{"id":61,"date":"2026-06-23T23:58:51","date_gmt":"2026-06-23T20:58:51","guid":{"rendered":"https:\/\/secradar.net\/blog\/izinsiz-ssl-sertifikasi-ct-izleme-caa\/"},"modified":"2026-06-23T23:58:51","modified_gmt":"2026-06-23T20:58:51","slug":"izinsiz-ssl-sertifikasi-ct-izleme-caa","status":"publish","type":"post","link":"https:\/\/secradar.net\/blog\/izinsiz-ssl-sertifikasi-ct-izleme-caa\/","title":{"rendered":"\u0130zinsiz SSL Sertifikas\u0131 Tespiti: Certificate Transparency \u0130zleme ve CAA"},"content":{"rendered":"<p>Alan ad\u0131n\u0131z i\u00e7in bir SSL sertifikas\u0131 d\u00fczenlendi\u011finde, bu i\u015flem saniyeler i\u00e7inde <strong>herkese a\u00e7\u0131k bir deftere<\/strong> yaz\u0131l\u0131r. \u0130yi haber: bu defteri sadece sald\u0131rganlar de\u011fil, <em>siz de<\/em> izleyebilirsiniz. Markan\u0131z ad\u0131na izinsiz, hatal\u0131 ya da sahte bir sertifika d\u00fczenlendi\u011finde bunu erken yakalaman\u0131n yolu Certificate Transparency&#8217;dir.<\/p>\n<p>Bu yaz\u0131, CT&#8217;nin <strong>savunma<\/strong> taraf\u0131n\u0131 ele al\u0131yor. CT loglar\u0131ndan kendi alt alan adlar\u0131n\u0131z\u0131 ke\u015ffetme (sald\u0131r\u0131 y\u00fczeyi haritalama) konusunu daha \u00f6nce <a href=\"https:\/\/secradar.net\/blog\/certificate-transparency-subdomain-kesfi\">Certificate Transparency ve Subdomain Ke\u015ffi<\/a> yaz\u0131m\u0131zda i\u015flemi\u015ftik; burada odak, <strong>izinsiz sertifika tespiti ve \u00f6nlenmesi<\/strong>.<\/p>\n<h2>Certificate Transparency&#8217;nin Di\u011fer Y\u00fcz\u00fc: Herkese A\u00e7\u0131k Defter<\/h2>\n<p>Certificate Transparency (CT), sertifika otoritelerinin (CA) d\u00fczenledikleri her TLS\/SSL sertifikas\u0131n\u0131, herkes\u00e7e denetlenebilen, de\u011fi\u015ftirilemez (append-only) log sunucular\u0131na kaydetmesini zorunlu k\u0131lan bir sistemdir. Taray\u0131c\u0131lar (\u00f6zellikle Chrome) CT&#8217;ye kaydedilmemi\u015f sertifikalara g\u00fcvenmez \u2014 yani <strong>pratikte her ge\u00e7erli sertifika CT&#8217;de g\u00f6r\u00fcn\u00fcr<\/strong>.<\/p>\n<p>Bu zorunluluk, sertifika d\u00fcnyas\u0131n\u0131 \u015feffaf k\u0131lar: bir sald\u0131rgan markan\u0131z ad\u0131na sertifika al\u0131rsa, bu i\u015flem de loglan\u0131r ve <strong>izlenebilir h\u00e2le gelir<\/strong>. CT, k\u00f6t\u00fcye kullan\u0131m\u0131 engelleyemez ama <em>g\u00f6r\u00fcn\u00fcr<\/em> k\u0131lar \u2014 savunman\u0131n temeli budur.<\/p>\n<h2>Markan\u0131z Ad\u0131na \u0130zinsiz Sertifika Nas\u0131l Ortaya \u00c7\u0131kar?<\/h2>\n<p>&#8220;Benim alan ad\u0131m i\u00e7in bana sormadan kim sertifika d\u00fczenleyebilir ki?&#8221; diye d\u00fc\u015f\u00fcnebilirsiniz. Pratikte birka\u00e7 senaryo var:<\/p>\n<ul>\n<li><strong>G\u00f6lge BT (shadow IT):<\/strong> Bir ekip, g\u00fcvenlik biriminden habersiz yeni bir alt alan ad\u0131 a\u00e7\u0131p Let&#8217;s Encrypt&#8217;ten sertifika al\u0131r. Kay\u0131t d\u0131\u015f\u0131, izlenmeyen bir varl\u0131k do\u011far.