Chrome Delays Certificate Transparency Requirement to 2018
Google moves the certificate transparency requirement back to 2018.
Google’s Certificate Transparency (CT) project promises to be one of the most significant improvements to the SSL ecosystem of all time (yes, seriously, it’s that good).
But as the old adage says, good things take time. While Certificate Transparency is up and running now, it is optional for the majority of CAs. This means that CT cannot yet provide its full benefits, because it cannot know about all certificates being issued.
Google’s Chrome browser will fix that by making CT logging a mandatory requirement for all SSL certificates that want to be trusted. But the date for mandatory Certificate Transparency compliance has been pushed back 6 months – from October of this year to April 2018. Google announced this news a few weeks back at the end of April.
The announcement came after Google hosted “CT Days” – a two-day conference for CAs, CDNs, log operators, and anyone else involved with or affected by Certificate Transparency. What they learned from that conference was that more time was needed to make sure everything was totally ready for an ecosystem-wide rollout.
Ryan Sleevi, one of Chrome’s engineers, noted that with the additional six months they hope to see “a deployment that helps protect other browsers’ users in addition to Chrome.” Last year Firefox announced they would be supporting CT, but have not yet committed to an enforcement date.
Chrome is also working on implementing a new HTTP header, Expect-CT, which will allow server operators to test that their configurations and certificates are properly set up ahead of the deadline.
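As an added example (not code from the original article or from the Chrome project), the following Python parses an Expect-CT header value and flags rollout mistakes a server operator would want to catch while testing. The directive syntax it accepts (max-age, enforce, report-uri) is the one later standardised for Expect-CT; the article itself only names the header, so treating that syntax as the contract is an assumption here, and all header values below are constructed samples.

```python
"""Parse and sanity-check an Expect-CT header value.

Directive syntax (max-age, enforce, report-uri) is assumed from the
Expect-CT specification; the header values used in the usage section
and tests are constructed samples, not real server responses.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class ExpectCT:
    max_age: int
    enforce: bool
    report_uri: Optional[str]

    @property
    def mode(self) -> str:
        """'enforce' fails non-CT-compliant connections; 'report-only' just reports them."""
        return "enforce" if self.enforce else "report-only"


def parse_expect_ct(value: str) -> ExpectCT:
    """Parse a header value such as: max-age=86400, enforce, report-uri="https://..."

    Simplification: directives are split on commas, so a report-uri that itself
    contains a comma is not supported.
    """
    max_age: Optional[int] = None
    enforce = False
    report_uri: Optional[str] = None
    seen = set()

    for raw in value.split(","):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)

        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "enforce":
            if arg:
                raise ValueError("enforce takes no value")
            enforce = True
        elif name == "report-uri":
            uri = arg.strip().strip('"')
            parsed = urlparse(uri)
            if parsed.scheme != "https" or not parsed.netloc:
                raise ValueError("report-uri must be an absolute https URL")
            report_uri = uri
        # Unknown directives are ignored, as a browser would ignore them.

    if max_age is None:
        raise ValueError("max-age is required")
    return ExpectCT(max_age, enforce, report_uri)


def rollout_advice(policy: ExpectCT) -> List[str]:
    """Return findings about a policy that would make a staged rollout painful."""
    notes: List[str] = []
    if policy.enforce and policy.report_uri is None:
        notes.append("enforcing with no report-uri: failures will be invisible to you")
    if not policy.enforce and policy.report_uri is None:
        notes.append("report-only with no report-uri: the header has no observable effect")
    if policy.enforce and policy.max_age > 30 * 86400:
        notes.append("long max-age while enforcing: a misconfiguration stays cached that long")
    return notes


if __name__ == "__main__":
    # Constructed sample: the report-only form an operator would deploy first.
    sample = 'max-age=86400, report-uri="https://ct-report.example.com/r"'
    policy = parse_expect_ct(sample)
    print(policy.mode, policy.max_age, policy.report_uri)
    for note in rollout_advice(policy):
        print("finding:", note)
```

The intended sequence is to ship the report-only form (max-age plus a report-uri, no enforce) until the reports stop arriving, and only then add enforce; `rollout_advice` points out the two configurations that skip that feedback loop.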
It’s undeniable that Certificate Transparency is a major change to the SSL ecosystem – this poses both technical challenges and, for the enterprise sector, concern over the idea that all their certificates will be publicly available.
For instance, earlier this year, the east coast outage of Amazon’s S3 cloud service caused Venafi’s log to fail – demonstrating just how demanding it can be to reliably run a log. Meanwhile the IETF is still finalizing some standards work.
There are also some ‘privacy concerns,’ particularly from the enterprise sector, that having their hostnames publicly known poses a security and privacy risk. There continues to be debate over ‘name redaction’ – which would allow partial censoring of the hostname in CT logs. Google has remained skeptical about most of these concerns, as have I, chalking them up to outdated threat models and fear of change rather than legitimate risks.
But there is no doubt that Certificate Transparency will bring huge benefits to the ecosystem. Even now, with only partial logging, CT has already caught a number of issues.