{"id":3159,"date":"2016-11-07T15:12:29","date_gmt":"2016-11-07T15:12:29","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=3159"},"modified":"2023-04-10T16:30:37","modified_gmt":"2023-04-10T20:30:37","slug":"firefox-certificate-transparency","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/firefox-certificate-transparency\/","title":{"rendered":"Firefox Will Support Certificate Transparency"},"content":{"rendered":"<h2>Certificate Transparency just took a huge step forward.<\/h2>\n<p>Mozilla has made a big announcement: \u201cCT is coming to Firefox.\u201d Certificate Transparency, abbreviated as CT, is an incredibly important tool for improving safety for publicly-trusted SSL certificates.<\/p>\n<p>So far, all Mozilla has said is that Firefox will support Certificate Transparency. Its actual policy \u2013 including the criteria for log inclusion, and if\/when SSL certificates will need to support CT \u2013 has not been formed.<\/p>\n<p>Google, whose engineers invented Certificate Transparency, recently made a major announcement: A year from now (October 2017), <a href=\"https:\/\/www.thesslstore.com\/blog\/google-chrome-certificate-transparency-2017\/\">Chrome will be requiring all SSL certificates to support CT<\/a>. Chrome has supported, but in most cases not required, CT for over a year. Other browsers have yet to do so because the system was still being perfected.<\/p>\n<p>For those who are unfamiliar, Certificate Transparency is a new-ish addition to our industry. It is a system where Certificate Authorities (CAs) submit their issued certificates to publicly-searchable servers known as \u201clogs.\u201d These logs provide a way for anyone to search for and monitor issued certificates. 
As the name suggests, the goal is to provide transparency into a CA\u2019s issuance practices.<\/p>\n<p>It is important to know what certificates are being issued because it allows the community \u2013 including users and software that relies on publicly-trusted SSL (web browsers) \u2013 to spot non-compliance and mis-issuance. CT has already been used to spot multiple cases of CA malfeasance and has helped strengthen the security of Web PKI (the formal name for the entire system that comprises CAs and publicly-trusted SSL Certificates).<\/p>\n<p>Without CT, the only way to know what certificates a CA is issuing is to stumble across them on the internet. Projects like <a href=\"https:\/\/censys.io\/\" rel=\"nofollow\">censys.io<\/a> have collected millions of certificates by conducting internet-wide scans of servers, but that method will always be incomplete. By getting the information directly from the source (the CAs themselves), CT provides better oversight.<\/p>\n<p>The Certificate Transparency system is very similar to the CA system. CT logs can be operated by anyone (like CAs), and those logs can be valid sources for browsers provided they follow the necessary policies and practices (like Root Programs).<\/p>\n<p>Mozilla is known for running an extremely transparent Root Program. It operates the program publicly on its\u00a0<a href=\"https:\/\/groups.google.com\/forum\/#!forum\/mozilla.dev.security.policy\" rel=\"nofollow\">mozilla.dev.security.policy mailing list<\/a> and on the <a href=\"https:\/\/bugzilla.mozilla.org\/buglist.cgi?component=CA%20Certificates&amp;product=mozilla.org&amp;bug_status=__open__\" rel=\"nofollow\">Bugzilla bug-tracking site<\/a>. 
Recent incidents, like the discussion of how to respond to WoSign\u2019s mis-issuances, received over 400 comments.<\/p>\n<p>Gervase Markham, a member of Mozilla\u2019s CA team who started the discussion topic about Certificate Transparency, said at this point Mozilla is\u00a0trying \u201cto work out the scope of the policy, not what the policy will be.\u201d<\/p>\n<p>If you have any thoughts on what Mozilla should consider, <a href=\"https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/VJYX1Wnnhiw\" rel=\"nofollow\">you can share them in the discussion thread<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Certificate Transparency just took a huge step forward. Mozilla has made a big announcement: \u201cCT is coming to Firefox.\u201d Certificate Transparency, abbreviated as CT, is an incredibly important tool for&#8230;<\/p>\n","protected":false},"author":2,"featured_media":3160,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[187,151,131,192,136],"class_list":["post-3159","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-certificate-transparency","tag-firefox","tag-google","tag-mozilla","tag-ssl","post-with-tags"],"views":13548,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/11\/Mozilla-MWC-2014-Booth.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable"
:true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=3159"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3159\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/3160"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=3159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=3159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=3159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}