<\/li>\n<li><strong>Hatal\u0131 d\u00fczenleme (mis-issuance):<\/strong> Bir CA, do\u011frulama hatas\u0131yla alan ad\u0131n\u0131z i\u00e7in yetkisiz birine sertifika verir. Nadir ama ya\u015fanm\u0131\u015ft\u0131r.<\/li>\n<li><strong>Ele ge\u00e7irilmi\u015f alt alan ad\u0131:<\/strong> Sarkan (dangling) bir DNS kayd\u0131n\u0131 ele ge\u00e7iren sald\u0131rgan, o alt alan ad\u0131 i\u00e7in ge\u00e7erli sertifika al\u0131p HTTPS kilidiyle me\u015fru g\u00f6r\u00fcn\u00fcr. (Bkz. <a href=\"https:\/\/secradar.net\/blog\/subdomain-takeover-nedir\">Subdomain Takeover<\/a>.)<\/li>\n<li><strong>Benzer (typosquat) alan adlar\u0131:<\/strong> <code>sirket-giris.com<\/code>, <code>sirkett.com<\/code> gibi taklit alan adlar\u0131 i\u00e7in al\u0131nan sertifikalar \u2014 phishing kampanyalar\u0131n\u0131n habercisi olabilir.<\/li>\n<\/ul>\n<h2>CT Loglar\u0131n\u0131 \u0130zleyerek Erken Uyar\u0131 Al\u0131n<\/h2>\n<p>Savunman\u0131n ilk ad\u0131m\u0131 g\u00f6r\u00fcn\u00fcrl\u00fck: alan ad\u0131n\u0131z i\u00e7in <strong>hangi CA&#8217;lar\u0131n, ne zaman, hangi alt alan adlar\u0131na<\/strong> sertifika d\u00fczenledi\u011fini d\u00fczenli olarak g\u00f6zden ge\u00e7irin. Arad\u0131\u011f\u0131n\u0131z sinyaller:<\/p>\n<ul>\n<li>Tan\u0131mad\u0131\u011f\u0131n\u0131z bir <strong>alt alan ad\u0131<\/strong> i\u00e7in d\u00fczenlenmi\u015f sertifika (kay\u0131t d\u0131\u015f\u0131 varl\u0131k).<\/li>\n<li>Kullanmad\u0131\u011f\u0131n\u0131z bir <strong>sertifika otoritesinden<\/strong> gelen sertifika (CAA politikan\u0131z d\u0131\u015f\u0131 d\u00fczenleme).<\/li>\n<li>Beklenmeyen bir zamanda, yo\u011fun \u015fekilde d\u00fczenlenen <strong>yeni sertifikalar<\/strong>.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/secradar.net\/sertifika-gecmisi\">SecRadar Sertifika Ge\u00e7mi\u015fi (CT)<\/a> arac\u0131, alan ad\u0131n\u0131z i\u00e7in CT loglar\u0131na d\u00fc\u015fm\u00fc\u015f t\u00fcm sertifikalar\u0131 \u2014 apex ve wildcard dahil \u2014 d\u00fczenleyen CA, ge\u00e7erlilik tarihleri ve kapsad\u0131klar\u0131 alt alan adlar\u0131yla birlikte listeler; son 30 g\u00fcndeki d\u00fczenlemeleri ve ola\u011fand\u0131\u015f\u0131 yo\u011funluklar\u0131 ayr\u0131ca \u00f6ne \u00e7\u0131kar\u0131r. B\u00f6ylece &#8220;bu sertifikay\u0131 biz mi ald\u0131k?&#8221; sorusunu h\u0131zl\u0131ca yan\u0131tlars\u0131n\u0131z.<\/p>\n<p>Tek seferlik kontrol yetmez; ideal olan <strong>s\u00fcrekli izlemedir<\/strong>. SecRadar izleme \u00f6zelli\u011fi, alan ad\u0131n\u0131z i\u00e7in yeni bir sertifika logland\u0131\u011f\u0131nda size Telegram veya e-posta ile haber verir \u2014 izinsiz bir d\u00fczenlemeyi g\u00fcnler de\u011fil dakikalar i\u00e7inde fark edersiniz.