Certificate Transparency (CT) is an open-source Internet Security Standard for monitoring and auditing of digital certificates. It requires all issued certificates to be published in a public log so they can be checked and verified by any interested party. The logs are audited on regular time intervals to ensure that information added to them is correct, and organizations check them from time to time to take a look on all certificates which have been issued to their entity. If they find a certificate that they didn’t authorize they can quickly contact the CA that issued the certificate and get that certificate revoked.
Google Updates on CT Policy
Google is continuing its efforts to make the web as secure as possible. After announcing that Google will display “Not Secure” label for non-HTTPS websites, now Chrome 68 will not trust the SSL certificates from July 2018 that don’t comply with its Certificate Transparency (CT) Policy. The plans to implement this change were first announced way back in October 2016 with a timeline to enforce the new policy by October 2017. In a forum post describing the plans company had said at that time:
“Publicly trusted website certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency policy in order to be trusted by Chrome.
The Chrome Team believes that the Certificate Transparency ecosystem has advanced sufficiently that October 2017 is an achievable and realistic goal for this requirement.”
However, when CAs, transparency log operators, server developers, and enterprises cited their concerns regarding the timeline of policy enforcement, Google revised the timeline and extended it to April 2018. The company said in a post on official Chromium forum:
“We’ll be moving forward with our plan to require Certificate Transparency for all newly issued, publicly trusted certificates starting in April 2018.”
April 2018 has now passed, a deadline of CT enforcement, but it won’t be put into effect until the release of Chrome 68. If your SSL certificate isn’t registered with a public certificate log and your website is served over a non-compliant connection, so users will show a full-page warning that the site isn’t compliant with the Chromium CT Policy.
Devon O’Brien – a google engineer stated in a Google group discussion,
“In version 68, Chrome will start enforcing that all TLS server certificates issued after April 30, 2018 comply with the Chromium CT Policy in order to be trusted.
Despite some reports that users will begin to see these warnings starting today, sites will not be impacted until the following dates depending on the release channel of Chrome being used.”
|Chrome 67 and earlier
|Chrome 68 Beta
|~June 7, 2018
|Chrome 68 Stable
|~July 24, 2018
At this point, you may be wondering what the fuss is all about and why this CT thing is so important for Google. Well, We’ll try to explain it to you in a brief manner.
All About Google Chrome’s CT Policy
Google Chrome’s CT policy requires all new certificates that are issued in future to be included in one of company’s approved CT logs. If a certificate is not present in any of Google-approved CT logs then it won’t be trusted by Chrome. The CT logs trusted by Google can be seen here on official Chromium CT Policy page of Github. If any website uses a certificate not included in any of the logs mentioned on this page then its visitors will be shown the SSL non-compliant connection warning.
Responsibilities of CAs
Google first made SSL certificates mandatory for websites – that was a job of site owners to buy it to protect online transactions. However, now this new requirement imposed by Google is a job of Certificate Authorities (CAs). Yes – it’s upon CAs to ensure that certificates issued by them are qualified for inclusion in Google’s trusted CT logs; otherwise, those certificates may not be included in the logs, thus causing SSL errors for their associated websites in Chrome. Google spelled out this responsibility of CAs itself in a forum post. The company said:
“CAs issuing TLS certificates with embedded SCTs should ensure they are compliant with the requirements of Qualifying Certificates in the Chromium CT Policy in order to maintain functionality in Chrome.”
And though this policy applies only to certificates issued after April 2018, Google also encourages CAs to include in CT logs older certificates as well. In another forum post while responding to a question on this topic company said that it would encourage all CAs to log previous certificates (a process known as “logging post-issuance”).
Certificate Transparency can make web much more secure than it already is, and that’s why Google is enforcing it. For website owners, it can provide an easy mechanism to track all certificates issued to their organization. In a nutshell, if implemented across the web it can make issuance of fake certificates very difficult, thus closing a major loophole in the system of certificates. Most CAs are already publishing certificate transparency logs and supporting Google to make real and secure Internet world.