Apple will require Certificate Transparency starting October 15

Google and Mozilla have already announced plans to begin enforcing Certificate Transparency

Apple made a major announcement at WWDC earlier today: starting October 15th, all SSL/TLS certificates must be logged in a publicly available CT log to be trusted by the Safari browser.

This follows Certificate Transparency mandates from Google and Mozilla in recent months.  The change will coincide with the release of an update to the Safari browser. Previously only Extended Validation SSL certificates were required to be logged.

Here is Apple’s new Certificate Transparency policy:

Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:

  • At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
  • At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.
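The two alternatives above can be expressed as a small policy check. This is an added example, not Apple's or the post's code: the log approval list and the validity-period table (which the post refers to but does not reproduce) are constructed placeholders, and it counts distinct logs rather than raw SCTs, which is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class SCT:
    log_id: str
    delivery: str  # "embedded", "tls_extension" or "ocsp_stapling"

# Constructed approval list for the example; Apple publishes the real one.
LOG_STATUS = {
    "log-a": "currently_approved",
    "log-b": "currently_approved",
    "log-c": "once_approved",   # approved when the SCT was issued, since retired
    "log-d": "untrusted",
}

# Assumed shape for the validity-period table the post mentions but omits:
# (maximum validity in days, SCTs required). The numbers are placeholders.
VALIDITY_TABLE = [(180, 2), (825, 3), (10_000, 5)]

def _status(sct: SCT) -> str:
    return LOG_STATUS.get(sct.log_id, "untrusted")

def required_scts(validity_days: int, table=VALIDITY_TABLE) -> int:
    """Number of SCTs the (assumed) validity table demands for a certificate."""
    for max_days, count in table:
        if validity_days <= max_days:
            return count
    return table[-1][1]

def ct_policy_branch(scts: Iterable[SCT], validity_days: int,
                     table=VALIDITY_TABLE) -> Optional[str]:
    """Return "A" or "B" for the policy alternative satisfied, else None."""
    scts = list(scts)
    current = [s for s in scts if _status(s) == "currently_approved"]
    ever = [s for s in scts if _status(s) in ("currently_approved", "once_approved")]
    # Assumption: a second SCT from the same log adds no independent evidence.
    n_current = len({s.log_id for s in current})
    n_ever = len({s.log_id for s in ever})
    if n_ever < 2:            # base requirement: two SCTs from approved logs
        return None
    # Alternative A: two currently-approved logs, one SCT via TLS ext / OCSP
    if n_current >= 2 and any(s.delivery in ("tls_extension", "ocsp_stapling")
                              for s in current):
        return "A"
    # Alternative B: one embedded SCT from a current log plus the table count
    if any(s.delivery == "embedded" for s in current) \
            and n_ever >= required_scts(validity_days, table):
        return "B"
    return None
```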

What is Certificate Transparency?

You can find a full explanation of Certificate Transparency here. But if you’re looking for the abridged version, here goes. Google originally developed the system behind Certificate Transparency and has (obviously) been the leader in this area. It’s not terribly complicated: when a certificate is issued, it must be logged in one or several CT logs. These logs are public, so any researcher, end user or watchdog organization can view them. This should help companies handle mis-issuance issues faster, with less disruption.

A number of different organizations run CT logs, including Google, Mozilla and DigiCert.

If a certificate is not logged properly, it will receive the same treatment as an expired or misconfigured certificate: a severe browser warning and the inability to connect with the page. As Apple’s policy states, certificates will have to be logged in at least two logs to be trusted, with longer certificate lifespans requiring publication in more logs.

While Safari accounts for just over 3% of the total desktop browser market share, it has cornered over a quarter (~27%) of the mobile browser market. This policy will be in effect for both Safari desktop and the mobile version that runs on iOS.

Three’s a Crowd

While Apple is the third major browser to announce this change, it’s only the second to give a definitive enforcement date. Google will begin enforcing in July for any certificate issued after April 30. Mozilla hasn’t given a definite date, though it is also committed to CT.

Apple’s policy will affect any certificate issued after October 15th. It is not retroactive, so most people won’t need to worry about this until the next time they’re renewing. It’s also important to point out that Certificate Transparency is only something the industry itself needs to worry about. End users are not required to take any action. Most CAs have already begun, or at least announced plans to begin, logging all SSL/TLS certificates. Any SSL/TLS certificate that isn’t logged will likely be regarded as a mis-issuance.

Facebook has launched a very user-friendly way to look through the CT logs if you’re so inclined.

As always, leave any questions or comments below.

7 comments
  • Hey,

    How about you just break it down for us mugs that buy certs on the SSL store. What do we need to do specifically to ensure our certs comply with CT?

    • End users, resellers – any part of the SSL ecosystem that is not a Certificate Authority – don’t need to do anything. Certificates are logged by the CA during the issuance process. If a certificate doesn’t get logged, it’s on the CA. So nothing needs to change on your end, it’s the CAs that need to do the work.

  • Hi Patrick,
    I self-developed a website and now it seems to be affected by this new policy. The web hosting company had given me free SSL and now my website doesn’t open on the Safari browser. Does this mean that we have to buy paid certificates or are there free certificates out there that can be just downloaded through the WP Plugins feature? If we have to buy, can you recommend one that will be compatible, so that my website works on both Safari and other browsers. Thanks

  • Apple rolled out iOS 12.1.1 Public Beta 2 a couple of days ago and it forces the TLS Transparency certificate changes. Now most of the apps including Twitter, Chrome browser and many other websites also stopped working. Such a huge mess up. No more testing for you Apple.

    Rollback to iOS 12.1 in progress.

    Robin.

Author

Patrick Nohe

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald. He also serves as Content Manager for The SSL Store™.