CT monitor for essendi xc – simplicity with safety

Sending confidential messages via email or social media platforms, online banking and shopping on the internet are services that large numbers of people use every day. Users rely on no one being able to gain unauthorized access to their personal data. For this reason, this data is transmitted in encrypted form using cryptographic protocols and a range of additional security measures.

Digital Certificates for Greater Security
In addition to data encryption, it is also important to ensure that sensitive data is truly transmitted to the intended communication partner. The recipient's identity is therefore verified using digital certificates. These contain the communication partner's public key and additional information identifying them. Digital certificates are issued by special certification authorities (CAs), which vouch for the correctness of the information with their signature. Certificates have a defined validity period and must be renewed once they expire. If they are issued incorrectly, or if the associated private key is compromised, they can be revoked. Constantly increasing security requirements are resulting in ever shorter validity periods.

Forged certificates can cause significant financial or reputational damage to a company. They can, for example, be used to gain unauthorized access to company or customer data, or to operate phishing sites. Phishing sites are fake websites that resemble the original company website and are intended to trick users into disclosing sensitive data such as passwords or payment information.

They can also be used to carry out so-called man-in-the-middle attacks, in which an attacker intercepts the communication between client and server and pretends to each party to be the other.

Certification Authorities as Trust Anchors
Certification authorities are therefore the trust anchors for encrypted communication on the internet. By issuing digital certificates, they confirm the identity of individuals or organizations. A large part of encrypted communication on the internet is thus based on digital certificates and on trust in the issuing certification authority (CA). However, this only works as long as CAs do not issue certificates with false information, do not make mistakes during the issuance process, and are not compromised by attackers and misused to issue forged certificates. If any of these conditions is not met, secure communication on the internet as a whole is at risk. Unfortunately, in the past, certification authorities have not always operated flawlessly. To ensure that communication over the internet remains secure, a solution had to be created.

Certificate Transparency Standard for Greater Transparency
Because of their crucial role in confidential communication on the internet, it is necessary to be able to monitor the work of certification authorities. This is precisely why the Certificate Transparency Standard (RFC 6962) was developed. By means of public directories of issued certificates in the form of CT logs, it makes the work of certification authorities observable by anyone.

Since security incidents have repeatedly affected domains of popular and frequently used services, these providers drove the development of the Certificate Transparency Standard. The standard provides that certificates issued by certification authorities are entered into publicly accessible logs, and the CT policies of the major browsers make logging a condition for accepting a publicly trusted certificate, so in practice every such certificate is logged. This enables near real-time monitoring of the certificates issued by CAs (a log may take up to its maximum merge delay to publish a new entry). Through this monitoring, wrongly issued certificates or operational errors at certification authorities can be detected more quickly, and countermeasures can be initiated faster.

Automated Verification of CT Logs
These directories are provided in the form of so-called CT logs. A CT log is a network service that offers a cryptographically secured, publicly accessible directory of issued certificates. A log accepts every certificate that chains to a root it trusts and returns a signed certificate timestamp (SCT), its promise to include the certificate within a fixed maximum merge delay; browsers require such SCTs before they accept a publicly trusted certificate. Entries can only be added to a log and can no longer be deleted or modified afterward (append-only). The correct behavior of a log can be verified through cryptographic proofs: the entries form a Merkle hash tree whose root is published as a signed tree head (STH), an inclusion proof shows that a given entry is part of the tree, and a consistency proof shows that a newer tree head is the older one with entries appended. CT logs are typically operated by CAs, internet service providers (ISPs), browser vendors or other interested parties. Each log exposes a standardized HTTP interface through which certificates can be submitted, entries queried, and proofs obtained. The forgery of certificates is not detected or prevented by the CT logs themselves. Rather, the logs provide the data basis for carrying out such checks.

Monitor
The task of checking whether a forged certificate has been issued is handled by monitors. They retrieve new entries from the CT logs at regular intervals and examine the certificates they contain, in particular the domain names in the subject and Subject Alternative Name fields. Such a monitor can, for example, be operated by companies or domain owners to detect whether a forged certificate has been issued for their domain. Typically, the monitor is offered as a subscription service in which domain owners provide their domain name and contact address and are notified by the monitor whenever a certificate is issued for their domain.

Auditor
For CT logs to provide added value for internet security, their own correct behavior must be verified. This task is carried out by the auditor, which can be a standalone service, part of a monitor, or integrated into a browser. It verifies, for example, consistency proofs between successive signed tree heads, which shows that the log has only appended entries and never rewritten its history, and inclusion proofs, which show that a certificate for which the log issued an SCT is actually present. Comparing tree heads obtained from different vantage points additionally exposes a log that presents different views to different clients.
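The append-only property of a log and the proofs a monitor and an auditor check are easiest to understand by running them. The following script is an added example written for this article, not code from essendi xc: it implements the RFC 6962 Merkle tree hash (0x00 prefix for leaves, 0x01 for interior nodes), generates and verifies inclusion proofs, which is what a monitor checks for a single entry, and consistency proofs between two tree heads, which is what an auditor checks. The log entries are constructed byte strings standing in for real MerkleTreeLeaf structures, and the tree is held in memory instead of being fetched over a log's HTTP interface; the signature on the tree head is left out, since the point here is the tree arithmetic.

```python
"""RFC 6962 Merkle tree: hashing, inclusion proofs, consistency proofs.
Added example for the CT log / auditor sections, not essendi xc code."""
import hashlib

def _h(data):
    return hashlib.sha256(data).digest()

def leaf_hash(entry):
    # 0x00 prefix for leaves, 0x01 for nodes: a leaf can never pose as a node.
    return _h(b"\x00" + entry)

def node_hash(left, right):
    return _h(b"\x01" + left + right)

def _split(n):
    """Largest power of two strictly smaller than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)

def tree_hash(entries):
    """MTH(D[n]), RFC 6962 section 2.1; the empty tree hashes to SHA-256("")."""
    n = len(entries)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_proof(index, entries):
    """PATH(m, D[n]): sibling hashes leaf-to-root (last element = top sibling)."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_hash(entries[:k])]

def verify_inclusion(index, tree_size, leaf, root, path):
    """Monitor-side check: rebuild the root from leaf hash + audit path, compare with the STH."""
    def walk(m, n, path):
        if n == 1:
            if path:
                raise ValueError("path too long")
            return leaf
        if not path:
            raise ValueError("path too short")
        k = _split(n)
        if m < k:
            return node_hash(walk(m, k, path[:-1]), path[-1])
        return node_hash(path[-1], walk(m - k, n - k, path[:-1]))
    if not 0 <= index < tree_size:
        return False
    try:
        return walk(index, tree_size, list(path)) == root
    except ValueError:
        return False

def consistency_proof(old_size, entries, known=True):
    """PROOF(m, D[n]), RFC 6962 section 2.1.2."""
    n = len(entries)
    if old_size == n:
        return [] if known else [tree_hash(entries)]
    k = _split(n)
    if old_size <= k:
        return consistency_proof(old_size, entries[:k], known) + [tree_hash(entries[k:])]
    return consistency_proof(old_size - k, entries[k:], False) + [tree_hash(entries[:k])]

def verify_consistency(old_size, new_size, old_root, new_root, proof):
    """Auditor-side check: the new STH must commit to the old tree plus appended entries."""
    def walk(m, n, proof, known):       # returns (old subtree root, new subtree root)
        if m == n:
            if known:
                if proof:
                    raise ValueError("proof too long")
                return old_root, old_root
            if len(proof) != 1:
                raise ValueError("bad proof length")
            return proof[0], proof[0]
        if not proof:
            raise ValueError("proof too short")
        k = _split(n)
        if m <= k:
            old, new = walk(m, k, proof[:-1], known)
            return old, node_hash(new, proof[-1])
        old, new = walk(m - k, n - k, proof[:-1], False)
        return node_hash(proof[-1], old), node_hash(proof[-1], new)
    if not 0 < old_size <= new_size:
        return False
    try:
        old, new = walk(old_size, new_size, list(proof), True)
    except ValueError:
        return False
    return old == old_root and new == new_root

# Constructed stand-ins for log entries (a real log hashes MerkleTreeLeaf structures).
ENTRIES = [b"cert-%d" % i for i in range(7)]

def demo():
    """Run the checks on the constructed log and return the outcomes."""
    sth_old, sth_new = tree_hash(ENTRIES[:5]), tree_hash(ENTRIES)   # tree heads at size 5 and 7
    inclusion_ok = all(verify_inclusion(i, 7, leaf_hash(ENTRIES[i]), sth_new,
                                        inclusion_proof(i, ENTRIES)) for i in range(7))
    forged = verify_inclusion(3, 7, leaf_hash(b"not-logged"), sth_new, inclusion_proof(3, ENTRIES))
    append_ok = verify_consistency(5, 7, sth_old, sth_new, consistency_proof(5, ENTRIES))
    # A log that rewrote entry 0 after publishing sth_old cannot prove consistency with it.
    rewritten = [b"replaced"] + ENTRIES[1:]
    rewrite_caught = not verify_consistency(5, 7, sth_old, tree_hash(rewritten),
                                            consistency_proof(5, rewritten))
    return {"inclusion_ok": inclusion_ok, "forged_rejected": not forged,
            "append_ok": append_ok, "rewrite_caught": rewrite_caught}
```

The two verifiers mirror the recursive definitions in the RFC rather than the iterative bit-shifting algorithm, which keeps the correspondence between proof generation and verification visible. Both refuse proofs of the wrong length instead of silently ignoring surplus hashes; a verifier that tolerates extra elements gives a misbehaving log room to manoeuvre.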

essendi xc – Certificate Management the Easy Way
To simplify the management of digital certificates and the associated processes within a company, the certificate manager essendi xc was developed. Its central dashboard provides an overview of all certificates within a company. It also contains information relevant to certificate management, such as the expiration date or the installation location of each certificate.

For the initial import of certificates into xc, a network scan is offered that automatically detects certificates present in the network. A core component of the application is the monitoring function, which warns users in good time before certificates expire and thus facilitates risk management. Administrative tasks such as requesting, issuing, or renewing certificates can be largely automated via xc. The process of requesting certificates is simplified through predefined certificate profiles. These profiles define internal company conventions, enabling certificates for different application areas to be requested more quickly while preventing the accidental issuance of incorrect certificates. The data entered in the profile is then sent by xc to the CA.

To make certificate management even more secure and convenient, the existing certificate monitoring functionality of essendi xc has been extended with a CT monitor. The data provided by CT logs is periodically retrieved and checked to determine whether an entry for a forged certificate of an xc user’s domain has been created. If such an entry is found, the xc user receives an alert message.

With the monitoring component, xc will in the future not only provide users with information about the company’s certificate inventory, but also monitor certificate issuance by all CAs to deliver information on certificates that concern the company’s domains or the company itself.

essendi xc with CT Logs Monitor – Simple and Secure
Before the introduction of the Certificate Transparency Standard, it was practically impossible to detect whether a forged certificate had been issued for a user's domain. With the help of CT logs, so-called monitors can now notify domain owners whenever certificates are issued for their domain. To achieve this, all new entries in all CT logs are periodically retrieved and checked. In this way, forged certificates can be detected and reported to the issuing CA for revocation in a timely manner, before they are able to cause significant damage.

Such a CT monitor was developed by essendi it to extend the functionality of the certificate manager essendi xc. The CT monitoring component consists of two standalone applications for retrieving and verifying log entries.

The clear separation between retrieving and verifying entries ensures that the essendi xc certificate manager does not communicate directly with a component connected to the internet. The CT monitoring application, built from these two subcomponents, is connected to the xc certificate manager via an interface. Through this interface, the CT monitor receives the list of domains it is to monitor and can send messages to the mailbox of a designated xc user if an entry for one of these domains is found.

Messages are classified as either informational or warning messages, since the Certstream feed (an aggregated stream of new CT log entries, which the retrieval component consumes) also delivers entries for certificates the user legitimately requested. The distinction is made using CAA records (RFC 8659), which are queried from DNS and define which certification authorities are authorized to issue certificates for a domain. When checking a log entry, the CT monitor compares the issuer with the list of authorized certification authorities. If the issuer is listed in the record, an informational message is sent; otherwise, the user receives a warning message. The classification is therefore only as strict as the domain's own CAA policy: a domain without CAA records authorizes every CA, so the issuer of such an entry cannot be confirmed, and a certificate obtained from an authorized CA through some other weakness is still reported as informational. Publishing restrictive CAA records is what gives the warning its value.
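One way to implement the informational/warning decision, as an added example rather than the essendi xc code: the script below matches the names in a log entry against the watched domains, looks up the relevant CAA record set the way RFC 8659 defines it (climbing from the name towards the root until a set is found, with issuewild taking precedence for wildcard names), and classifies the entry. The log entries and the CAA data are constructed inline so the script runs offline. The issuer_caa_id field assumes the monitor already maps each CA's issuer name to the identifier that CA recognizes in CAA records; that lookup table is not part of the example. The two edge cases the page leaves open are handled explicitly: a domain with no CAA record at all, and an issuewild record of ";" that forbids wildcard certificates altogether.

```python
"""Classify a CT log entry for a watched domain: informational or warning.
Added example, not essendi xc code; all DNS and log data is constructed inline."""

# Constructed CAA zone data: owner name -> [(flags, tag, value), ...].
CAA_RECORDS = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; accounturi=https://acme.example/acct/1"),
        (0, "issuewild", ";"),              # ";" alone: nobody may issue wildcards
    ],
    "legacy.example.com": [(0, "issue", "sectigo.com")],
    # example.org deliberately publishes no CAA record at all
}

# Constructed log entries. issuer_caa_id is the identifier the issuing CA
# recognizes in CAA records; assumption: the monitor maps issuer DN -> id.
LOG_ENTRIES = [
    {"names": ["example.com", "www.example.com"], "issuer_caa_id": "letsencrypt.org"},
    {"names": ["*.example.com"], "issuer_caa_id": "letsencrypt.org"},
    {"names": ["api.legacy.example.com"], "issuer_caa_id": "letsencrypt.org"},
    {"names": ["mail.example.org"], "issuer_caa_id": "digicert.com"},
    {"names": ["example.net"], "issuer_caa_id": "digicert.com"},
]

WATCHED = ["example.com", "example.org"]


def _norm(name):
    return name.strip().rstrip(".").lower()


def concerns(san, watched):
    """True if a certificate name lies in the watched domain's subtree.
    Label-wise, so 'notexample.com' does not concern 'example.com'."""
    san, watched = _norm(san), _norm(watched)
    if san.startswith("*."):
        san = san[2:]
    return san == watched or san.endswith("." + watched)


def relevant_caa(name):
    """RFC 8659 section 3: climb from the name to the root; the first CAA
    RRset found governs. None means no ancestor publishes CAA."""
    labels = _norm(name).split(".")
    for i in range(len(labels)):
        rrset = CAA_RECORDS.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def allowed_issuers(name):
    """Set of CAA identifiers allowed to issue for name; None if unrestricted."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if rrset is None:
        return None
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                   # issuewild overrides issue for wildcards
    allowed = set()
    for _flags, t, value in rrset:
        if t == tag:
            ca = value.split(";", 1)[0].strip().lower()   # drop parameters
            if ca:
                allowed.add(ca)
    return allowed


def classify(entry, watched=WATCHED):
    """Return (level, reasons): level None if the entry concerns no watched
    domain, 'info' if every name's CAA policy allows the issuer, else 'warning'."""
    hits = [n for n in entry["names"] if any(concerns(n, w) for w in watched)]
    if not hits:
        return None, []
    issuer = entry["issuer_caa_id"].lower()
    reasons = []
    for name in hits:
        allowed = allowed_issuers(name)
        if allowed is None:
            reasons.append(f"{name}: no CAA record, issuer {issuer} cannot be confirmed")
        elif issuer not in allowed:
            reasons.append(f"{name}: issuer {issuer} not in CAA set {sorted(allowed)}")
    return ("warning" if reasons else "info"), reasons


def run(entries=LOG_ENTRIES):
    """Levels for the constructed entries, in order."""
    return [classify(e)[0] for e in entries]
```

On the constructed data the first entry is informational, the wildcard certificate and the certificate under legacy.example.com are warnings because the applicable CAA set excludes the issuer, the example.org entry is a warning because nothing in DNS authorizes any issuer, and the example.net entry is ignored. The no-CAA case is deliberately reported as a warning rather than silently passed: the monitor has nothing to confirm the issuer against, and the remedy is on the domain owner's side.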

Conclusion
With the integration of the CT monitoring component, it is now possible to automatically detect certificates for a user's domain that were not requested through xc. Entries for forged certificates are detected promptly, so that revocation can be requested from the issuing CA before they cause damage. With these functions, the CT monitor provides added value for a company's IT security and risk management: the faster forged certificates are detected, the faster countermeasures can be initiated. The CT monitor not only sends alert messages in the case of forged certificates, but also provides information when certificates requested by the user have been entered into the CT logs. In this way, the component increases awareness of the Certificate Transparency Standard and the transparency of the certificate request process.


essendi it is a software company with offices in Schwäbisch Hall and Munich. We develop modern IT solutions at the current technological and security level. Our specialization lies in IT security and certificate management.

Our company looks back on two decades of experience in the IT industry and has successfully established itself in the market since its founding in 2000.

We believe that with our customized software solutions and IT services, we can simplify and connect your business processes.

Our company philosophy includes looking beyond the developer’s perspective and putting ourselves into the everyday practical reality of our customers. To achieve this, we work closely with each other and with you, communicating honestly and openly.
