Facebook has vouched for a Google-made security system after it helped discover two potentially rogue certificates that were recently used for several fb.com subdomains.
The two digital certificates were from Let's Encrypt, an issuer of free SSL certificates that aims to help all site owners encrypt connections to their sites. Facebook, Cisco and Mozilla have backed the Let's Encrypt certificate authority (CA) to encourage all websites to move to the secure protocol, HTTPS.
But Facebook's security team was alarmed by the discovery of two Let's Encrypt certificates for multiple fb.com subdomains, since Let's Encrypt is not its main CA and the certificates were not authorised by Facebook's security team. The certificates also covered domains that Facebook didn't own or control.
Rogue certificates for Facebook’s subdomains could be used in a man-in-the-middle attack on Facebook users, such as what happened after Dutch CA DigiNotar was hacked in 2011 and bogus certificates allowed attackers to intercept communications of Gmail and Facebook users in Iran.
Following that incident Google introduced Certificate Transparency (CT), which lets CAs publish an append-only log of every certificate they issue, creating a public record in which mis-issued certificates can be spotted.
Google recently demanded Symantec support Certificate Transparency after having caught the security firm creating multiple certificates for Google domains.
Facebook said that it launched its own experimental Certificate Transparency monitoring service in 2015 to check all public CT logs for new certificates issued for its domains, including any subdomain of facebook.com. The service alerted it to the Let's Encrypt certificates earlier this year.
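How such a monitor decides which newly logged certificates merit an alert, as an added example that is not Facebook's service or code: the certificate records, the approved-issuer name and the domain lists are constructed sample data standing in for parsed CT log entries.

```python
"""Policy checks a Certificate Transparency monitor applies to new log entries.
Added example; records below are constructed, not real CT log data."""
from dataclasses import dataclass

# Constructed configuration: domains we own and the CA(s) our policy permits.
MONITORED_DOMAINS = {"fb.com", "facebook.com"}
APPROVED_ISSUERS = {"In-House Approved CA"}  # placeholder issuer name


@dataclass
class CertRecord:
    """Minimal view of a CT log entry after its leaf certificate is parsed."""
    log_index: int
    issuer: str
    sans: list[str]  # subjectAltName DNS entries


def matches_monitored(name: str, monitored: set[str] = MONITORED_DOMAINS) -> bool:
    """True if a SAN (wildcards included) is one of our domains or a subdomain."""
    name = name.lower().removeprefix("*.")
    return any(name == d or name.endswith("." + d) for d in monitored)


def check_certificate(rec: CertRecord) -> list[str]:
    """Return policy findings for one record; an empty list means no alert."""
    ours = [s for s in rec.sans if matches_monitored(s)]
    if not ours:
        return []  # names we do not own are out of scope for this monitor
    findings = []
    if rec.issuer not in APPROVED_ISSUERS:
        findings.append(f"unapproved issuer {rec.issuer!r} for {ours}")
    foreign = [s for s in rec.sans if not matches_monitored(s)]
    if foreign:
        findings.append(f"SANs shared with domains we do not control: {foreign}")
    return findings


def scan(records: list[CertRecord]) -> dict[int, list[str]]:
    """Run the checks over a batch of log entries, keyed by log index."""
    return {r.log_index: f for r in records if (f := check_certificate(r))}


# Constructed sample entries modelled on the incident described in the article.
SAMPLE_ENTRIES = [
    CertRecord(1001, "In-House Approved CA", ["www.facebook.com", "facebook.com"]),
    CertRecord(1002, "Let's Encrypt", ["promo.fb.com", "cdn.hosting-vendor.example"]),
    CertRecord(1003, "Let's Encrypt", ["unrelated.example"]),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_ENTRIES).items():
        print(idx, findings)
```

Only entry 1002 produces findings: it is issued by a CA outside the approved set and bundles an fb.com name with a domain the organisation does not control, which is exactly the combination the article describes.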
Fortunately, the Let's Encrypt certificates were not issued to a malicious attacker, but rather to a hosting provider that manages domains for several of the microsites Facebook uses for marketing. Still, while Let's Encrypt didn't do anything wrong, the incident was a violation of Facebook's internal security policy.
“The vendor had authorization from another Facebook team to use Let's Encrypt, but that detail was not communicated to our security team. The investigation was completed in a matter of hours and the certificates were revoked. We found no indications that these certificates were ever controlled by unauthorized parties, and we were able to respond before they had been deployed on the production hosts,” said David Huang and Brad Hill, two security engineers on Facebook's Product Security team.
Facebook is now advocating for others to adopt Certificate Transparency monitoring, since it allowed the company to detect the new certificates within an hour of issuance and to keep track of its sites even when their management has been outsourced. The company is considering releasing its CT monitoring service to the public in coming months.
Facebook will also start pushing for CAs to log all certificates they issue. Currently Google's root certificate policy for Chromium only requires Extended Validation (EV) certificates to be logged; Let's Encrypt, however, already logs all of its certificates.