After security scare, Facebook backs Google’s rogue certificate tracker

Facebook has vouched for a Google-made security system after it helped discover two potentially rogue certificates that were recently used for several subdomains.

The two digital certificates were from Let's Encrypt, an issuer of free SSL certificates that aims to help all site owners encrypt connections to their sites. Facebook, Cisco and Mozilla have backed the Let's Encrypt certificate authority (CA) to encourage all websites to move to the secure protocol, HTTPS.

But Facebook’s security team was alarmed by the discovery of two Let's Encrypt certificates covering multiple subdomains, since Let's Encrypt is not its main CA and the certificates had not been authorised by Facebook’s security team. The certificates also listed domains that Facebook didn’t own or control.

Rogue certificates for Facebook’s subdomains could be used in a man-in-the-middle attack on Facebook users, such as what happened after Dutch CA DigiNotar was hacked in 2011 and bogus certificates allowed attackers to intercept communications of Gmail and Facebook users in Iran.

Following that incident Google introduced Certificate Transparency (CT), under which CAs publish every certificate they issue to public, append-only logs, creating a public record that lets domain owners and browsers detect certificates that have been mis-issued.

Google recently demanded that Symantec support Certificate Transparency after having caught the security firm creating multiple certificates for Google domains.

Facebook said that it launched its own experimental Certificate Transparency monitoring service in 2015 to check all public CT logs for new certificates issued for its domains, including any subdomain of or The service alerted it to the Let's Encrypt certificates earlier this year.

Fortunately, the Let's Encrypt certificates were not issued to a malicious attacker, but rather to a hosting provider that manages domains for several of the microsites Facebook uses for marketing. Still, while Let's Encrypt didn’t do anything wrong, the incident was a violation of Facebook’s internal security policy.

“The vendor had authorization from another Facebook team to use Let's Encrypt, but that detail was not communicated to our security team. The investigation was completed in a matter of hours and the certificates were revoked. We found no indications that these certificates were ever controlled by unauthorized parties, and we were able to respond before they had been deployed on the production hosts,” said David Huang and Brad Hill, two security engineers on Facebook’s Product Security team.

Facebook is now advocating for others to adopt Certificate Transparency monitoring, since it allowed the company to detect the new certificates within an hour of issuance and to keep track of sites even when their management has been outsourced. The company is considering releasing its CT monitoring service to the public in the coming months.
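The monitoring described above boils down to two checks run over every certificate that appears in the public CT logs: does the certificate name one of our domains (or a subdomain, or a wildcard covering one), and if so, was it issued by a CA we approved, and does it share its name list with domains we do not control? The following is an added example written for this article, not Facebook's service or Let's Encrypt's code. It assumes the CT log entries have already been fetched and decoded into plain records carrying the issuer name and the certificate's subject alternative names (SANs); the records, domains and issuer names below are constructed sample data using placeholder names.

```python
"""Minimal Certificate Transparency (CT) monitor: flag certificates for our
domains that come from an unapproved issuer or that also cover foreign names.
Added example; assumes CT entries were already decoded into CertRecord objects."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass
class CertRecord:
    log: str          # which CT log the entry was read from (assumed, constructed)
    index: int        # entry index within that log
    issuer: str       # issuer common name decoded from the certificate
    sans: list[str]   # DNS names from the certificate's SAN extension


@dataclass
class Alert:
    log: str
    index: int
    reason: str
    issuer: str
    names: list[str]


UNEXPECTED_ISSUER = "unexpected issuer"
FOREIGN_NAMES = "names outside our domains"


def _normalize(name: str) -> str:
    # Lowercase and strip a trailing dot so "WWW.Example.COM." equals "www.example.com".
    return name.strip().lower().rstrip(".")


def matches_owned(name: str, owned_domains: Iterable[str]) -> bool:
    """True if `name` is an owned domain, a subdomain of one, or a wildcard covering one.

    The comparison requires a dot boundary, so "notexample.com" does not match
    "example.com" and "example.com.attacker.test" is not treated as ours either.
    """
    n = _normalize(name)
    if n.startswith("*."):
        n = n[2:]  # "*.example.com" covers example.com's subdomains; judge by the base
    for owned in owned_domains:
        o = _normalize(owned)
        if n == o or n.endswith("." + o):
            return True
    return False


def review(records: Iterable[CertRecord], owned_domains: Iterable[str],
           approved_issuers: Iterable[str]) -> list[Alert]:
    """Return one Alert per policy violation found among the CT records."""
    owned_domains = list(owned_domains)
    approved = {_normalize(i) for i in approved_issuers}
    alerts: list[Alert] = []
    for rec in records:
        ours = [s for s in rec.sans if matches_owned(s, owned_domains)]
        if not ours:
            continue  # certificate does not touch our namespace; nothing to do
        foreign = [s for s in rec.sans if not matches_owned(s, owned_domains)]
        if _normalize(rec.issuer) not in approved:
            # A CA our security team never authorised issued for our names.
            alerts.append(Alert(rec.log, rec.index, UNEXPECTED_ISSUER, rec.issuer, ours))
        if foreign:
            # Our names share a certificate with domains we do not own or control.
            alerts.append(Alert(rec.log, rec.index, FOREIGN_NAMES, rec.issuer, foreign))
    return alerts


# Constructed sample data (placeholder domains and issuer names, not real entries).
OWNED_DOMAINS = ["example.com"]
APPROVED_ISSUERS = ["Example Corp Internal CA"]
SAMPLE_RECORDS = [
    CertRecord("ct-log-a", 1001, "Example Corp Internal CA", ["www.example.com"]),
    CertRecord("ct-log-a", 1002, "Some Free CA",
               ["promo.example.com", "campaign.hosting-vendor.test"]),
    CertRecord("ct-log-a", 1003, "Some Free CA", ["unrelated.test"]),
    CertRecord("ct-log-b", 1004, "Example Corp Internal CA", ["*.example.com", "example.com"]),
    CertRecord("ct-log-b", 1005, "Other CA", ["*.example.com"]),
    CertRecord("ct-log-b", 1006, "Other CA", ["notexample.com"]),
]


if __name__ == "__main__":
    for a in review(SAMPLE_RECORDS, OWNED_DOMAINS, APPROVED_ISSUERS):
        print(f"{a.log}#{a.index}: {a.reason} (issuer={a.issuer!r}) {a.names}")
```

Run against the sample data this reports entry 1002 twice (unapproved issuer, and a name outside our domains on the same certificate) and entry 1005 once (a wildcard for our domain from an unapproved CA); entries 1003 and 1006 are ignored because they never touch our namespace. In a real deployment the record list would be fed from a CT log poller keyed on (log, index) so each entry is reviewed once, and the alerts would go to the team that owns the approved-issuer list, which is exactly the communication gap the article describes.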

Facebook will also start pushing for CAs to log all certificates they issue. Currently Google’s root certificate policy for Chromium only requires Extended Validation (EV) certificates to be logged; Let’s Encrypt, however, logs all of its certificates.

Stories by Liam Tung