<\/p>\n<h2>CAA Kayd\u0131 ile \u0130zinsiz Sertifika D\u00fczenlenmesini \u00d6nleyin<\/h2>\n<p>\u0130zleme tespit eder; <strong>CAA kayd\u0131 \u00f6nler<\/strong>. CAA (Certification Authority Authorization), DNS&#8217;inize ekledi\u011finiz ve <em>&#8220;alan ad\u0131m i\u00e7in yaln\u0131zca \u015fu CA&#8217;lar sertifika d\u00fczenleyebilir&#8221;<\/em> diyen bir kay\u0131tt\u0131r. CAA&#8217;ya uymak t\u00fcm CA&#8217;lar i\u00e7in zorunludur; politikan\u0131z d\u0131\u015f\u0131ndaki bir CA, sertifika d\u00fczenlemeden \u00f6nce CAA kayd\u0131n\u0131z\u0131 kontrol edip i\u015flemi reddetmek zorundad\u0131r.<\/p>\n<p>\u00d6rnek bir CAA kay\u0131t seti:<\/p>\n<pre><code>example.com.  IN CAA 0 issue \"letsencrypt.org\"\nexample.com.  IN CAA 0 issuewild \"letsencrypt.org\"\nexample.com.  IN CAA 0 iodef \"mailto:guvenlik@example.com\"<\/code><\/pre>\n<ul>\n<li><strong>issue<\/strong> \u2014 normal sertifikalar\u0131 yaln\u0131zca belirtilen CA d\u00fczenleyebilir.<\/li>\n<li><strong>issuewild<\/strong> \u2014 wildcard (<code>*.example.com<\/code>) sertifikalar\u0131 i\u00e7in ayr\u0131 yetki; wildcard&#8217;\u0131 t\u00fcm\u00fcyle yasaklamak i\u00e7in <code>\";\"<\/code> kullan\u0131n.<\/li>\n<li><strong>iodef<\/strong> \u2014 CAA ihlali giri\u015fimi oldu\u011funda CA&#8217;n\u0131n rapor g\u00f6nderece\u011fi adres (e-posta\/URL). \u0130zinsiz d\u00fczenleme <em>denemelerini<\/em> bile haber al\u0131rs\u0131n\u0131z.<\/li>\n<\/ul>\n<p>CAA kayd\u0131n\u0131z\u0131n do\u011fru tan\u0131mland\u0131\u011f\u0131n\u0131 ve sertifikan\u0131zla uyumlu oldu\u011funu <a href=\"https:\/\/secradar.net\/ssl-sorgulama\">SSL Sorgulama<\/a> arac\u0131yla kontrol edebilirsiniz \u2014 sonu\u00e7larda alan ad\u0131n\u0131z\u0131n CAA politikas\u0131 da g\u00f6sterilir.<\/p>\n<h2>Pratik Kontrol Listesi<\/h2>\n<ul>\n<li>Alan ad\u0131n\u0131z\u0131n CT ge\u00e7mi\u015fini <a href=\"https:\/\/secradar.net\/sertifika-gecmisi\">Sertifika Ge\u00e7mi\u015fi<\/a> ile g\u00f6zden ge\u00e7irin; tan\u0131mad\u0131\u011f\u0131n\u0131z alt alan ad\u0131 veya CA var m\u0131?<\/li>\n<li>DNS&#8217;inize <strong>CAA kayd\u0131<\/strong> ekleyin; yaln\u0131zca kulland\u0131\u011f\u0131n\u0131z CA&#8217;lara izin verin, <code>iodef<\/code> ile raporlama adresi tan\u0131mlay\u0131n.<\/li>\n<li><a href=\"https:\/\/secradar.net\/alt-alan-adi-bulucu\">Alt Alan Ad\u0131 Bulucu<\/a> ile envanterinizi \u00e7\u0131kar\u0131n; g\u00f6lge BT ve sarkan kay\u0131tlar\u0131 temizleyin.<\/li>\n<li>Benzer\/typosquat alan adlar\u0131n\u0131 izleyin \u2014 markan\u0131za ait olmayan ama sizi taklit eden sertifikalar phishing habercisidir.<\/li>\n<li>Tek seferlik de\u011fil, <strong>s\u00fcrekli<\/strong> izleyin: yeni sertifika logland\u0131\u011f\u0131nda uyar\u0131 al\u0131n.