Only Certificate Authorities need to worry about Certificate Transparency
End users, resellers and enterprise clients don’t need to take any action for CT
One of the most common questions we’re getting about all of these Certificate Transparency announcements is: “what do I need to do comply with CT?”
If you’re not a Certificate Authority, the answer is: nothing.
The party responsible for logging the certificates is the issuing Certificate Authority. And when you think about it, that also makes the most sense. The CA has to handle validation and issue the certificate off its own PKI, it has the biggest vested interest in making sure that the certificate is trusted by browsers. After all, it doesn’t take too many mis-issuances to attract the attention of Google and Mozilla.
How does Certificate Transparency work?
To help you better understand why you don’t need to worry about Certificate Transparency unless you’re a Certificate Authority, let’s look at how it all works:
- The process begins when the CA creates a “pre-certificate.” This pre-certificate contains all the same information that will be included in the SSL certificate. It gets sent to the CA’s preferred CT log server at the outset of the process.
- The CT log server responds to the pre-certificate by returning a Signed Certificate Timestamp or SCT. You might have see SCT thrown around in relation to Certificate Transparency before. An SCT is essentially a tokenized promise to log the certificate within 24 hours of receipt. This is known as the Maximum Merge Delay (MMD).
- The CA takes the SCT and adds it to the body of the SSL certificate when it’s issued. That SCT serves a signal to the browsers that the certificate its attached to is published on a CT log. The SCT can be delivered three ways: via X509v3 extension, TLS extension or OCSP Stapling (see image below).
For the sake of better security, some browsers (like Apple’s Safari, for instance) will require SCTs from multiple CT logs in order to be trusted. This just means that the CA issuing the certificate has to send pre-certificates to multiple CT logs. So for instance, DigiCert may log a certificate it’s issuing on its own CT server, and then it may also send pre-certificates to Apple and Google for inclusion on their logs as well.
The CAs are the only ones required to do the logging?
Yes. There are, for all intents and purposes, two ways to log a certificate if we’re being honest. The alternative way is using web crawlers, which can see certificates and report them back to logs, too. The problem is crawlers can’t see everything on the web so you would never get a complete picture.
Certificate Transparency has long been a Google initiative, and with the entire internet moving towards HTTPS it makes sense to push for a system that requires greater accountability from issuing CAs—especially in light of some of the issues that have occurred over the past few years with CAs like WoSign and StartCom making egregious mistakes. Certificate Transparency provides a greater level of oversight, making it easier to detect mis-issuances and revoke them.
One of the biggest issues facing the SSL industry right now is the lack of a reliable revocation mechanism. Certificate Transparency doesn’t fix that entirely, but it’s certainly a step in the right direction.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018in Hashing Out Cyber Security
How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chromein Everything Encryption
Re-Hashed: How to Fix SSL Connection Errors on Android Phonesin Everything Encryption
Cloud Security: 5 Serious Emerging Cloud Computing Threats to Avoidin ssl certificates
This is what happens when your SSL certificate expiresin Everything Encryption
Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Messagein Hashing Out Cyber Security
Report it Right: AMCA got hacked – Not Quest and LabCorpin Hashing Out Cyber Security
Re-Hashed: How to clear HSTS settings in Chrome and Firefoxin Everything Encryption
Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithmsin Everything Encryption
The Difference Between Root Certificates and Intermediate Certificatesin Everything Encryption
The difference between Encryption, Hashing and Saltingin Everything Encryption
Re-Hashed: How To Disable Firefox Insecure Password Warningsin Hashing Out Cyber Security
Cipher Suites: Ciphers, Algorithms and Negotiating Security Settingsin Everything Encryption
The Ultimate Hacker Movies List for December 2020in Hashing Out Cyber Security Monthly Digest
Anatomy of a Scam: Work from home for Amazonin Hashing Out Cyber Security
The Top 9 Cyber Security Threats That Will Ruin Your Dayin Hashing Out Cyber Security
How strong is 256-bit Encryption?in Everything Encryption
Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3in Everything Encryption
How to View SSL Certificate Details in Chrome 56in Industry Lowdown
PayPal Phishing Certificates Far More Prevalent Than Previously Thoughtin Industry Lowdown