This is a move in the right direction, given how readily attackers use fraudulently obtained or mis-issued certificates to pass their infrastructure off as a legitimate site and hide who they really are.
Jason Sabin, CSO of DigiCert, said in an interview that the system is designed to give customers more control of and supervision over the certificates they have in use.
“In some large organizations, you can get people who need to get something done for a certain project so they go and grab a domain and don’t have time to go through whatever process they have in place for getting a certificate,” Sabin said. “So they do it themselves, but then the organization doesn’t know it’s happened, or perhaps it wasn’t done correctly.”
The CertCentral platform that DigiCert is rolling out allows for continuous monitoring of an organization’s certificates, and it also can protect companies against phishing and other attacks that play off of variants of their legitimate domains.
“We can look for people using certificates that are close variants of your domains, like using zeroes for the letter O or things like that,” Sabin said.
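As an added example, not code from DigiCert, CertCentral or the ThreatPost article, here is a small monitor in Python that does the kind of check Sabin describes: it takes subject names as a CT log monitor would see them, collapses look-alike characters such as a zero for the letter O, and flags names that are homoglyphs, one-character typos, hyphenated brand labels or subdomain-prefix variants of the domains you own. The confusables table, the one-label public-suffix assumption and the sample subject names are all constructed for this example.

```python
"""Flag certificate subject names that are confusable variants of your domains.

Added example for this post, not CertCentral or DigiCert code. A monitor feeds
it the subject names it pulls from CT log entries; the confusables table, the
public-suffix handling and the sample names are constructed for illustration.
"""
from __future__ import annotations

# Characters attackers swap in for the letters they resemble (an illustrative
# subset, not a complete confusables list). 'i' is folded to 'l' on both sides
# so that 'd1gicert' and 'digicert' collapse to the same skeleton.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d",
               "0": "o", "1": "l", "i": "l", "3": "e", "4": "a", "5": "s", "7": "t"}


def skeleton(label: str) -> str:
    """Collapse confusable glyphs; labels that look alike get the same skeleton."""
    s = label.lower()
    for seq, canon in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, canon)       # digraphs first, so 'rn' becomes 'm' intact
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name: str) -> tuple[str, str]:
    """Split a host into (second-level label, TLD). Assumes a one-label public
    suffix; production code should consult the Public Suffix List instead."""
    labels = name.lower().lstrip("*.").split(".")
    return (labels[-2], labels[-1]) if len(labels) > 1 else (labels[0], "")


def classify(subject: str, protected: list[str]) -> str | None:
    """Explain why `subject` resembles a protected domain, or None if it does not."""
    host = subject.lower().lstrip("*.")         # wildcard certs cover the base domain
    sld, tld = registrable(host)
    if (sld, tld) in {registrable(p) for p in protected}:
        return None                             # a domain we really own
    for p in protected:
        psld, ptld = registrable(p)
        if sld == psld:
            return f"{p} registered under another TLD"
        if skeleton(sld) == skeleton(psld):
            return f"homoglyph of {p}"
        if edit_distance(f"{sld}.{tld}", f"{psld}.{ptld}") == 1:
            return f"one-character typo of {p}"
        if psld in sld.split("-"):
            return f"brand {psld} embedded in label {sld}"
        if host.startswith(p + ".") or f".{p}." in host:
            return f"{p} used as a subdomain prefix"
    return None


def scan(subjects: list[str], protected: list[str]) -> dict[str, str]:
    """Map every suspicious subject name to the reason it was flagged."""
    hits = {}
    for s in subjects:
        reason = classify(s, protected)
        if reason:
            hits[s] = reason
    return hits


PROTECTED = ["digicert.com", "paypal.com"]

# Constructed subject names, as a monitor would pull them from CT log entries.
SAMPLE_SUBJECTS = [
    "www.digicert.com",                       # ours
    "*.paypal.com",                           # ours, wildcard
    "example.org",                            # unrelated
    "paypa1.com",                             # digit 1 for the letter l
    "d1gicert.com",                           # digit 1 for the letter i
    "digcert.com",                            # dropped letter
    "paypal-secure.com",                      # brand plus a reassuring word
    "login.paypal.com.account-verify.net",    # brand buried in a subdomain
]

if __name__ == "__main__":
    for subject, reason in scan(SAMPLE_SUBJECTS, PROTECTED).items():
        print(f"{subject:40} {reason}")
```

The skeleton comparison is applied to both sides, which is what makes the folding of `i` to `l` safe: "d1gicert" and "digicert" both become "dlglcert". A real monitor would swap the hand-made table for the Unicode confusables data and the two-label split for the Public Suffix List, but the shape of the check is the same.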
Certificate Transparency (CT) is possibly the best approach available today for detecting unauthorised certificate issuance: issued certificates are recorded in public, append-only logs, so a certificate for your domain that you never requested can be spotted by anyone watching those logs. Note that CT makes mis-issuance visible rather than preventing it; revoking the rogue certificate and taking it up with the CA is still on the domain owner. It also has to be noted that the key player behind this initiative is Google, a company infamous for its views and actions on user privacy.
Dennis Fisher (@dennisf) covers this in much more detail at ThreatPost: https://threatpost.com/digicert-offers-continuous-monitoring-of-digital-certificates-to-defeat-fraud/112227
CT’s official site is also a great read to understand the concept further:
Certificate Logs:
Certificate logs are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates.
Monitors:
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates.
Auditors:
Auditors are lightweight software components that typically perform two functions. First, they can verify that logs are behaving correctly and are cryptographically consistent. If a log is not behaving properly, then the log will need to explain itself or risk being shut down. Second, they can verify that a particular certificate appears in a log.
A must read: http://www.certificate-transparency.org/what-is-ct
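As an added example (not code from certificate-transparency.org or any production log), the Python below builds the Merkle tree that a CT log maintains over its entries and performs the two auditor checks described above: an inclusion proof that a particular certificate appears in the log, and a consistency proof that the log at a later size still contains the earlier log unchanged. The hashing and the proof construction follow RFC 6962, and the verification steps follow the algorithms written out in RFC 9162. The certificate entries are constructed byte strings standing in for DER-encoded certificates.

```python
"""RFC 6962 Merkle tree log with the two checks a CT auditor performs.
Added example for this post, not code from certificate-transparency.org or any
real log. Entries are constructed byte strings standing in for DER certificates.
"""
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()        # RFC 6962 leaf prefix

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()   # RFC 6962 node prefix

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n > 1), the RFC 6962 split point."""
    return 1 << ((n - 1).bit_length() - 1)

def root_hash(entries: list) -> bytes:
    """Merkle tree head (MTH) over entries."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(root_hash(entries[:k]), root_hash(entries[k:]))

def inclusion_proof(index: int, entries: list) -> list:
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(index, entries[:k]) + [root_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [root_hash(entries[:k])]

def _subproof(m: int, entries: list, complete: bool) -> list:
    if m == len(entries):
        return [] if complete else [root_hash(entries)]
    k = _split(len(entries))
    if m <= k:
        return _subproof(m, entries[:k], complete) + [root_hash(entries[k:])]
    return _subproof(m - k, entries[k:], False) + [root_hash(entries[:k])]

def consistency_proof(old_size: int, entries: list) -> list:
    """Proof that the tree over entries[:old_size] is a prefix of the current tree."""
    return _subproof(old_size, entries, True)

def verify_inclusion(leaf: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    """RFC 9162 2.1.3.2: rebuild the root from a leaf hash and its audit path."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def verify_consistency(first: int, second: int, first_root: bytes,
                       second_root: bytes, proof: list) -> bool:
    """RFC 9162 2.1.4.2: check that first_root is embedded unchanged in second_root."""
    if not 0 < first < second or not proof:
        return False
    path = ([first_root] if (first & (first - 1)) == 0 else []) + list(proof)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_root and sr == second_root

def demo() -> dict:
    """Constructed scenario: an honest log, then one that rewrites history."""
    certs = [f"cert-{i}".encode() for i in range(5)]     # stand-ins for DER certs
    old_root, new_root = root_hash(certs[:3]), root_hash(certs)  # auditor saw size 3
    rewritten = [certs[0], b"cert-1-replaced"] + certs[2:]     # log swaps an old entry
    return {
        "cert_2_included": verify_inclusion(leaf_hash(certs[2]), 2, 5,
                                            inclusion_proof(2, certs), new_root),
        "unlogged_cert": verify_inclusion(leaf_hash(b"not-logged"), 2, 5,
                                          inclusion_proof(2, certs), new_root),
        "honest_growth": verify_consistency(3, 5, old_root, new_root,
                                            consistency_proof(3, certs)),
        "rewritten_history": verify_consistency(3, 5, old_root, root_hash(rewritten),
                                                consistency_proof(3, rewritten)),
    }
```

Run `demo()` and the two honest checks pass while the other two fail. The rewritten-history case is the one that matters for the "explain itself or risk being shut down" clause: an auditor only ever stores the signed tree heads it has seen, and once a log has altered an entry no consistency proof it can produce will chain the old head to the new one. In a real deployment the proofs come from the log over the network (`get-proof-by-hash` and `get-sth-consistency` in RFC 6962) rather than from a local list.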
Image courtesy: www.hotforsecurity.com