Apple will require Certificate Transparency starting October 15
Google and Mozilla have already announced plans to begin enforcing Certificate Transparency
Apple made a major announcement at WWDC earlier today: starting October 15th, all SSL/TLS certificates must be logged in a publicly available CT log to be trusted by the Safari browser.
This follows Certificate Transparency mandates from Google and Mozilla in recent months. The change will coincide with the release of an update to the Safari browser. Previously only Extended Validation SSL certificates were required to be logged.
Here is Apple’s new Certificate Transparency policy:
Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:
- At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
- At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.
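The policy quoted above, as an added example (not Apple's or the article's code): a small Python check that evaluates a certificate's SCTs against the two options Apple lists. The validity-period table is not reproduced on this page, so the count it demands is passed in as a parameter, and the log identifiers and approval statuses are constructed labels.

```python
from dataclasses import dataclass
from enum import Enum


class Delivery(Enum):
    EMBEDDED = "embedded"              # SCT carried inside the certificate
    TLS_EXTENSION = "tls_extension"    # SCT sent in the TLS handshake
    OCSP_STAPLING = "ocsp_stapling"    # SCT carried in a stapled OCSP response


class LogStatus(Enum):
    CURRENT = "currently approved"
    ONCE = "once approved"             # approved when issued, since retired
    NEVER = "never approved"


@dataclass(frozen=True)
class SCT:
    log_id: str          # constructed label, not a real CT log identifier
    status: LogStatus    # the issuing log's approval status at time of check
    delivery: Delivery


def satisfies_apple_ct_policy(scts, required_for_validity):
    """True when the SCT set meets the quoted policy.

    required_for_validity is the count Apple's validity-period table demands;
    the table is not on this page, so the caller supplies it (an assumption
    of this example). Each log counts once, per "logged in at least two logs".
    """
    approved = [s for s in scts if s.status is not LogStatus.NEVER]
    current = [s for s in approved if s.status is LogStatus.CURRENT]
    approved_logs = {s.log_id for s in approved}

    # Baseline: at least two SCTs from distinct once- or currently-approved logs.
    if len(approved_logs) < 2:
        return False

    # Option 1: two currently-approved logs, with at least one SCT presented
    # live (TLS extension or OCSP stapling) rather than embedded at issuance.
    live = {Delivery.TLS_EXTENSION, Delivery.OCSP_STAPLING}
    option1 = (len({s.log_id for s in current}) >= 2
               and any(s.delivery in live for s in current))

    # Option 2: one embedded SCT from a currently-approved log plus the
    # validity-period count from once- or currently-approved logs.
    option2 = (any(s.delivery is Delivery.EMBEDDED for s in current)
               and len(approved_logs) >= required_for_validity)
    return option1 or option2
```

A certificate that embeds two SCTs, one from a log that has since been retired, passes only while the validity-period count stays at two; the same log presented twice (embedded and stapled) never satisfies the two-log baseline.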
What is Certificate Transparency?
You can find a full explanation of Certificate Transparency here. But if you’re looking for the abridged version, here goes. Google originally developed the system behind Certificate Transparency and has (obviously) been the leader in this area. It’s not terribly complicated: when a certificate is issued, it must be logged in one or several CT logs. These logs are public, so any researcher, end user or watchdog organization can view them. This should help companies handle mis-issuance issues faster, with less disruption.
A number of different organizations run CT logs, including Google, Mozilla and DigiCert.
If a certificate is not logged properly, it will receive the same treatment as an expired or misconfigured certificate: a severe browser warning and the inability to connect with the page. As Apple’s policy states, certificates will have to be logged in at least two logs to be trusted, with longer certificate lifespans requiring publication in more logs.
While Safari accounts for just over 3% of the total desktop browser market share, it has cornered over a quarter (~27%) of the mobile browser market. This policy will be in effect for both Safari desktop and the mobile version that runs on iOS.
Three’s a Crowd
While Apple is the third major browser to announce this change, it’s only the second to give a definitive enforcement date. Google will begin enforcing in July for any certificate issued after April 30. Mozilla hasn’t given a definite date, though it is also committed to CT.
Apple’s policy will affect any certificate issued after October 15th. It is not retroactive, so most people won’t need to worry about this until the next time they’re renewing. It’s also important to point out that Certificate Transparency is only something the industry itself needs to worry about. End users are not required to take any action. Most CAs have already begun, or at least announced plans to begin, logging all SSL/TLS certificates. Any SSL/TLS certificate that isn’t logged will likely be regarded as a mis-issuance.
Facebook has launched a very user-friendly way to look through the CT logs if you’re so inclined.
As always, leave any questions or comments below.