Google and Mozilla have already announced plans to begin enforcing Certificate Transparency
Apple made a major announcement at WWDC earlier today: starting October 15th, all SSL/TLS certificates must be logged in a publicly available CT log to be trusted by the Safari browser.
This follows Certificate Transparency mandates from Google and Mozilla in recent months. The change will coincide with the release of an update to the Safari browser. Previously only Extended Validation SSL certificates were required to be logged.
Here is Apple’s new Certificate Transparency policy
Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:
- At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
- At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.
What is Certificate Transparency?
You can find a full explanation of Certificate Transparency here. But if you’re looking for the abridged version, here goes. Google originally developed the system behind certificate transparency and has (obviously) been the leader in this area. It’s not terribly complicated, when a certificate is issued it must be logged in one, or several CT logs. These logs are public, so any researcher, end user or watch dog organization can view them. This should help companies handle mis-issuance issues faster, with less disruption.
A number of different organizations run CT logs, including Google, Mozilla and DigiCert.
If a certificate is not logged properly, it will receive the same treatment as an expired or misconfigured certificate: a severe browser warning and the inability to connect with the page. As Apple’s policy states, certificates will have to be logged in at least two logs to be trusted, with longer certificate lifespans requiring publication in more logs.
While Safari accounts for just over 3% of the total desktop browser marketshare, it has cornered over a quarter (~27%) of the mobile browser market. This policy will be in effect for both Safari desktop and the mobile version that runs on iOS.
Three’s a Crowd
While Apple is the third major browser to announce this change, it’s only the second to give a definitive enforcement date. Google will begin enforcing in July for any certificate issued after April 30. Mozilla hasn’t given a definite date, though it is also committed to CT.
Apple’s policy will affect any certificate issued after October 15th. It is not retroactive, so most people won’t need to worry about this until the next time they’re renewing. It’s also important to point out that Certificate Transparency is only something the industry itself needs to worry about. End users are not required to take any action. Most CAs have already begun, or at least announced plans to begin loggin all SSL/TLS certificates. Any SSL/TLS certificate that isn’t logged will likely be regarded as a mis-issuance.
Facebook has launched a very user-friendly way to look through the CT logs if you’re so inclined.
As always, leave any questions or comments below.