Google's Certificate Transparency Policy set to expand
Quick reminder – What is the CT log about?
Certificate Transparency (CT) is a standard introduced in November 2014 by Google. Its main objective was to fix several structural flaws in the SSL certificate system which, left unchecked, could facilitate a wide range of cyberattacks (e.g. spoofing, Man-in-the-Middle attacks).
The CT log is a worldwide database that lets anyone check a certificate's details: which organisation it was issued to, what its purpose is and who issued it. Google intends to make it easier to identify mis-issued certificates, but also CAs that have gone rogue and are maliciously issuing SSL certificates.
As a first phase of the project, Google applied this standard to all EV certificates issued after 1st of January 2015.
Expanding CT to all certificates
Now that Google has gathered experience from implementing CT with EV certificates, it is going to expand the standard to all certificates. Since 19 January 2016, OV certificates have started supporting CT.
How is CT going to affect you?
At the time of writing, Chrome is the most widely used browser (39.61% combined market share) and currently the only browser with a CT policy and enforcement mechanism. After the policy was first enforced in May 2015, non-compliant EV certificates had their iconic green EV URL bar removed by Chrome; with Google Chrome's CT policy set to include all certificates, OV certificates may get similar treatment.
How are certificates' information displayed?
You can check your certificate's information with Google's Transparency Report tool. Type your website's address into the search box to list the issuing Certificate Authorities and the certificates issued.
How does CT work?
Certificate Transparency is achieved through three new components added to the SSL system:
- Certificate logs – the core component of the CT system, keeping records of all SSL certificates. Before issuing a certificate, CAs now have to add a log entry using a pre-certificate. In return they receive a Signed Certificate Timestamp (SCT) as proof, which can be embedded in the SSL certificate.
Note: once added, log entries cannot be edited or retroactively inserted; they are protected by a cryptographic mechanism (Merkle Tree Hashes) and are publicly auditable.
- Certificate monitors – anyone (customers or CAs) watching the log entries on a regular basis for suspicious activity, using HTTP GET requests.
- Certificate auditors – anyone checking the consistency of the log entries to verify that the certificates haven't been corrupted.
Google has been encouraging CAs to include CT in all their SSL certificates for over a year; it has also been urging companies to set up CT logs and to create tools to monitor them. There are currently eight recognised active logs (Google runs three), and others are in the process of being added or removed.
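The "Merkle Tree Hashes" the note above refers to are what let an auditor confirm that an entry is in a log, and that the log has not been silently rewritten, without trusting the log operator. The following is an added example, not code from this page or from any CT log implementation: it builds an RFC 6962-style tree over constructed placeholder entries, produces an inclusion proof for one entry and verifies it against the tree head, the same check an auditor runs against a log's signed tree head.

```python
import hashlib

LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"   # RFC 6962 domain separation

def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()
def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()

def split_point(n: int) -> int:
    """Largest power of two strictly less than n, where RFC 6962 splits the tree."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_tree_hash(leaves: list) -> bytes:
    """Tree head hash over the ordered log entries (empty tree hashes the empty string)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hash_leaf(leaves[0])
    k = split_point(len(leaves))
    return hash_node(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))

def audit_path(leaves: list, m: int) -> list:
    """Inclusion proof for entry m: the sibling hashes from that leaf up to the root."""
    if len(leaves) <= 1:
        return []
    k = split_point(len(leaves))
    if m < k:
        return audit_path(leaves[:k], m) + [merkle_tree_hash(leaves[k:])]
    return audit_path(leaves[k:], m - k) + [merkle_tree_hash(leaves[:k])]

def verify_inclusion(entry: bytes, index: int, tree_size: int, path: list, root: bytes) -> bool:
    """Auditor-side check: rebuild the root from the entry and its proof, compare to the head."""
    if index >= tree_size:
        return False
    h, fn, sn = hash_leaf(entry), index, tree_size - 1
    for p in path:
        if sn == 0:                       # more proof nodes than the tree has levels
            return False
        if (fn & 1) or fn == sn:          # entry is a right child, or sits on the right edge
            h = hash_node(p, h)
            while not (fn & 1) and fn != 0:   # skip levels where the right edge has no sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            h = hash_node(h, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and h == root

if __name__ == "__main__":   # constructed placeholder entries, not real certificates
    log = [b"precert-example-%d" % i for i in range(5)]
    print(verify_inclusion(log[3], 3, 5, audit_path(log, 3), merkle_tree_hash(log)))  # True
```

A forged entry, a wrong index or a truncated proof all fail the check, which is why a log operator cannot quietly drop or alter an entry once a tree head covering it has been published.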
Why SSL247® is your SSL consultant of choice:
SSL247® has 10+ years of industry experience, multiple awards and accreditations, and platinum partnerships with the most reputable CAs. Our accumulated portfolio means our trusted consultants are the leading web security experts in Europe.
By gaining access to SSL247®'s accredited consultants and expertise, your certificates are automatically submitted to Google's Certificate Transparency whitelist as CA partners become compliant, unless explicitly instructed otherwise. This means you spend less time worrying about browser-generated security warnings and more time actually growing your organisation. If you have any questions or want to find out more, contact us today for a free, no-commitment consultation.