As we have stated previously, website owners have a concern that an attacker can have a certificate issued for their domain name. We now have two systems which will help monitor certificates for domains: Certificate Transparency (CT) and Certificate Reputation. At the start of 2015, most certification authorities (CAs) support CT as requested by Google. CT works for extended validation (EV) SSL certificates and will allow all EV certificates to be monitored.

In March 2015, Microsoft deployed Certificate Reputation. Through the use of Windows, Internet Explorer and other applications, certificate data for all types of SSL certificates is collected and provided to Microsoft. In addition, Microsoft has stated that they don’t collect any information that could be used to identify the user. The certificate data is only provided to users who can confirm ownership of the domain. The data is provided through Bing Webmaster Tools and shows data similar to the image below.

Track Certificates

The data includes identity information such as the name of the server (Host), the name of the entity (Issued to), and the name of the CA (Issued by). It provides data on how long the certificate has been available (First seen and Last seen) and its validity (Expiry date). It allows the user to download the certificate (Download) and report fraudulent certificates to Microsoft (Report).

In the short-term, there appears to be advantages of Certificate Reputation as it works for all types of SSL certificates and not just EV. It works for all CAs, as the CAs do not need to participate in the Certificate Reputation program. Certificate Reputation is also available to all administrators as Microsoft is providing the information through a portal.

From the disadvantage side, it only provides data from Windows and its applications; however, this should provide a substantial use base. We are seeing more occurrences of fraudulent certificates being issued, such as the recent problem with CNNIC. It is recommended that domain owners use Certificate Reputation to monitor their domains. In the future, we expect that Microsoft will upgrade the service to provide email notification when a new certificate has been found.

Re-posted from the CA Security Council blog: https://pkic.org/blog/