Google moves the certificate transparency requirement back to 2018.
Google’s Certificate Transparency (CT) project promises to be one of the most significant improvements to the SSL ecosystem of all time (yes, seriously, it’s that good).
But as the old adage says, good things take time. While Certificate Transparency is up and running now, it’s optional for the majority of CAs. This means that CT can’t provide its full benefits because it can’t yet know about all certificates being issued.
Google’s Chrome browser will fix that by making CT logging a mandatory requirement for all SSL certificates that want to be trusted. But the date for mandatory Certificate Transparency compliance has been pushed back 6 months – from October of this year to April 2018. Google announced this news a few weeks back at the end of April.
The announcement came after Google hosted “CT Days” – a two-day conference for CAs, CDNs, log operators, and anyone else involved with or affected by Certificate Transparency. What they learned from that conference was that more time was needed to make sure everything was totally ready for an ecosystem-wide rollout.
Ryan Sleevi, one of Chrome’s engineers, noted that with the additional six months they hope to see “a deployment that helps protect other browsers’ users in addition to Chrome.” Last year Firefox announced they would be supporting CT, but have not yet committed to an enforcement date.
Chrome is also working on implementing a new HTTP response header, Expect-CT, which will allow server operators to test that their configurations and certificates are properly set up ahead of the deadline.
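As an added illustration (not code from the original post or from Chrome), the small parser below reads an Expect-CT header value the way a CT-enforcing browser would and reports whether the policy is report-only, enforcing, or malformed enough to be ignored. The directive names (max-age, enforce, report-uri) come from the Expect-CT specification; the hostnames in the sample values are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A directive is `name` or `name=value`; value is a token or a quoted-string.
_DIRECTIVE_RE = re.compile(
    r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("([^"]*)"|([^\s",;]+)))?\s*$')


@dataclass
class ExpectCT:
    max_age: Optional[int] = None
    enforce: bool = False
    report_uri: Optional[str] = None
    problems: List[str] = field(default_factory=list)

    @property
    def mode(self) -> str:
        """What a CT-enforcing browser does with this policy."""
        if self.problems:
            return "ignored"          # malformed header: no policy is applied
        return "enforce" if self.enforce else "report-only"


def parse_expect_ct(value: str) -> ExpectCT:
    policy, seen = ExpectCT(), set()
    for raw in value.split(","):
        if not raw.strip():
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            policy.problems.append(f"malformed directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()
        val = m.group(3) if m.group(3) is not None else m.group(4)
        if name in seen:              # duplicates invalidate the header, as in HSTS
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":         # required; seconds the policy is cached
            if val is None or not val.isdigit():
                policy.problems.append("max-age must be a non-negative integer")
            else:
                policy.max_age = int(val)
        elif name == "enforce":       # valueless flag: fail connections, not just report
            if val is not None:
                policy.problems.append("enforce takes no value")
            policy.enforce = True
        elif name == "report-uri":    # where CT failures are reported
            if not val:
                policy.problems.append("report-uri needs a URL")
            policy.report_uri = val
        # unknown directives are ignored rather than treated as errors
    if policy.max_age is None:
        policy.problems.append("max-age is required")
    return policy
```

Deploying with max-age and report-uri but without enforce is the low-risk way to find certificates that lack CT evidence before the Chrome deadline.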
It’s undeniable that Certificate Transparency is a major change to the SSL ecosystem – this poses both technical challenges and, for the enterprise sector, concern over the idea that all their certificates will be publicly available.
For instance, earlier this year, the east coast outage of Amazon’s S3 cloud service caused Venafi’s log to fail – demonstrating just how demanding it can be to reliably run a log. Meanwhile the IETF is still finalizing some standards work.
There are also some ‘privacy concerns,’ particularly from the enterprise sector, that having their hostnames publicly known poses a security and privacy risk. There continues to be debate over ‘name redaction’ – which would allow partial censoring of the hostname in CT logs. Google has remained skeptical about most of these concerns, as have I, chalking it up to outdated threat models and fear of change, rather than legitimate risks.