SSL Certificates will be publicly logged to improve security.
Google’s Chrome team has announced that Certificate Transparency will become a mandatory requirement for all publicly trusted SSL Certificates in 2017.
In the announcement, Google’s Ryan Sleevi stated that “certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency policy in order to be trusted by Chrome.”
Certificates that do not comply will be treated as untrusted in Chrome and present full-page errors, effectively becoming unusable for most cases.
This policy will only apply to new certificates issued from October 2017 onward, allowing existing certificates to continue working without any changes.
Certificate Transparency’s (CT) goal is to provide better insight into the practices of Certificate Authorities (CAs), which are the companies that issue SSL certificates. CT is an entire technical mechanism and process that involves submitting issued SSL certificates to servers operating as “logs,” which are publicly available for monitoring. Once the SSL certificates are logged, they can provide proof of this to browsers (and other clients).
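The "proof" a logged certificate carries is a Signed Certificate Timestamp (SCT): the log's signed promise that the certificate has been (or will be) included in the log. The following is an added example, not code from the article or from any CA or browser, that serializes and parses the SCT list format from RFC 6962 and applies a simplified policy check (SCTs from at least N distinct known logs, no timestamps in the future). The log IDs, the "now" value, and the minimum-log count are constructed assumptions; verifying each SCT's signature against the log's public key is left out because that key material is not part of the example.

```python
import struct

# --- Serialization (RFC 6962 s3.3), used here only to build constructed test input ---

def build_sct(log_id: bytes, timestamp_ms: int, extensions: bytes = b"",
              signature: bytes = b"\x00" * 64) -> bytes:
    """Serialize one v1 SCT: version(1) | log_id(32) | timestamp(8) | extensions | DigitallySigned."""
    body = b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
    body += struct.pack(">H", len(extensions)) + extensions
    # DigitallySigned: hash alg 4 = SHA-256, sig alg 3 = ECDSA, then 2-byte length + signature bytes
    body += b"\x04\x03" + struct.pack(">H", len(signature)) + signature
    return body

def build_sct_list(scts) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then each SCT with its own 2-byte length."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner

# --- Parsing: every length field is checked so truncated or padded input is rejected ---

def parse_sct(sct: bytes) -> dict:
    """Parse a single serialized v1 SCT into its fields."""
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("truncated SCT")
    version = sct[0]
    if version != 0:  # only v1 (value 0) is defined by RFC 6962
        raise ValueError(f"unsupported SCT version {version}")
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    pos = 43
    extensions = sct[pos:pos + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("truncated SCT extensions")
    pos += ext_len
    if len(sct) < pos + 4:
        raise ValueError("truncated DigitallySigned header")
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    (sig_len,) = struct.unpack(">H", sct[pos + 2:pos + 4])
    pos += 4
    signature = sct[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(sct):
        raise ValueError("signature length does not match SCT length")
    return {"version": version, "log_id": log_id, "timestamp_ms": timestamp_ms,
            "extensions": extensions, "hash_alg": hash_alg, "sig_alg": sig_alg,
            "signature": signature}

def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList (as carried in the X.509 extension or TLS extension)."""
    if len(data) < 2:
        raise ValueError("truncated SCT list")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        if len(data) < pos + 2:
            raise ValueError("truncated SCT entry length")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        entry = data[pos:pos + n]
        if len(entry) != n:
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(entry))
        pos += n
    return scts

# --- Simplified policy check (assumed shape, not Chrome's exact rules) ---

def check_ct_policy(scts, trusted_log_ids, min_distinct_logs: int, now_ms: int):
    """Return (ok, distinct_trusted_logs, notes). SCTs from unknown logs are ignored, not fatal."""
    notes, good_logs = [], set()
    for i, s in enumerate(scts):
        if s["log_id"] not in trusted_log_ids:
            notes.append(f"sct[{i}]: log not in trusted set, ignored")
            continue
        if s["timestamp_ms"] > now_ms:
            notes.append(f"sct[{i}]: timestamp is in the future, ignored")
            continue
        good_logs.add(s["log_id"])
    ok = len(good_logs) >= min_distinct_logs
    if not ok:
        notes.append(f"only {len(good_logs)} distinct trusted log(s), need {min_distinct_logs}")
    return ok, len(good_logs), notes

# Constructed sample data (assumptions, not real log IDs): two trusted logs and one unknown log.
LOG_A = bytes([0xA1]) * 32
LOG_B = bytes([0xB2]) * 32
LOG_X = bytes([0xC3]) * 32
NOW_MS = 1_480_000_000_000  # constructed "current time" in ms since the epoch
SAMPLE_LIST = build_sct_list([
    build_sct(LOG_A, NOW_MS - 86_400_000),
    build_sct(LOG_B, NOW_MS - 3_600_000),
    build_sct(LOG_X, NOW_MS - 3_600_000),
])

if __name__ == "__main__":
    ok, n, notes = check_ct_policy(parse_sct_list(SAMPLE_LIST), {LOG_A, LOG_B}, 2, NOW_MS)
    print("compliant:", ok, "distinct trusted logs:", n, notes)
```

The parser rejects any list whose nested length fields disagree with the bytes actually present, which is the property a client needs before trusting any field inside an SCT. In a real client the remaining step is to look up each `log_id` in the browser's log list, verify the signature over the certificate with that log's public key, and then apply the browser's actual diversity rules.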
The idea is that users and industry watchdogs will be able to monitor these CT logs and identify fraudulently issued certificates, allowing for discovery of CA misconduct or compromise – effectively shining a light on CAs’ actions. This system becomes more effective as a higher percentage of certificates are logged – if everything is publicly logged then everything is illuminated, and nothing can be hidden.
Currently, certificate mis-issuance is a huge risk in Web PKI. Mis-issuance is when a CA issues a certificate improperly, usually meaning that the certificate was issued to an unauthorized person, or does not comply with industry standards. This can be a result of the CA being compromised by hackers, or through their own actions (in error, or in a purposeful attempt to circumvent the rules).
While CT is a relatively new system, it has already been widely used by CAs for months, and has helped spot multiple mis-issuances and failures (for example, during WoSign’s recent mis-issuance problems).
For those unfamiliar with CT, know that it has been, and will be, one of the most significant improvements to security and oversight in the industry in years. Sleevi wrote, “the use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance [sic], and importantly, gives new tools to mitigate the damage caused [by non-compliant CAs].”
For users of SSL certificates, there is not much to worry about here. Complying with Chrome’s policy and ‘participating’ in Certificate Transparency is the responsibility of the CA, not its customers.
From a technical standpoint, there are a number of ways to comply with CT logging, and every CA will need to implement the method that works best for them. It will be a major undertaking, rivaling the SHA-1 migration. While some CAs have been logging their certificates for months, many of the world’s CAs have not logged a single certificate.
Google has already required Certificate Transparency for EV SSL certificates but has allowed voluntary participation for all other types of certificates.
This announcement comes just days after one of Google’s own CT logs had a technical failure, causing it to break compliance with Chrome’s policies. There is an ongoing discussion about whether the log should be “distrusted,” and therefore no longer be a valid source for CT information. This has highlighted the fact that there are still some open questions regarding policy and behavior, and is one of the reasons that Google has given a full year’s notice before enforcement.
Google originally made this announcement at the 39th meeting of the CA/Browser Forum, an industry group of Web Browsers and Certificate Authorities that sets standards for publicly issued SSL certificates. The meeting was held in Seattle, Washington.
Other browsers, like Mozilla’s Firefox, have not yet made any announcement that CT will be mandatory, but it is expected that they will.