<\/li>\n<\/ul>\n<h2>\u00d6zetle<\/h2>\n<p>Certificate Transparency, sertifika ekosistemini \u015feffaf k\u0131larak izinsiz d\u00fczenlemeleri g\u00f6r\u00fcn\u00fcr h\u00e2le getirir; CAA kayd\u0131 ise bu d\u00fczenlemeleri ba\u015ftan engeller. \u0130kisini birlikte kulland\u0131\u011f\u0131n\u0131zda \u2014 izleme + \u00f6nleme \u2014 markan\u0131z ad\u0131na yetkisiz bir sertifikan\u0131n sessizce var olmas\u0131 neredeyse imk\u00e2ns\u0131zla\u015f\u0131r.<\/p>\n<p>Sertifikalar\u0131n\u0131z\u0131 <a href=\"https:\/\/secradar.net\/sertifika-gecmisi\">Sertifika Ge\u00e7mi\u015fi (CT)<\/a> ve <a href=\"https:\/\/secradar.net\/ssl-sorgulama\">SSL Sorgulama<\/a> ara\u00e7lar\u0131m\u0131zla denetleyin. G\u00fcvenilir, do\u011fru yap\u0131land\u0131r\u0131lm\u0131\u015f SSL sertifikalar\u0131 i\u00e7in <a href=\"https:\/\/www.ihs.com.tr\/ssl\/\" target=\"_blank\" rel=\"noopener\">\u0130HS Telekom SSL hizmetlerini<\/a> inceleyebilirsiniz.<\/p>\n<div style=\"background:#eef2ff;border:1px solid #c7d2fe;border-radius:12px;padding:16px;margin-top:24px\"><b>Ad\u0131n\u0131za d\u00fczenlenen her sertifikadan haberdar olun.<\/b> <a href=\"https:\/\/secradar.net\/register\">SecRadar&#8217;a \u00fccretsiz \u00fcye olun<\/a>; alan ad\u0131n\u0131z i\u00e7in yeni bir SSL sertifikas\u0131 logland\u0131\u011f\u0131nda, DNS\/CAA kayd\u0131n\u0131z de\u011fi\u015fti\u011finde Telegram veya e-posta ile otomatik uyar\u0131 al\u0131n.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Alan ad\u0131n\u0131z i\u00e7in bir SSL sertifikas\u0131 d\u00fczenlendi\u011finde, bu i\u015flem saniyeler i\u00e7inde herkese a\u00e7\u0131k bir deftere yaz\u0131l\u0131r. \u0130yi haber: bu defteri sadece sald\u0131rganlar de\u011fil, siz de izleyebilirsiniz. Markan\u0131z ad\u0131na izinsiz, hatal\u0131 ya da sahte bir sertifika d\u00fczenlendi\u011finde bunu erken yakalaman\u0131n yolu Certificate Transparency&#8217;dir. Bu yaz\u0131, CT&#8217;nin savunma taraf\u0131n\u0131 ele al\u0131yor. CT loglar\u0131ndan kendi alt alan adlar\u0131n\u0131z\u0131 &#8230; <a title=\"\u0130zinsiz SSL Sertifikas\u0131 Tespiti: Certificate Transparency \u0130zleme ve CAA\" class=\"read-more\" href=\"https:\/\/secradar.net\/blog\/izinsiz-ssl-sertifikasi-ct-izleme-caa\/\" aria-label=\"Read more about \u0130zinsiz SSL Sertifikas\u0131 Tespiti: Certificate Transparency \u0130zleme ve CAA\">Devam\u0131n\u0131 oku<\/a><\/p>\n","protected":false},"author":0,"featured_media":60,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-61","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ssl-sertifika"],"_links":{"self":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/comments?post=61"}],"version-history":[{"count":0,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts\/61\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/media\/60"}],"wp:attachment":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/media?parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/categories?post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/tags?post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}