
What Is Certificate Transparency and Why It Matters

By LookMyIP Editorial

Learn how Certificate Transparency (CT) works, why it was created, how CT logs expose misissued TLS certificates, and how to monitor the certificates issued for your domain.

What Is Certificate Transparency?

Certificate Transparency (CT) is a framework for detecting misissued or maliciously issued TLS certificates (still commonly called SSL certificates). It requires every publicly trusted certificate to be recorded in open, append-only, publicly auditable logs, so anyone can see what has been issued for any domain.

Before CT, a Certificate Authority could issue a certificate for any domain, and there was no practical way for the domain owner to find out. A compromised or rogue CA could issue fraudulent certificates for google.com or your-bank.com that browsers would accept without complaint, enabling man-in-the-middle attacks that were very hard to detect. The 2011 DigiNotar compromise, in which a fraudulent *.google.com certificate was used to intercept traffic, is the case that drove the design.

CT addresses this by requiring CAs to submit every certificate they issue to public logs. Domain owners, security researchers and monitoring services watch those logs. Browsers that enforce CT, such as Chrome and Safari, reject a publicly trusted certificate that does not carry proof of logging. Note what CT does and does not do: it does not stop a CA from misissuing, but it makes misissuance visible, which is what lets it be caught and revoked.

How CT Logs Work

The CT system has three components:

CT Logs: Append-only, publicly accessible logs operated by organizations such as Google, Cloudflare, and DigiCert. Each log is a Merkle hash tree, and it periodically publishes a Signed Tree Head over its current contents. When a CA submits a certificate (in practice usually a precertificate, submitted before the final certificate is signed), the log returns a Signed Certificate Timestamp (SCT): a signed promise that the certificate will be incorporated into the log within the log's Maximum Merge Delay, typically 24 hours. The CA normally embeds the SCTs in the final certificate as an X.509 extension, so a browser sees them without any extra round trip; they can also be delivered in a TLS extension or in a stapled OCSP response.

Monitors: Services that watch CT logs for suspicious certificates. Domain owners can set up monitors to alert them whenever a new certificate is issued for their domain. This helps detect unauthorized certificate issuance quickly.

Auditors: Verify that CT logs are behaving correctly: that each new Signed Tree Head is a consistent extension of the previous one (so nothing has been removed or rewritten), that a given certificate is actually included in the tree, and that the SCTs a log handed out were honoured.

Since 30 April 2018, Google Chrome has required every publicly trusted certificate issued after that date to carry SCTs that satisfy its CT policy: at least two SCTs from logs run by different operators, with more required for longer-lived certificates. Apple applied an equivalent policy to Safari in October 2018. A certificate without qualifying SCTs produces a hard error in those browsers, which makes CT effectively mandatory for all publicly trusted certificates.
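To make "append-only and publicly auditable" concrete, here is an added example (it is not code from this page or from any CT log implementation) that implements the RFC 6962 Merkle tree hashing a CT log uses, generates the inclusion proof a log returns for one entry, and verifies that proof against the tree head the way a monitor or auditor does. The five log entries are constructed stand-ins for DER-encoded (pre)certificates, and the function names are this example's own.

```python
"""RFC 6962 Merkle tree hashing and inclusion proofs, as used by CT logs."""
import hashlib
from typing import List, Sequence


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # Leaves are domain-separated with a 0x00 prefix (RFC 6962 section 2.1).
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use a 0x01 prefix so a leaf can never masquerade as a node.
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries: Sequence[bytes]) -> bytes:
    """Merkle Tree Hash of the ordered entries; this is what a tree head signs."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_proof(index: int, entries: Sequence[bytes]) -> List[bytes]:
    """Audit path for the leaf at `index`, leaf-to-root (RFC 6962 section 2.1.1)."""
    n = len(entries)
    if not 0 <= index < n:
        raise IndexError("leaf index outside the tree")
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: Sequence[bytes], root: bytes) -> bool:
    """Check an audit path against a tree head (RFC 9162 section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                # Skip the levels where our subtree is the only thing on the right.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample log: each entry stands in for a DER-encoded (pre)certificate.
SAMPLE_LOG = [f"cert-{i}:example.com".encode() for i in range(5)]


def demo() -> bool:
    """Every entry proves inclusion, and a swapped entry no longer does."""
    root = tree_hash(SAMPLE_LOG)
    all_ok = all(
        verify_inclusion(e, i, len(SAMPLE_LOG), inclusion_proof(i, SAMPLE_LOG), root)
        for i, e in enumerate(SAMPLE_LOG)
    )
    # Quietly replacing entry 2 changes its leaf hash, so the old proof no longer
    # reaches the published root: the rewrite is detectable by anyone holding the root.
    forged = b"cert-2:attacker.example"
    forged_ok = verify_inclusion(forged, 2, len(SAMPLE_LOG), inclusion_proof(2, SAMPLE_LOG), root)
    return all_ok and not forged_ok


if __name__ == "__main__":
    print("inclusion proofs verify and tampering is detected:", demo())
```

The two prefixes (0x00 for leaves, 0x01 for interior nodes) are what prevent a crafted "certificate" whose bytes happen to look like two child hashes from being passed off as an interior node. A real auditor additionally fetches consistency proofs between successive Signed Tree Heads; that check, which shows the newer tree is a strict extension of the older one, is the part that catches a log quietly deleting or rewriting past entries.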

Why CT Matters for Domain Owners

Detect unauthorized certificates: If someone obtains a certificate for your domain (through CA compromise, social engineering of the CA, or a flaw in domain validation), the CT logs will contain the evidence. A monitor that polls the logs can usually alert you within hours of issuance, bounded by each log's Maximum Merge Delay and the monitor's polling interval.

Detect phishing infrastructure: Phishers often obtain perfectly valid certificates for lookalike domains (e.g., "go0gle.com"), since a CA validates control of the name, not its resemblance to your brand. CT monitoring can surface these before a campaign starts, provided you monitor the variants: CT search matches the names in the certificate, so a query for your own domain will not return go0gle.com.

Audit your CA: You can verify that your Certificate Authority is only issuing certificates you've requested. Any unexpected certificates for your domain should be investigated immediately.

Incident response: If a certificate turns out to have been issued improperly, the log entry is tamper-evident evidence of what was issued, when, and by which CA, which is what you need to get it revoked and to work out how it happened.

You can verify SSL certificates for any domain using LookMyIP's SSL Checker at lookmyip.com/ssl, which shows certificate details including the issuer, validity, and chain of trust.

How to Monitor Your Domain

Several free tools let you monitor CT logs for certificates issued for your domain:

  • crt.sh: A free CT log search engine run by Sectigo. Search for your domain to see every logged certificate for it; precertificates and final certificates are logged separately, so one issuance often appears as two entries.
  • Facebook's Certificate Transparency Monitoring tool: Sends email alerts when new certificates are issued for domains you specify.
  • Cert Spotter (SSLMate): Monitors CT logs and sends notifications for new certificates.
  • Google Transparency Report: Includes a CT certificate search tool.

What to look for:

  • Certificates you didn't request
  • Certificates from CAs you don't use
  • Certificates for subdomains you don't recognize
  • Certificates for lookalike domains (typosquatting)
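The four checks above are mechanical enough to script. The following is an added example, not from this page or from any of the tools listed, that triages a batch of CT entries against a monitoring policy for the hypothetical domain example.com: it flags certificates from CAs you do not use, names under your domain you have not inventoried, and out-of-scope names that resemble your domain (homoglyphs, single-edit typos, your domain embedded in a longer host, or your name under another TLD). The records are constructed inline in the shape crt.sh's JSON output uses (issuer_name and a newline-separated name_value); the policy sets, the issuer strings and all helper functions are this example's own assumptions. It assumes the batch comes from a monitor that queries both your own domain and candidate lookalike names, since a query for %.example.com alone would never return examp1e.com.

```python
"""Triage of Certificate Transparency entries for a monitored domain."""
from typing import Dict, List, Set

# Monitoring policy for the hypothetical domain example.com (assumed values).
MONITORED_DOMAIN = "example.com"
KNOWN_NAMES: Set[str] = {"example.com", "www.example.com", "*.example.com"}
ALLOWED_ISSUER_ORGS: Set[str] = {"Let's Encrypt"}

# Constructed sample entries in the shape of crt.sh's JSON output
# (?q=%.example.com&output=json); name_value holds newline-separated SANs.
SAMPLE_ENTRIES: List[Dict[str, object]] = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "*.example.com"},
    {"id": 3, "issuer_name": "C=US, O=Other CA Inc, CN=Other CA TLS Intermediate",
     "name_value": "vpn-backup.example.com"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "examp1e.com\nlogin.examp1e.com"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com.evil.test"},
]

# Digits that attackers swap in for letters; extend per brand.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def issuer_org(issuer_name: str) -> str:
    """Extract the O= attribute from a comma-separated issuer DN string."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return ""


def in_scope(name: str, domain: str) -> bool:
    """The domain itself or any subdomain; notexample.com is deliberately not in scope."""
    return name == domain or name.endswith("." + domain)


def _edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters each cost 1, so "exmaple" is one edit from "example"."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_reason(name: str, domain: str) -> str:
    """Why an out-of-scope name resembles the monitored domain, or "" if it does not.
    The second-to-last label is taken as the registrable name; a real monitor
    should consult the Public Suffix List instead (this breaks for co.uk and friends)."""
    if (domain + ".") in name:
        return "monitored domain embedded in another host"
    target = domain.split(".")[0]
    labels = name.split(".")
    candidate = labels[-2] if len(labels) >= 2 else labels[0]
    if candidate == target:
        return "monitored name under a different TLD"
    normalized = candidate.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    if normalized == target:
        return "homoglyph substitution"
    if _edit_distance(candidate, target) <= 1:
        return "single-edit typo"
    if target in candidate:
        return "brand embedded in a longer label"  # noisy; tune per brand
    return ""


def triage(entries, domain=MONITORED_DOMAIN, known=KNOWN_NAMES,
           allowed_orgs=ALLOWED_ISSUER_ORGS) -> List[Dict[str, object]]:
    """One finding per issuer or name problem; an empty list means all clear."""
    findings: List[Dict[str, object]] = []
    for entry in entries:
        names = str(entry["name_value"]).lower().split("\n")
        org = issuer_org(str(entry["issuer_name"]))
        own = [n for n in names if in_scope(n, domain)]
        if own and org not in allowed_orgs:
            findings.append({"id": entry["id"], "name": ", ".join(own),
                             "reason": f"issued by unexpected CA: {org}"})
        for n in own:
            if n not in known:
                findings.append({"id": entry["id"], "name": n,
                                 "reason": "certificate for unrecognised subdomain"})
        for n in names:
            if n in own:
                continue
            why = lookalike_reason(n, domain)
            if why:
                findings.append({"id": entry["id"], "name": n, "reason": "lookalike: " + why})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"crt.sh id {f['id']}: {f['name']} -> {f['reason']}")
```

Run against the sample batch, entries 1 and 2 are clean, entry 3 produces two findings (a CA you do not use, and a subdomain that is not in your inventory), entry 4 is flagged twice for the digit-for-letter swap, and entry 5 is flagged for carrying your domain as a prefix of a host you do not own. The "brand embedded in a longer label" rule will page you for every partner or reseller whose name contains yours, so keep a per-brand suppression list rather than dropping the rule.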

If you find an unauthorized certificate, report it to the issuing CA immediately. Under the CA/Browser Forum Baseline Requirements a CA must revoke within 24 hours once the domain owner reports that the request was not authorized, but revocation only protects clients that actually check it, so treat the certificate as live until it expires. Then investigate how the attacker obtained it: compromised domain validation (a hijacked validation mailbox, a dangling DNS record or an abandoned subdomain), DNS or registrar account takeover, or CA compromise. Going forward, publish CAA records in DNS to restrict which CAs may issue for your domain; CAs have been required to check CAA before issuance since 2017, so it closes off accidental issuance by the wrong CA and turns a deliberate one into a policy violation with evidence.

Try It Yourself

Use LookMyIP's free tools to look up IP addresses, check DNS records, verify SSL certificates, and more.