Glossary
What Is Certificate Transparency?
Certificate Transparency (CT) is a public-log system that records every TLS certificate issued by participating Certificate Authorities. Every modern browser refuses certificates that are not in CT, which means defenders, brand-protection teams, and attackers all have access to a near-complete public ledger of who has been issued certificates for which hostnames.
Why CT Exists
In 2011, a CA called DigiNotar was breached and issued forged certificates for major sites. Affected users had no way to detect it. CT was designed so that every certificate becomes publicly visible the moment it is issued — making mass mis-issuance impossible to hide.
How CT Works
Each participating CA submits every issued certificate to one or more append-only logs. Each log produces a Signed Certificate Timestamp (SCT) that the CA embeds in the certificate. Browsers refuse certificates without valid SCTs from at least the required number of qualified logs.
What CT Reveals
- Every hostname that has ever been issued a TLS certificate.
- When the certificate was issued, by whom, and for how long.
- SAN entries — including subdomain inventories that the org may not have meant to publicize.
- Wildcard issuance patterns and certificate-renewal cadence.
Practical Uses for Defenders
- Subdomain discovery — CT often reveals subdomains that DNS enumeration misses.
- Brand monitoring — alert when certificates are issued for typosquats of your brand.
- Phishing detection — newly issued Let's Encrypt (LE) certs for impersonation domains are an early signal.
- Asset inventory — confirm every TLS-protected asset your org actually operates.
- Incident timeline — certificates often pre-date public attacker activity by days or weeks.
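The subdomain-inventory and brand-monitoring uses above, worked as an added example (not Whisper's own code): it takes CT-derived records (issuer, not-before date, SAN list), flags SANs whose registrable label is a near-miss of, or embeds, a monitored brand, and builds the org's own subdomain inventory from the same data. The records are constructed inline to look like what a CT log monitor yields; no log is queried.

```python
"""Scan CT-derived certificate records for brand lookalikes and own-domain assets.

Added example, not Whisper's code. SAMPLE_RECORDS is constructed, not real CT data.
"""
from dataclasses import dataclass


@dataclass
class CertRecord:
    issuer: str
    not_before: str   # ISO date, as a CT monitor would report it
    sans: list        # every dNSName in the certificate's SAN extension


# Constructed sample records resembling CT log entries (not real certificates).
SAMPLE_RECORDS = [
    CertRecord("Let's Encrypt", "2024-05-01", ["exarnple-bank.com", "www.exarnple-bank.com"]),
    CertRecord("Example CA", "2024-04-20", ["example-bank.com", "*.example-bank.com", "vpn-old.example-bank.com"]),
    CertRecord("Let's Encrypt", "2024-05-02", ["example-bank-login.net"]),
    CertRecord("Example CA", "2024-05-03", ["unrelated.org"]),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'example-bank' for 'a.example-bank.com' or '*.example-bank.com'."""
    parts = hostname.lstrip("*.").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(records, brand: str, max_distance: int = 2) -> list:
    """(hostname, issuer, not_before) for SANs whose label is a typo of `brand` or embeds it."""
    hits = []
    for rec in records:
        for san in rec.sans:
            label = registrable_label(san)
            if label == brand:          # the brand's own domain is not a lookalike
                continue
            if brand in label or levenshtein(label, brand) <= max_distance:
                hits.append((san, rec.issuer, rec.not_before))
    return hits


def subdomain_inventory(records, brand_domain: str) -> set:
    """Every non-wildcard SAN at or under the brand's own domain: a CT-derived asset list."""
    return {san for rec in records for san in rec.sans
            if not san.startswith("*") and (san == brand_domain or san.endswith("." + brand_domain))}
```

Hits from `find_lookalikes` are the alert candidates; a hit whose not-before date is recent and whose issuer is a free CA is the early phishing signal the list above describes.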
CT in Whisper
Whisper joins CT data with WHOIS, DNS, and hosting in a single graph. You can pivot from a suspicious certificate to its issuing CA, the hostname's registrar, the IP it currently resolves to, and the threat-feed status of any of those, all in one query.