Digital Developer Conference on Data and AI: Essential data science, machine learning, and AI skills and certification Register for free

IBM Developer Blog

Follow the latest happenings with IBM Developer and stay in the know.

Protect domains and domain owners from mis-issued certificates by Certificate Authorities (CAs).


If you have been following the area of security on the web closely, you’ve probably heard the term certificate transparency, but if you haven’t heard of certificate transparency, fret not. This blog post has you covered.

In this post, I’ll introduce you to the concept of certificate transparency and then delve into the actions you must take as an app developer in your web or mobile app to implement certificate transparency.

What is certificate transparency?

Certificate transparency is a technology that developers use to protect domains and domain owners from mis-issued certificates by Certificate Authorities (CAs). Certificate transparency also protects domains where CAs have been compromised or hacked.

At the heart of the implementation of certificate transparency is a cool data structure called the Merkle Tree, which is simply a binary tree where each node is labelled with the cryptographic hash of its child nodes. To implement certificate transparency, every certificate issued by a Certificate Authority (CA) is logged to a certificate transparency log that holds the hash of the public key as a node in the Merkle tree. Since the hash of the entire tree depends on the hash of every other node in the tree, any independent party can verify the integrity of the Merkle tree. When a certificate is mis-issued to a wrong entity or an entire CA is hacked, domain owners who monitor the certificate transparency logs are alerted immediately so that necessary action can be taken.

On the client side, most browsers now enforce mandatory entries in the certificate transparency logs failing which the connection to the domain is not established.

While this is a very brief explanation of what certificate transparency is and how certificate transparency works, you can read more on the Certificate Transparency website.

As an app developer, what should I do?

I will split this question into two parts each addressing a different developer persona:

  • Web app developers
  • Mobile app developers

Web app developers

Fortunately, as a web app developer, you do not need any extra implementation in your app. Most modern browsers enforce certificate transparency. For example, you can read about Chrome’s enforcement policy here.

Make sure the CA that issues your certificate to a certificate transparency log. There are different ways of verifying whether your domain’s certificate is set up for certificate transparency. You can use tools like OpenSSL or Wireshark. However, the simplest way is to use your Chrome browser:

  1. Open a new tab in Chrome.
  2. Open Developer Tools or right-click and select Inspect.
  3. Navigate to the Security Tab.
  4. Navigate to your domain in Chrome.
  5. Click on the name of your domain in the left panel.

The Certificate Transparency section will show you the details of your certificate.

Viewing Signed Certificate Timestamp in Chrome

Mobile app developers

For mobile app developers, you need to

  1. Ensure that you do client-side certificate transparency checks
  2. Ensure that your server certificates are part of the certificate transparency logs.

The following code examples demonstrate how to work with IBM Mobile Foundation services, but the same principle can be applied elsewhere.

Client-side certificate transparency

For iOS apps, turning on client-side certificate transparency check is rather simple – you do nothing! Certificate transparency is enforced by default on devices running iOS 12.1.1 and higher. For devices running earlier versions of the iOS, you will need to set the NSRequiresCertificateTransparency option to YES in your Info.plist file. For more information on where to plugin this option in your Info.plist, head over to the Apple documentation. Below is a screenshot for reference:

Enabling Certificate Transparency checks in XCode

For Android apps, Android does not do built-in checks for certificate transparency and if client-side certificate transparency checks are needed, you will have to perform them yourself. Fortunately, there is a 3rd-party library you can use.

In this post, we will use the certificate-transparency-android library to achieve client-side checks of certificate transparency.

  1. Add the dependencies. Add the following line to the dependencies section of your app’s build.gradle file:

     implementation 'com.babylon.certificatetransparency:certificatetransparency-android:0.2.0'
    
  2. Add the Certificate Transparency Interceptor.

     import com.babylon.certificatetransparency.CTInterceptorBuilder;
     import com.babylon.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor;
     ...
     // Replace with the domain name of your Mobile Foundation server
     CTInterceptorBuilder ctBuilder = new CTInterceptorBuilder().includeHost("mymobilefoundation.mydomain.com");
     // Create a CT Interceptor
     CertificateTransparencyInterceptor ctInterceptor = (CertificateTransparencyInterceptor)ctBuilder.build();
     // Attach the interceptor to your OkHttpClient object
     OkHttpClient client = new OkHttpClient.Builder().addNetworkInterceptor(ctInterceptor).build();
     // Test against the Mobile Foundation server URL
     Request req = new Request.Builder().url(WLClient.getInstance().getServerUrl()).build();
     client.newCall(req).enqueue(new Callback() {
         @Override
         public void onFailure(Call call, IOException e) {
             // Certificate Transparency check failed. Take appropriate action
             // e.g. Report an error and close the app
             e.printStackTrace();
         }
         @Override
         public void onResponse(Call call, Response response) throws IOException {
             // Certificate Transparency check success. Proceed with your app
             // e.g. Get a token or make an adapter call
             WLAuthorizationManager.getInstance().obtainAccessToken("", myTokenListener );
         }
    
     }
    

Server-side certificate transparency

Certificate transparency has two aspects:

  • A server-side SSL certificate issued by a CA having a valid server certificate timestamp (SCT) by means of having a valid log entry in a certificate transparency log server.

  • A client that validates the certificate against a log server.

An SSL certificate with an SCT is definitely required. Make sure your server certificate is one with a valid SCT. Almost every CA these days issue certificates with SCTs. However, if you do want to verify yourself, you can do so easily. I’ll detail this in the next section.

Summary

How much client-side validation is really necessary is a matter of debate. Most browsers perform client-side certificate transparency checks on certificates.

A compromised certificate affects all users of the certificate. Therefore, the malicious certificate needs to be detected only once whether you have a single user or a million users.

Third party tools exist that monitor certificate transparency logs for malicious certificates. Depending on your requirements, you can either choose to use such third party tools or simply perform client-side certificate transparency checks each time your mobile app connects to your server.