Certificate Transparency just took a huge step forward.
Mozilla has made a big announcement: “CT is coming to Firefox.” Certificate Transparency, abbreviated as CT, is an incredibly important tool for improving safety for publicly-trusted SSL certificates.
So far, all Mozilla has said is that Firefox will support Certificate Transparency. Its actual policy – including the criteria for log inclusion, and if/when SSL certificates will need to support CT – has not been formed.
Google, whose engineers invented Certificate Transparency, recently made a major announcement: A year from now (October 2017), Chrome will require all SSL certificates to support CT. Chrome has supported, but in most cases not required, CT for over a year. Other browsers have yet to do so because the system was still being perfected.
For those who are unfamiliar, Certificate Transparency is a new-ish addition to our industry. It is a system where Certificate Authorities (CAs) submit their issued certificates to publicly-searchable servers known as “logs.” These logs provide a way for anyone to search for and monitor issued certificates. As the name suggests, the goal is to provide transparency into a CA’s issuance practices.
It is important to know what certificates are being issued because it allows the community – including users and software that relies on publicly-trusted SSL (web browsers) – to spot non-compliance and mis-issuance. CT has already been used to spot multiple cases of CA malfeasance and has helped strengthen the security of Web PKI (the formal name for the entire system that comprises CAs and publicly-trusted SSL Certificates).
Without CT, the only way to know what certificates a CA is issuing is to stumble across them on the internet. Projects like censys.io have collected millions of certificates by conducting internet-wide scans of servers, but that method will always be incomplete. By getting the information directly from the source (the CAs themselves), CT provides better oversight.
The Certificate Transparency system is very similar to the CA system. CT logs can be operated by anyone, just as CAs can, and browsers can accept those logs as valid sources provided the logs follow the necessary policies and practices, much as Root Programs require of CAs.
Mozilla is known for running an extremely transparent Root Program. It operates the program publicly on its mozilla.dev.security.policy mailing list and on the Bugzilla bug-tracking site. Recent discussions, like the one on how to respond to WoSign’s mis-issuances, received over 400 comments.
Gervase Markham, a member of Mozilla’s CA team who started the discussion topic about Certificate Transparency, said at this point Mozilla is trying “to work out the scope of the policy, not what the policy will be.”
If you have any thoughts on what Mozilla should consider, you can share them in the discussion thread.