CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Certificate Transparency Logs

Cryptography Advanced
debt(d7/e3/b3/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The absence of CT log monitoring and missing CAA records are not caught by compilers, linters, or standard SAST tools. Detection requires deliberately querying crt.sh/certspotter or auditing DNS records — tools listed in detection_hints.tools — which are specialist external checks rather than part of a normal development pipeline. A rogue certificate issued silently will not surface in code review; it only becomes visible if someone actively looks.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix describes monitoring crt.sh for your domain, and adding a CAA DNS record is a single DNS change. These are low-effort operational steps but they do require setting up ongoing monitoring (not just a one-line code patch), touching DNS configuration, and potentially integrating an alerting pipeline — slightly more than e1 but well within a single component / operational scope.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to scope is web contexts only. The burden is primarily operational — maintaining CT log monitoring and a CAA record — rather than a pervasive structural tax on every future code change. It doesn't shape architectural decisions broadly but does impose a recurring maintenance responsibility on whoever owns domain/TLS management.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field directly states the trap: developers believe CT logs *prevent* misissuance, when they only *detect* it after the fact. This contradicts the intuitive reading of 'transparency as protection' and mirrors how other security controls (e.g. HTTPS itself) are assumed to prevent MitM — yet a rogue cert + HTTPS is undetectable without CT monitoring. The common_mistakes reinforce that this is a widely held and consequential wrong belief.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-06 · reviewed by human

Also Known As

CT logs Certificate Transparency crt.sh CAA record

TL;DR

Public append-only logs of all issued TLS certificates — enabling detection of misissuance and rogue certificates within hours rather than months.

Explanation

Certificate Transparency (RFC 6962) requires CAs to log every issued certificate to public append-only logs before it can be trusted by browsers. Chrome has required CT since 2018. Benefits: detect rogue certificates (if an attacker gets a certificate for your domain from a compromised CA, CT logs reveal it), monitor your domain for unexpected certificates via crt.sh, and hold CAs accountable. CAA DNS records restrict which CAs can issue for your domain, adding a prevention layer alongside CT's detection.

Common Misconception

Certificate Transparency prevents certificate misissuance — CT logs detect misissuance after the fact and enable rapid response; CAA DNS records provide prevention.

Why It Matters

Without CT logs, a CA could issue a certificate for your domain to an attacker and nobody would know for months — CT makes all certificates publicly auditable within seconds of issuance.

Common Mistakes

  • Not monitoring CT logs for your domain — rogue certs go unnoticed
  • No CAA DNS record — any CA can issue for your domain without restriction
  • Not checking CT logs when deploying new domains
  • Assuming HTTPS means no MitM — a rogue cert + HTTPS interception is undetectable without CT monitoring

Code Examples

✗ Vulnerable 
// No CT monitoring:
// 2024: attacker compromises a CA, gets cert for company.com
// CT log records it immediately — but company has no monitoring
// Attack runs for 12 months before discovered in incident response
✓ Fixed 
# CAA DNS record — restrict which CAs can issue:
# company.com. CAA 0 issue "letsencrypt.org"
# Only Let's Encrypt can issue for company.com

# Monitor CT logs via crt.sh API:
# curl 'https://crt.sh/?q=company.com&output=json' | jq '.[].name_value'
# Or subscribe to Cert Spotter for email alerts on new issuance
Added 16 Mar 2026
Edited 22 Mar 2026
Views 52

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 2 pings F 4 pings S 2 pings S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W 2 pings T 0 pings F 0 pings S 0 pings S 0 pings M 2 pings T 0 pings W
Agents 0
No pings yet today
PetalBot 2
Amazonbot 7 Scrapy 7 Perplexity 4 Ahrefs 4 Google 3 SEMrush 3 Unknown AI 2 Claude 2 PetalBot 2 Majestic 1 Meta AI 1 Sogou 1
Also referenced
TLS Handshake 52 Encryption in Transit 51 SSL/TLS Certificate Types 48
How they use it
crawler 35 crawler_json 2
Related categories
networking 1k cryptography 810
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Monitor crt.sh for certificates issued for your domains — any certificate you didn't request is a sign of compromise or mis-issuance
📦 Applies To
any web
🔗 Prerequisites
🔍 Detection Hints
No certificate monitoring; domain without CAA record limiting which CAs can issue; unexpected certificates on crt.sh
Auto-detectable: ✓ Yes crt.sh certspotter ssl-labs
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Low ✓ Auto-fixable Fix: Low Context: File
CWE-295
✓ schema.org compliant