Please add option for "anomalous" Certificate Transparency Monitoring notifications

I finally disabled Certificate Transparency Monitoring for all my websites yesterday because I was tired of regularly getting “spammed” with tons of completely normal certificate renewals. I wasn’t even actually reading them by the end…

Really what I would want is to get notifications only for “anomalous” certificates, such as any certificates not generated by or on behalf of Cloudflare. (@epic.network points out a more precise heuristic: any certificates not matching the (typically auto-generated) CAA records for the domain.)

I think this would be a popular option. 🙂

I can certainly appreciate your perspective on the noise of CT notifications. It is a contributing reason for my choice to not receive such notifications.

How would Cloudflare know which certificate issuance is not expected? If it conforms to your published CAA restrictions, that would seem to not be anomalous.


Yes, thank you, using the CAA records would be a more precise heuristic.

I edited my post to reflect that.

But… any certificate not matching your CAA records wouldn’t issue in the first place, no?


My understanding of CAA is fairly limited, but I did some reading and found this:

A certificate authority that goes rogue or is totally compromised can issue a certificate for your domain regardless of what CAA says. Also, DNS records can be spoofed by a powerful attacker to trick a certificate authority into thinking that it is authorized.

Their Cert Spotter service mentions:

When’s the last time you heard a car alarm and thought a car was being stolen?

A monitoring system that pesters you with false alarms is useless because you begin to ignore the alerts. Most Certificate Transparency monitors alert you about every single certificate for your domains, making it hard to notice when a malicious certificate is issued.

This seems to validate my proposal, but the big problem with Cert Spotter is that it starts at a whopping $15/month.

Cloudflare would provide a (much more) useful subset of their functionality for free if it could filter out Certificate Transparency notifications about certificates issued by CAA-authorized certificate authorities.
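A sketch of the filter proposed above, added here as an example that is not part of this thread or of Cloudflare's product: it reads the domain's CAA issue/issuewild records (constructed sample data) and flags only the CT log entries whose issuing CA is not CAA-authorized. It assumes each CT entry already carries the issuer's CAA identifier (a hypothetical field) and skips the parent-name climbing a real CAA lookup performs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CaaRecord:
    tag: str    # "issue" or "issuewild"; other tags (e.g. "iodef") are ignored by this filter
    value: str  # CA identifier such as "letsencrypt.org", optionally with parameters after ";"
                # a bare ";" means "no CA may issue"

@dataclass(frozen=True)
class CtEntry:
    subject: str        # certificate name, e.g. "example.com" or "*.example.com"
    issuer_caa_id: str  # the issuing CA's CAA identifier (hypothetical field, assumed known)

def _ca_ids(records, tag):
    # Keep only the issuer domain name, dropping parameters such as "; validationmethods=dns-01"
    return {r.value.split(";")[0].strip().lower() for r in records if r.tag == tag}

def authorized_cas(records, wildcard):
    """CAs allowed to issue for this name. Wildcard names use issuewild when any exist,
    otherwise issue (RFC 8659 section 4.2). A bare ";" yields "" and is dropped, so a
    record set consisting only of ";" authorizes no CA at all."""
    issue, issuewild = _ca_ids(records, "issue"), _ca_ids(records, "issuewild")
    chosen = issuewild if (wildcard and issuewild) else issue
    return {c for c in chosen if c}

def anomalous_entries(records, entries):
    """CT entries whose issuer is not CAA-authorized: the only ones worth a notification.
    With no CAA records published at all, any CA may issue, so nothing is flagged.
    Simplification: only the exact name's records are consulted, not parent names."""
    if not records:
        return []
    return [e for e in entries
            if e.issuer_caa_id.lower() not in authorized_cas(records, e.subject.startswith("*."))]

# Constructed sample data (not real DNS or CT log contents)
EXAMPLE_CAA = [
    CaaRecord("issue", "letsencrypt.org"),
    CaaRecord("issue", "pki.goog; cansignhttpexchanges=yes"),
    CaaRecord("issuewild", "letsencrypt.org"),
]
EXAMPLE_LOG = [
    CtEntry("example.com", "letsencrypt.org"),     # normal renewal: silent
    CtEntry("example.com", "pki.goog"),            # authorized issuer: silent
    CtEntry("*.example.com", "pki.goog"),          # wildcard limited to letsencrypt.org: flagged
    CtEntry("example.com", "unknown-ca.example"),  # issuer not in CAA at all: flagged
]

if __name__ == "__main__":
    for e in anomalous_entries(EXAMPLE_CAA, EXAMPLE_LOG):
        print(f"ALERT: {e.subject} issued by {e.issuer_caa_id}")
```

As the SSLMate text quoted above warns, a CA that ignores CAA or is fooled by spoofed DNS can still sit inside the authorized set, so this filter cuts the noise but cannot prove a certificate legitimate.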