomains can be maintained simply by keeping them hidden or “obscure,” under the assumption that “if it's not listed on Google, it's secure.” However, this approach—known as "security through obscurity"—is not effective for several reasons:

• Subdomains are Not Truly Hidden: CT logs make subdomains publicly visible, as certificates are issued for each specific subdomain. This means that even if a subdomain is not indexed by search engines, its existence may still be discoverable through CT logs or other public records. Tools and services exist specifically to monitor CT logs, making it trivial for attackers or curious individuals to find subdomains they otherwise might not have known about.
• Increased Risk of Attack on Unsecured Subdomains: By relying on obscurity, companies may inadvertently overlook the security of certain subdomains, especially test environments or internal systems. Attackers can identify and target these unprotected subdomains via CT logs, exploiting any weaknesses they find. Even non-public-facing test systems are susceptible to data breaches, unauthorized access, or being used as entry points into a company's larger network.
• Compliance and Best Practices Require Active Security: Properly securing applications and systems—especially those accessible over the internet—is a fundamental requirement for meeting compliance standards and security best practices. This applies to public and non-public environments alike. Trusting that unlisted subdomains will remain undiscovered often leads to vulnerabilities that put company and user data at risk.

How Certificate Transparency Enhances Security and Accountability

CT logs create a system of checks and balances by enabling the monitoring of all TLS certificates issued for a domain. This transparency can prevent attackers from obtaining rogue certificates that impersonate a company's website. Without CT, an attacker who compromised a Certificate Authority could create a valid-looking certificate for a target domain, intercepting or manipulating traffic in a classic “man-in-the-middle” attack. With CT logs, unauthorized certificates become easier to detect, and companies can act quickly to revoke them and mitigate any damage.

Risks of CT Logs for Sensitive Information

While CT logs are valuable for security, they can also reveal information that companies may wish to keep private. Each entry in a CT log contains details about the domain, including subdomains, associated with a certificate. For instance, if a certificate is issued for an internal system or test environment like test.internal.company.com, this subdomain will be visible in the CT log. This exposure can inadvertently reveal details about internal infrastructure, development stages, or upcoming projects, potentially providing competitors or attackers with insights they otherwise wouldn’t have.

Securing All Systems, Including Test Environments

In an era where subdomains are easily discoverable, companies must prioritize securing all subdomains and environments—public-facing and internal alike. Test systems and internal tools, if accessible over the internet, should follow the same rigorous security protocols as production systems. This includes ensuring TLS encryption, enforcing access controls, and regularly reviewing access logs. Assuming that certain environments are “safe” because they're hidden is a dangerous mindset that often leads to critical security oversights.

In conclusion, CT logs serve as an essential tool for maintaining the integrity of online identities, protecting against fraudulent certificates, and ensuring transparency. However, they also highlight the importance of securing all systems comprehensively. Security through obscurity does not prevent attackers from finding subdomains; only active and thorough security practices will provide the necessary protection.