Just Kidding: Google isn’t Enforcing Certificate Transparency until Chrome 68
The deadline was April 30th, but it won’t be enforced until July for most users
Last week we reported that all certificates issued after April 30, 2018 would need to be added to a Certificate Transparency log or users would receive a full-page interstitial warning when accessing a site secured with an unlogged certificate. And that was correct. This is a move that had been in the works for years (since CT logs were created, really) and Google even gave Certificate Authorities a one-year reprieve when it delayed its deadline last year.
Unfortunately, Google’s messaging on this issue has lacked nuance, leaving the rest of us to interpret it. Case in point: the CT deadline has passed, but Google will not begin enforcing it until July. Google also could have been more explicit that this only affects websites with certificates issued AFTER its deadline, meaning any certificate issued before April 30, 2018 is exempt regardless of whether it was ever logged. That’s led to headlines like this:
TechRepublic is an extremely respectable media outlet but this is 100% incorrect. Nobody has to log their own certificate post-issuance. That would be absurd. In fact, the blog post that this article is referring to (which is actually a forum post) even says as much (emphasis mine):
In version 68, Chrome will start enforcing that all TLS server certificates issued after April 30, 2018 comply with the Chromium CT Policy in order to be trusted. Main page connections that are served over a non-compliant connection will display a full page warning, and sub-resources served over a non-compliant connection will fail to load.
And frankly, this falls on Google. The vast majority of people do not keep up with Google’s many blogs and follow its forum discussions, yet that is essentially what you have to do in order to stay on top of this stuff. The result of that MO is rampant misinformation.
So let’s clear everything up. The April 30, 2018 Certificate Transparency deadline was for Certificate Authorities. It’s an industry change; consumers don’t need to do anything. At this point, if a CA issues you an SSL certificate that isn’t logged (that is, one with no embedded SCTs and no SCTs delivered via OCSP stapling or the TLS extension), it has issued a certificate Chrome will not trust, and you should treat it like a mis-issuance and ask for a replacement. And if, for some unfortunate reason, you do get issued an unlogged certificate, you have until the stable release of Chrome 68 in mid-to-late July before the majority of Chrome users are affected by it. That gives you plenty of time to address the issue with your CA.
Release Channel        | Approximate Date
Chrome 67 and earlier  | Not Impacted
Chrome 68 Beta         | ~June 7, 2018
Chrome 68 Stable       | ~July 24, 2018
There’s also a way for you to check whether your certificate is logged and see if it will trigger any warning:
Site Operators and CAs that wish to test newly-issued certificates for compliance can do so beginning with Chrome 67. Site Operators that wish to simply check if their certificate is CT compliant can open Developer Tools. The Security panel will provide details about the connection and certificate, including whether or not the connection and certificate appropriately support Certificate Transparency. Alternatively, for Site Operators that would like to test non-compliant certificates being actively blocked, they can do so via command-line flags. To test, launch Chrome with the following command-line flags:
--enable-features="EnforceCTForNewCerts<EnforceCTTrial" --force-fieldtrials="EnforceCTTrial/Group1" --force-fieldtrial-params="EnforceCTTrial.Group1:date/1525132800"
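To make the cutoff and the policy concrete, here is an added example (not code from this article, from Google, or from Chromium): a dependency-free Python check that parses a certificate’s embedded SCT list (the RFC 6962 SignedCertificateTimestampList carried in X.509 extension 1.3.6.1.4.1.11129.2.4.2), applies the same notBefore cutoff as the flags quoted above (1525132800 is the epoch time of 2018-05-01T00:00:00Z, i.e. “issued after April 30”), and compares the number of SCTs from distinct logs against the per-lifetime counts in the 2018 Chromium CT policy (2 for lifetimes under 15 months, 3 up to 27 months, 4 up to 39 months, 5 beyond). Everything it feeds itself is constructed: the SCTs carry placeholder signatures that would not verify against any real log, the log IDs are made up, and month counting is a calendar approximation of how the policy measures lifetime. The policy’s log-diversity rule (at least one Google and one non-Google log) and its log-qualification rule are noted in the code but not checked, because they need Chrome’s log list.

```python
"""Added example: check a certificate's embedded SCTs against the Chrome 68 CT policy."""
import struct
from datetime import datetime, timezone

# Epoch seconds for 2018-05-01T00:00:00Z, the "date/..." value in the flags quoted above.
# A certificate whose notBefore is at or after this instant is subject to enforcement.
ENFORCEMENT_EPOCH = 1525132800


def _parse_utc(ts: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _der_octet_string(payload: bytes) -> bytes:
    """Wrap payload in a DER OCTET STRING (short or 2-byte long length form)."""
    if len(payload) < 0x80:
        return b"\x04" + bytes([len(payload)]) + payload
    return b"\x04\x82" + struct.pack(">H", len(payload)) + payload

def _der_unwrap_octet_string(der: bytes) -> bytes:
    """Return the content of a DER OCTET STRING, checking tag and length."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    if der[1] < 0x80:
        n, start = der[1], 2
    elif der[1] == 0x81:
        n, start = der[2], 3
    elif der[1] == 0x82:
        n, start = struct.unpack(">H", der[2:4])[0], 4
    else:
        raise ValueError("unsupported DER length form")
    if len(der) != start + n:
        raise ValueError("DER length mismatch")
    return der[start:]

def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    """Serialise one RFC 6962 v1 SCT. Constructed for this example: the signature is a
    placeholder that would not verify against any real log key."""
    if len(log_id) != 32:
        raise ValueError("log_id is the 32-byte SHA-256 of the log's public key")
    signature = b"\x30\x06\x02\x01\x01\x02\x01\x01"  # placeholder DER ECDSA-Sig-Value
    return (b"\x00" + log_id                         # sct_version = v1, then log id
            + struct.pack(">Q", timestamp_ms)        # uint64 milliseconds since epoch
            + struct.pack(">H", 0)                   # no CT extensions
            + b"\x04\x03"                            # sha256 / ecdsa (RFC 5246 ids)
            + struct.pack(">H", len(signature)) + signature)

def encode_sct_list(scts) -> bytes:
    """TLS-encode a SignedCertificateTimestampList and wrap it in the DER OCTET STRING
    that forms the value of X.509 extension 1.3.6.1.4.1.11129.2.4.2."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return _der_octet_string(struct.pack(">H", len(body)) + body)

def parse_sct_list(extension_value: bytes):
    """Inverse of encode_sct_list: one dict per SCT with log_id and timestamp_ms."""
    tls = _der_unwrap_octet_string(extension_value)
    if struct.unpack(">H", tls[:2])[0] != len(tls) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(tls):
        n = struct.unpack(">H", tls[pos:pos + 2])[0]
        sct, pos = tls[pos + 2:pos + 2 + n], pos + 2 + n
        if sct[0] != 0:
            raise ValueError("unknown SCT version %d" % sct[0])
        sig_at = 43 + struct.unpack(">H", sct[41:43])[0]   # past version, log_id, ts, extensions
        sig_len = struct.unpack(">H", sct[sig_at + 2:sig_at + 4])[0]
        if sig_at + 4 + sig_len != len(sct):
            raise ValueError("SCT signature length mismatch")
        scts.append({"log_id": sct[1:33], "timestamp_ms": struct.unpack(">Q", sct[33:41])[0]})
    return scts

def required_sct_count(not_before: str, not_after: str) -> int:
    """Embedded-SCT counts from the 2018 Chromium CT policy by certificate lifetime
    (calendar months; an approximation of how the policy measures lifetime)."""
    a, b = _parse_utc(not_before), _parse_utc(not_after)
    months = (b.year - a.year) * 12 + (b.month - a.month) - (1 if b.day < a.day else 0)
    return 2 if months < 15 else 3 if months <= 27 else 4 if months <= 39 else 5

def chrome68_ct_verdict(not_before: str, not_after: str, sct_extension: bytes = None) -> dict:
    """Is the cert subject to enforcement, and do SCTs from distinct logs meet the count?
    Not checked here (needs Chrome's log list): one Google plus one non-Google log, and
    that each log was qualified when it issued the SCT."""
    if _parse_utc(not_before).timestamp() < ENFORCEMENT_EPOCH:
        return {"enforced": False, "compliant": True, "scts": 0, "required": 0}
    logs = {s["log_id"] for s in (parse_sct_list(sct_extension) if sct_extension else [])}
    required = required_sct_count(not_before, not_after)
    return {"enforced": True, "compliant": len(logs) >= required,
            "scts": len(logs), "required": required}

def demo() -> dict:
    """Constructed inputs: two imaginary logs, SCTs timestamped 2018-05-02T00:00:00Z."""
    two = encode_sct_list([build_sct(b"\x01" * 32, 1525219200000),
                           build_sct(b"\x02" * 32, 1525219200000)])
    one = encode_sct_list([build_sct(b"\x01" * 32, 1525219200000)])
    return {
        "pre_deadline_no_scts": chrome68_ct_verdict("2018-04-15T00:00:00Z", "2019-04-15T00:00:00Z"),
        "one_year_two_logs": chrome68_ct_verdict("2018-05-02T00:00:00Z", "2019-05-01T00:00:00Z", two),
        "one_year_one_log": chrome68_ct_verdict("2018-05-02T00:00:00Z", "2019-05-01T00:00:00Z", one),
        "two_years_two_logs": chrome68_ct_verdict("2018-05-02T00:00:00Z", "2020-05-01T00:00:00Z", two),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The four constructed cases in demo() cover the situations the article describes: a certificate issued before the deadline is not subject to enforcement even with no SCTs at all; a one-year certificate issued after it needs SCTs from two distinct logs and passes with two but fails with one; and the same two SCTs are no longer enough once the lifetime crosses the 15-month threshold, because the count requirement rises to three. To run it against a real certificate, pass its notBefore/notAfter and the raw value of the SCT-list extension as extracted by your X.509 tooling; the Developer Tools Security panel mentioned above remains the authoritative answer, since only Chrome applies its own log list.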
So everyone calm down. End users have nothing to worry about. CAs have had a couple of years to become CT compliant. The warnings won’t go into effect for most users until July. It’s going to be OK.
As always, leave any comments or questions below.