Chrome Delays Certificate Transparency Requirement to 2018
Google moves the certificate transparency requirement back to 2018.
Google’s Certificate Transparency (CT) project promises to be one of the most significant improvements to the SSL ecosystem of all time (yes, seriously, it’s that good).
But as the old adage says, good things take time. While Certificate Transparency is up and running now, it’s optional for the majority of CAs. This means that CT can’t provide its full benefits because it can’t yet know about all certificates being issued.
Google’s Chrome browser will fix that by making CT logging a mandatory requirement for all SSL certificates that want to be trusted. But the date for mandatory Certificate Transparency compliance has been pushed back 6 months – from October of this year to April 2018. Google announced this news a few weeks back at the end of April.
The announcement came after Google hosted “CT Days” – a two-day conference for CAs, CDNs, log operators, and anyone else involved with or affected by Certificate Transparency. What they learned from that conference was that more time was needed to make sure everything was totally ready for an ecosystem-wide rollout.
Ryan Sleevi, one of Chrome’s engineers, noted that with the additional six months they hope to see “a deployment that helps protect other browsers’ users in addition to Chrome.” Last year Firefox announced they would be supporting CT, but have not yet committed to an enforcement date.
Chrome is also working on implementing a new HTTP header, expect-ct, which will allow server operators to test that their configurations and certificates are properly set up ahead of the deadline.
It’s undeniable that Certificate Transparency is a major change to the SSL ecosystem – this poses both technical challenges and, for the enterprise sector, concern over the idea that all their certificates will be publicly available.
For instance, earlier this year, the east coast outage of Amazon’s S3 cloud service caused Venafi’s log to fail – demonstrating just how demanding it can be to reliably run a log. Meanwhile the IETF is still finalizing some standards work.
There are also some ‘privacy concerns,’ particularly from the enterprise sector, that having their hostnames publicly known poses a security and privacy risk. There continues to be debate over ‘name redaction’ – which would allow partial censoring of the hostname in CT logs. Google has remained skeptical about most of these concerns, as have I, chalking it up to outdated threat models and fear of change, rather than legitimate risks.
But there is no doubt that Certificate Transparency will bring huge benefits to the ecosystem. Even now, with only partial logging, CT has already caught a number of issues.