The deadline was April 30th, but it won’t be enforced until July for most users
Last week we reported that all certificates issued after April 30, 2018 would need to be added to a Certificate Transparency log or users would receive a full-page interstitial warning when accessing a site secured with an unlogged certificate. And that was correct. This is a move that had been in the works for years (since CT logs were created, really) and Google even gave Certificate Authorities a one-year reprieve when it delayed its deadline last year.
Unfortunately, Google’s messaging on this issue has lacked much nuance, which left the rest of us to interpret. Case in point, the CT deadline has passed but Google will not begin enforcing it until July. Google also could have been more explicit that this only affects websites with certificates issued AFTER its deadline, meaning any certificate issued before April 30, 2018 is exempt. That’s led to headlines like this:
TechRepublic is an extremely respectable media outlet but this is 100% incorrect. Nobody has to log their own certificate post-issuance. That would be absurd. In fact, the blog post that this article is referring to (which is actually a forum post) even says as much (emphasis mine):
In version 68, Chrome will start enforcing that all TLS server certificates issued after April 30, 2018 comply with the Chromium CT Policy in order to be trusted. Main page connections that are served over a non-compliant connection will display a full page warning, and sub-resources served over a non-compliant connection will fail to load.
And frankly, this falls on Google. The vast majority of people do not keep up with Google’s many blogs and follow its forum discussions. And that’s basically what you have to do in order to stay on top of this stuff. And the result of that MO is rampant misinformation.
So let’s clear everything up. The April 30, 2018 Certificate Transparency deadline was for Certificate Authorities. It’s an industry change, consumers don’t need to do anything. At this point, if a CA issues you an SSL certificate that isn’t logged, it’s basically a mis-issuance. And, if for some unfortunate reason, you do get issued an unlogged certificate, you have until the stable release of Chrome 68 in mid-to-late July before the majority of Chrome users will be affected by it. That gives you plenty of time to address the issue with your CA.
Chrome 67 and earlier
Chrome 68 Beta: ~June 7, 2018
Chrome 68 Stable: ~July 24, 2018
There’s also a way for you to check whether your certificate is logged and see if it will trigger any warning:
Site Operators and CAs that wish to test newly-issued certificates for compliance can do so beginning with Chrome 67. Site Operators that wish to simply check if their certificate is CT compliant can open Developer Tools. The Security panel will provide details about the connection and certificate, including whether or not the connection and certificate appropriately support Certificate Transparency. Alternatively, for Site Operators that would like to test non-compliant certificates being actively blocked, they can do so via command-line flags. To test, launch Chrome with the following command-line flags:
--enable-features="EnforceCTForNewCerts<EnforceCTTrial" --force-fieldtrials="EnforceCTTrial/Group1" --force-fieldtrial-params="EnforceCTTrial.Group1:date/1525132800"
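The Security panel does this check inside the browser. As an added illustration (not code from the post or from Google), the stdlib-only Python script below applies the same rule offline: it decodes an embedded SCT list in the RFC 6962 TLS encoding and compares the certificate's notBefore date with the cutoff that the field-trial parameter encodes (date/1525132800 is 2018-05-01T00:00:00Z, i.e. the first moment after April 30). The SCT list and the log IDs in it are constructed for the demonstration.

```python
import struct
from datetime import datetime, timezone

# Chrome 68 enforces CT only for certificates issued after April 30, 2018.
# The field-trial parameter date/1525132800 is that cutoff as a Unix time.
CT_ENFORCEMENT_CUTOFF = datetime.fromtimestamp(1525132800, tz=timezone.utc)


def _u16(buf, pos):
    # Big-endian uint16 at pos, raising ValueError instead of struct.error.
    if pos + 2 > len(buf):
        raise ValueError("truncated SCT list at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_sct_list(blob):
    """Decode an RFC 6962 SignedCertificateTimestampList, the TLS-encoded
    value carried in the 1.3.6.1.4.1.11129.2.4.2 certificate extension.
    Returns [(log_id_hex, timestamp_ms), ...]; signatures are not verified."""
    total = _u16(blob, 0)
    if 2 + total != len(blob):
        raise ValueError("SCT list length does not match payload")
    pos, scts = 2, []
    while pos < len(blob):
        sct_len = _u16(blob, pos)
        sct = blob[pos + 2:pos + 2 + sct_len]
        pos += 2 + sct_len
        # Fixed prefix: version(1) + log_id(32) + timestamp(8) + ext_len(2).
        if len(sct) < 43 or sct[0] != 0:
            raise ValueError("malformed or non-v1 SCT")
        scts.append((sct[1:33].hex(), struct.unpack("!Q", sct[33:41])[0]))
    return scts


def chrome68_verdict(not_before, embedded_sct_list):
    """Pre-deadline certificates are exempt; later ones need SCTs.
    Returns (status, number_of_embedded_scts). The full Chromium CT policy
    also requires a minimum SCT count that depends on certificate lifetime
    and accepts SCTs via TLS extension or OCSP; neither is modelled here."""
    if not_before < CT_ENFORCEMENT_CUTOFF:
        return ("exempt", 0)
    scts = parse_sct_list(embedded_sct_list) if embedded_sct_list else []
    return ("compliant", len(scts)) if scts else ("non-compliant", 0)


def _fake_sct(log_id, ts_ms):
    # Constructed, unsigned SCT for exercising the parser only: 64 zero bytes
    # stand in for an ECDSA/SHA-256 signature that no real log produced.
    body = (b"\x00" + log_id + struct.pack("!Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack("!H", 64) + bytes(64))
    return struct.pack("!H", len(body)) + body


# Constructed sample: two SCTs from two fictitious logs, issued May 2018.
_SCTS = _fake_sct(b"\x11" * 32, 1526000000000) + _fake_sct(b"\x22" * 32, 1526000005000)
SAMPLE_SCT_LIST = struct.pack("!H", len(_SCTS)) + _SCTS
```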
So everyone calm down. End users have nothing to worry about. CAs have had a couple of years to become CT compliant. The warnings won’t go into effect for most users until July. It’s going to be OK.
As always, leave any comments or questions below.