Skip to content

SSLMate Blog

Introducing Cert Spotter: Easy Certificate Transparency Monitoring from SSLMate

Portrait of Blog Author

Andrew Ayer
SSLMate Founder

SSLMate is excited to announce the launch of Cert Spotter, an easy-to-use Certificate Transparency log monitor that helps you detect certificates for your domains. Cert Spotter helps you track down undocumented certificates so you can avoid outages from unexpected expirations, and improves your security by alerting you to unauthorized certificates.

Click here to sign up and start monitoring up to 5 domains for free, or get the open source version and set it up on your own server.

The Cert Spotter Story

The Web's public key infrastructure has a trust problem. Its security is based on the assumption that certificate authorities are trustworthy and competent and will only issue a certificate for a domain with the proper authorization of the domain owner. Unfortunately, there are a lot of certificate authorities trusted by your browser, and there's a history of certificate authorities making mistakes. Even if you choose a good certificate authority for your website, it doesn't stop an attacker from exploiting a bad certificate authority and obtaining fraudulent certificates to attack your website.

Certificate Transparency provides a compelling solution. With Certificate Transparency, certificates are submitted to public, append-only logs which domain owners can monitor. If a domain owner sees an unauthorized certificate for one of their domains, they can tell the offending certificate authority to revoke the certificate, and notify the Internet community so that corrective action can be taken against the certificate authority. Although Certificate Transparency doesn't directly stop unauthorized certificates, it reduces their likelihood. Since unauthorized certificates can be detected, certificate authority vulnerabilities can be fixed before being exploited again. Certificate Transparency encourages certificate authorities to improve their security, and discourages attackers who would prefer to keep their attacks secret.

Certificate Transparency only works if domain owners are monitoring logs. Cert Spotter makes this easy. Sign up for an SSLMate account, add the domains you want to monitor, and SSLMate will send you an email when a certificate is detected for one of your domains. You can review all of your discovered certificates from a simple dashboard. To avoid distracting you with false alarms, we don't bother you about certificates which we know you acquired through SSLMate.

Cert Spotter is free for up to 5 domains (get in touch if you'd like to monitor more), and we're planning to introduce premium features such as integration with monitoring systems in the near future. Click here to sign up and start monitoring.

We think the security of the Web PKI will only improve if every domain owner is monitoring Certificate Transparency logs. That's why we're open sourcing the core of our log monitor. Unlike existing open source log monitors, Cert Spotter does not require setting up a database. You just list the domains you want to monitor in a file and set up a cron job. Check it out on GitHub to learn more.

Certificate Transparency is in its infancy, but is already showing great promise. There are over 13 million unique unexpired certificates in Certificate Transparency logs. Chrome requires Certificate Transparency for Extended Validation certificates and all certificates issued by Symantec. Let's Encrypt, StartCom, and WoSign voluntarily log all certificates that they issue. The Google crawler logs every certificate it encounters, so any certificate on a public website is likely to be logged.

We expect more certificate authorities to begin voluntarily logging certificates in the coming years, and others to be opted-in to mandatory certificate transparency in response to security failures. Ultimately, all certificates will be logged in Certificate Transparency and web browsers will only accept a certificate if it's accompanied by a verifiable promise that it's logged.

If you have a website, now is the time to get started with Certificate Transparency. Sign up now to start monitoring up to 5 domains for free. If you're already an SSLMate customer, visit your Cert Spotter page to set up your watchlist. If you want to learn more, read about how Cert Spotter helps you, and about how Cert Spotter works.

See other blog posts or subscribe with RSS