![A Look at 30 Key Cyber Crime Statistics [2023 Data Update]](https://www.thesslstore.com/blog/wp-content/uploads/2022/02/cyber-crime-statistics-feature2-75x94.jpg)
(No Ratings Yet)
Loading...Google Chrome to Require Certificate Transparency in 2017
SSL Certificates will be publically logged to improve security.
Google’s Chrome team has announced that Certificate Transparency will become a mandatory requirement for all publicly trusted SSL Certificates in 2017.
In the announcement, Google’s Ryan Sleevi stated that “certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency policy in order to be trusted by Chrome.”
Certificates that do not comply will be treated as un-trusted in Chrome and present full-page errors, effectively becoming unusable for most cases.
This policy will only apply to new certificates issued from October 2017 onward, allowing existing certificates to continue working without any changes.
Certificate Transparency’s (CT) goal is to provide better insight into the practices of Certificate Authorities (CAs), which are the companies that issue SSL certificates. CT is an entire technical mechanism and process that involves submitting issued SSL certificates to servers operating as “logs,” which are publicly available for monitoring. Once the SSL certificates are logged, they can provide proof of this to browsers (and other clients).
The idea is that users and industry watchdogs will be able to monitor these CT logs and identify fraudulently issued certificates, allowing for discovery of CA misconduct or compromise – effectively shining a light on CAs’ actions. This system becomes more effective as a higher percentage of certificates are logged – if everything is publically logged then everything is illuminated, and nothing can be hidden.
Currently, certificate mis-issuance is a huge risk in Web PKI. Mis-issuance is when a CA issues a certificate improperly, usually meaning that the certificate was issued to an unauthorized person, or does not comply with industry standards. This can be a result of the CA being compromised by hackers, or through their own actions (in error, or in a purposeful attempt to circumvent the rules).
While CT is a relatively new system, it has already been widely used by CAs for months, and has helped spot multiple mis-issuances and failures (for example, during WoSign’s recent mis-issuance problems).
For those unfamiliar with CT, know that it has been, and will be, one of the most significant improvements to security and oversight in the industry in years. Sleevi wrote, “the use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance [sic], and importantly, gives new tools to mitigate the damage caused [by non-compliant CAs].”
As users of SSL certificates, there is not much to worry about here. Complying with Chrome’s policy and ‘participating’ in Certificate Transparency is the responsibility of the CA, not their customers.
From a technical standpoint, there are a number of ways to comply with CT logging, and every CA will need to implement the method that works best for them. It will be a major undertaking, rivaling the SHA-1 migration. While some CAs have been logging their certificates for months, many of the world’s CAs have not logged a single certificate.
Google has already required Certificate Transparency for EV SSL certificates but has allowed voluntary participation for all other types of certificates.
This announcement comes just days after one of Google’s own CT logs had a technical failure, causing them to break compliance with Chrome’s policies. There is an on-going discussion if the log should be “dis-trusted,” and therefore no longer be a valid source for CT information. This has highlighted the fact that there are still some open questions regarding policy and behavior, and is one of the reasons that Google has given a full years notice before enforcement.
Google originally made this announcement at the 39th meeting of the CA/Browser Forum, an industry group of Web Browsers and Certificate Authorities that sets standards for publically-issued SSL certificates. The meeting was held in Seattle, Washington.
Other browsers, like Mozilla’s Firefox, have not yet made any announcement that CT will be mandatory, but it is expected that they will.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown