{
    "slug": "certificate_transparency",
    "term": "Certificate Transparency Logs",
    "category": "cryptography",
    "difficulty": "advanced",
    "short": "Public append-only logs of all issued TLS certificates — enabling detection of misissuance and rogue certificates within hours rather than months.",
    "long": "Certificate Transparency (RFC 6962) requires CAs to log every issued certificate to public append-only logs before it can be trusted by browsers. Chrome has required CT since 2018. Benefits: detect rogue certificates (if an attacker gets a certificate for your domain from a compromised CA, CT logs reveal it), monitor your domain for unexpected certificates via crt.sh, and hold CAs accountable. CAA DNS records restrict which CAs can issue for your domain, adding a prevention layer alongside CT's detection.",
    "aliases": [
        "CT logs",
        "Certificate Transparency",
        "crt.sh",
        "CAA record"
    ],
    "tags": [
        "cryptography",
        "security",
        "tls"
    ],
    "misconception": "Certificate Transparency prevents certificate misissuance — it does not. CT logs only make misissuance visible after the fact so that it can be detected and revoked quickly; CAA DNS records are the prevention layer.",
    "why_it_matters": "Without CT logs, a CA could issue a certificate for your domain to an attacker and nobody would know for months — CT makes all certificates publicly auditable within seconds of issuance.",
    "common_mistakes": [
        "Not monitoring CT logs for your domain — rogue certs go unnoticed",
        "No CAA DNS record — any CA can issue for your domain without restriction",
        "Not checking CT logs when deploying new domains",
        "Assuming HTTPS rules out MitM — interception with a rogue but validly issued certificate produces no browser warning, so only CT monitoring will surface it"
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "tls_handshake",
        "ssl_certificate_types",
        "encryption_in_transit"
    ],
    "prerequisites": [
        "ssl_certificate_types",
        "hsts",
        "public_key_infrastructure"
    ],
    "refs": [
        "https://certificate.transparency.dev/"
    ],
    "bad_code": "// No CT monitoring:\n// 2024: attacker compromises a CA, gets cert for company.com\n// CT log records it immediately — but company has no monitoring\n// Attack runs for 12 months before it is discovered during incident response",
    "good_code": "# CAA DNS record — restrict which CAs can issue:\n# company.com. CAA 0 issue \"letsencrypt.org\"\n# Only Let's Encrypt can issue for company.com (public CAs must check CAA at issuance time)\n\n# Monitor CT logs via crt.sh API:\n# curl 'https://crt.sh/?q=company.com&output=json' | jq '.[].name_value'\n# Note: q=company.com matches that exact name; use q=%.company.com to include subdomains\n# Or subscribe to Cert Spotter for email alerts on new issuance",
    "quick_fix": "Monitor crt.sh for certificates issued for your domains — any certificate that nobody in your organisation requested should be treated as a sign of CA compromise or misissuance and investigated",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/certificate_transparency",
        "html_url": "https://codeclaritylab.com/glossary/certificate_transparency",
        "json_url": "https://codeclaritylab.com/glossary/certificate_transparency.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Certificate Transparency Logs](https://codeclaritylab.com/glossary/certificate_transparency) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/certificate_transparency"
            }
        }
    }
}