Skip to main content

Exploring the Security of Certificate Transparency in the Wild

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12418)


Certificate Transparency (CT) is proposed to detect fraudulent certificates and improve the accountability of CAs. CT as an open auditing and monitoring system is based on the idea that all CA-issued certificates are logged in a publicly accessible log server, and that CT-compliant browsers only accept publicly recorded certificates. The purpose of CT is to make all TLS server certificates issued by the CA publicly visible; once a fraudulent certificate is publicly published, it can be discovered by the domain name owner. In practice, the CT can achieve its intended purpose only when the three components (i.e., log server, monitor, and auditor) of the CT cooperate and work correctly and effectively. Compared with traditional PKI systems, the CT framework does not rely on a single trusted party, but as a distributed system that distributes trust guarantees to many CAs, log servers, auditors, and monitors. In this paper, we study the interaction among log servers, monitors, auditors, CAs, domain owners (or websites), browsers, and other components in practice, and then analyze the security impact of each component on the CT. We explore the security of CT framework in practice from multiple perspectives, and find that each component has many security vulnerabilities. Thus, the attackers might first exploit the vulnerability to disable the CT and then launch an attack using fraudulent certificates. The overall security guarantees of CT are jeopardized due to the weak protections of any components.


  • Certificate Transparency (CT)
  • Fraudulent certificate
  • Trust management

This work was partially supported by National Natural Science Foundation of China (No. 62002011), Open Project of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences (No. 2020-ZD-05, No. 2020-MS-08), NSF CNS-1422206, DGE-1565570, NSA Science of Security Initiative H98230-18-D-0009, and the Ripple University Blockchain Research Initiative.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. Aertsen, M., Korczynski, M., Moura, G., et al.: No domain left behind: is let’s encrypt democratizing encryption? In: 2nd ANRW (2017)

    Google Scholar 

  2. Amann, J., Gasser, O., Scheitle, Q., et al.: Mission accomplished? HTTPS security after DigiNotar. In: 17th IMC (2017)

    Google Scholar 

  3. Apple Inc: Certificate transparency in Apple (2018).

  4. CA/Browser Forum: Baseline requirements for the issuance and management of publicly-trusted certificates, version 1.6.1 (2018).

  5. Chuat, L., Szalachowski, P., Perrig, A., et al.: Efficient gossip protocols for verifying the consistency of certificate logs. In: 3rd IEEE CNS (2015)

    Google Scholar 

  6. Cloudflare Inc: Explore the certificate transparency ecosystem (2018).

  7. Comodo Group Inc: Comodo report of incident (2011).

  8. Cooper, D., Santesson, S., et al.: IETF RFC 5280 - Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile (2008)

    Google Scholar 

  9. Cui, M., Cao, Z., Xiong, G.: How is the forged certificates in the wild: practice on large-scale SSL usage measurement and analysis. In: Shi, Y., et al. (eds.) ICCS 2018. LNCS, vol. 10862, pp. 654–667. Springer, Cham (2018).

    CrossRef  Google Scholar 

  10. Dahlberg, R., Pulls, T.: Verifiable light-weight monitoring for certificate transparency logs. In: Gruschka, N. (ed.) NordSec 2018. LNCS, vol. 11252, pp. 171–183. Springer, Cham (2018).

    CrossRef  Google Scholar 

  11. Dowling, B., Günther, F., Herath, U., Stebila, D.: Secure logging schemes and certificate transparency. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 140–158. Springer, Cham (2016).

    CrossRef  Google Scholar 

  12. Eckersley, P.: A Syrian man-in-the-middle attack against Facebook (2011).

  13. Edgecombe, G.: Certificate transparency monitor (2018).

  14. Eskandarian, S., Messeri, E., Bonneau, J., et al.: Certificate transparency with privacy. In: 17th PETS (2017)

    Google Scholar 

  15. Gasser, O., Hof, B., Helm, M., Korczynski, M., Holz, R., Carle, G.: In log we trust: revealing poor security practices with certificate transparency logs and internet measurements. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 173–185. Springer, Cham (2018).

    CrossRef  Google Scholar 

  16. Google Inc: Certificate transparency over DNS (2016).

  17. Google Inc: Certificate transparency (2018).

  18. Google Inc: Known logs (2018).

  19. Google Inc: Certificate transparency enforcement in google chrome (2020).!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ

  20. Google Inc: Changing the roots of the non-temporally-sharded Google Logs (2020).

  21. Google Inc: Chromium certificate transparency policy (2020).

  22. Google Inc: Continued Operation of Logs with Planned Turn Down Dates (2020).

  23. Gustafsson, J., Overier, G., Arlitt, M., Carlsson, N.: A first look at the CT landscape: certificate transparency logs in practice. In: Kaafar, M.A., Uhlig, S., Amann, J. (eds.) PAM 2017. LNCS, vol. 10176, pp. 87–99. Springer, Cham (2017).

    CrossRef  Google Scholar 

  24. Heather Adkins: An update on attempted man-in-the-middle attacks (2011).

  25. Kent, S.: IETF Draft - Attack and Threat Model for Certificate Transparency (2018)

    Google Scholar 

  26. Laurie, B., Langley, A., et al.: IETF RFC 6962 - Certificate transparency (2013)

    Google Scholar 

  27. Li, B., Chu, D., Lin, J., et al.: The weakest link of certificate transparency: exploring the TLS/HTTPS configurations of third-party monitors. In: 18th IEEE TrustCom (2019)

    Google Scholar 

  28. Li, B., Lin, J., Li, F., et al.: Certificate transparency in the wild: exploring the reliability of monitors. In: 26th AMC CCS (2019)

    Google Scholar 

  29. Liu, Y., Tome, W., Zhang, L.: An end-to-end measurement of certificate revocation in the web’s PKI. In: 15th IMC (2015)

    Google Scholar 

  30. Matsumoto, S., Szalachowski, P., Perrig, A.: Deployment challenges in log-based PKI enhancements. In: 8th EuroSec (2015)

    Google Scholar 

  31. Microsoft Inc: Certificate transparency in Microsoft (2018).

  32. Morton, B.: More Google fraudulent certificates (2014).

  33. Mozilla: Certificate transparency in Mozilla (2018).

  34. Nginx: Certificate transparency in Nginx (2018).

  35. Nykvist, C., Sjöström, L., Gustafsson, J., Carlsson, N.: Server-side adoption of certificate transparency. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 186–199. Springer, Cham (2018).

    CrossRef  Google Scholar 

  36. OpenSSL: Certificate transparency in OpenSSL (2018).

  37. Opsmate Inc: How Cert Spotter Parses 255 Million Certificates (2020).

  38. Scheitle, Q., Gasser, O., Nolte, T., et al.: The rise of certificate transparency and its implications on the Internet ecosystem. In: 18th IMC (2018)

    Google Scholar 

  39. Stark, E., Sleevi, R., Muminovic, R., et al.: Does certificate transparency break the web? Measuring adoption and error rate. In: 40th IEEE S&P (2019)

    Google Scholar 

  40. Tomescu, A., Bhupatiraju, V., Papadopoulos, D., et al.: Transparency logs via append-only authenticated dictionaries. In: 26th ACM CCS (2019)

    Google Scholar 

  41. University of Michigan: Censys (2018).

  42. VanderSloot, B., Amann, J., et al.: Towards a complete view of the certificate ecosystem. In: 16th IMC (2016)

    Google Scholar 

  43. Wikipedia: Flame (malware) (2017).

  44. Wilson, K.: Distrusting new CNNIC certificates (2015).

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Bingyu Li .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Li, B., Li, F., Ma, Z., Wu, Q. (2020). Exploring the Security of Certificate Transparency in the Wild. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2020. Lecture Notes in Computer Science(), vol 12418. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61637-3

  • Online ISBN: 978-3-030-61638-0

  • eBook Packages: Computer ScienceComputer Science (R0)