Just Kidding: Google isn’t Enforcing Certificate Transparency until Chrome 68
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Just Kidding: Google isn’t Enforcing Certificate Transparency until Chrome 68

The deadline was April 30th, but it won’t be enforced until July for most users

Last week we reported that all certificates issued after April 30, 2018 would need to be added to a Certificate Transparency log or users would receive a full-page interstitial warning when accessing a site secured with an unlogged certificate. And that was correct. This is a move that had been in the works for years (since CT logs were created, really) and Google even gave Certificate Authorities a one-year reprieve when it delayed its deadline last year.

Unfortunately, Google’s messaging on this issue has lacked much nuance, which left the rest of us to interpret. Case in point, the CT deadline has passed but Google will not begin enforcing it until July. Google also could have been more explicit that this only affects websites with certificates issued AFTER its deadline, meaning any certificate issued before April 30, 2018 is exempt. That’s led to headlines like this:

Google CT Enforcement

TechRepublic is an extremely respectable media outlet but this is 100% incorrect. Nobody has to log their own certificate post-issuance. That would be absurd. In fact, the blog post that this article is referring to (which is actually a forum post) even says as much (emphasis mine):

In version 68, Chrome will start enforcing that all TLS server certificates issued after April 30, 2018 comply with the Chromium CT Policy in order to be trusted. Main page connections that are served over a non-compliant connection will display a full page warning, and sub-resources served over a non-compliant connection will fail to load.

And frankly, this falls on Google. The vast majority of people do not keep up with Google’s many blogs and follow its forum discussions. And that’s basically what you have to do in order to stay on top of this stuff. And the result of that MO is rampant misinformation.

So let’s clear everything up. The April 30, 2018 Certificate Transparency deadline was for Certificate Authorities. It’s an industry change, consumers don’t need to do anything. At this point, if a CA issues you an SSL certificate that isn’t logged, it’s basically a mis-issuance. And, if for some unfortunate reason, you do get issued an unlogged certificate, you have until the stable release of Chrome 68 in mid-to-late July before the majority of Chrome users will be affected by it. That gives you plenty of time to address the issue with your CA.

Release Channel

Approximate Date

Chrome 67 and earlier

Not Impacted

Chrome 68 Beta

~June 7, 2018

Chrome 68 Stable

~July 24, 2018

There’s also a way for you to check whether your certificate is logged and see if it will trigger any warning:

Site Operators and CAs that wish to test newly-issued certificates for compliance can do so beginning with Chrome 67. Site Operators that wish to simply check if their certificate is CT compliant can open Developer Tools. The Security panel will provide details about the connection and certificate, including whether or not the connection and certificate appropriately support Certificate Transparency. Alternatively, for Site Operators that would like to test non-compliant certificates being actively blocked, they can do so via command-line flags. To test, launch Chrome with the following command-line flags:

--enable-features=”EnforceCTForNewCerts<EnforceCTTrial” --force-fieldtrials=”EnforceCTTrial/Group1” --force-fieldtrial-params=”EnforceCTTrial.Group1:date/1525132800”

So everyone calm down. End users have nothing to worry about. CAs have had a couple of years to become CT compliant. The warnings won’t go into effect for most users until July. It’s going to be OK.

As always, leave any comments or questions below.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.