Avoid Alert Fatigue With Cert Spotter

A Certificate Transparency monitor must intelligently decide whether to alert you about a new certificate. Failing to alert about an unauthorized certificate (a false negative) is obviously a serious security failure. Alerting about authorized certificates (a false positive) is also a failure, since it contributes to alert fatigue which could make an alert for a truly unauthorized certificate go unnoticed.

Cert Spotter uses several techniques to decide whether or not to alert you about a certificate.

Authorized Certificate Authorities

You can select which certificate authorities are authorized to issue your certificates, and Cert Spotter won't alert you about certificates which they issue. Under the hood, this is more complicated than it sounds. Although certificates contain the organization name of their issuer, it is often inaccurate due to changes in certificate authority ownership and other business arrangements. Furthermore, there's nothing stopping a rogue certificate authority from putting the name of another company in this field. If Cert Spotter trusted this field, it might miss malicious certificates.

Instead, Cert Spotter looks up the issuing certificate in the Common CA Database (CCADB) to determine the true issuer of the certificate.

CAA Records

Cert Spotter can optionally consult CAA records to determine which certificate authorities are authorized to issue your certificates. The advantage of consulting CAA records is that you don't have to maintain a separate list of authorized CAs in your Cert Spotter settings. The disadvantage is that since DNS is insecure, attackers can spoof CAA records. DNSSEC helps, but is hard to deploy and offers no protection against malicious registries.

To mitigate the insecurity of DNS, Cert Spotter notifies you about all changes to CAA records so you will be alerted to CAA spoofing. Cert Spotter never relies on a CAA record to decide if a certificate is authorized unless it has previously notified you of the record.

Authorized Public Keys

You can upload your CSRs to Cert Spotter using a REST API, and Cert Spotter won't alert you about certificates which use the same public key as the CSR. You can integrate Cert Spotter's API with your automated issuance pipeline to ensure you never receive alerts about your legitimate certificates. By authorizing specific keys rather than entire certificate authorities, you can achieve a very high level of security with a low rate of false alarms as long as all certificates are issued through your issuance pipeline.

Duplicate Suppression

A certificate can appear in Certificate Transparency logs in both its native format and "precertificate" format. To avoid alerting you more than once about the same underlying certificate, Cert Spotter deduplicates certificates and precertificates. To do so, Cert Spotter reconstructs the "TBSCertificate portion of the precertificate" and hashes it with SHA-256, which yields the same value for a certificate and its corresponding precertificate. Since this hash is derived from the contents of a certificate or precertificate, distinct (pre)certificates always have distinct hashes.

Crucially, Cert Spotter does not rely on the certificate serial number to suppress duplicates. Although serial numbers are supposed to be unique for a given issuer, there is no technical measure to stop a certificate authority from issuing two distinct certificates with the same serial number. Since Cert Spotter must remain secure in the face of certificate authority misbehavior, it never relies on CA-provided identifiers like the serial number to make security decisions.