{"id":4085,"date":"2017-05-12T16:27:02","date_gmt":"2017-05-12T20:27:02","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=4085"},"modified":"2020-12-09T16:08:47","modified_gmt":"2020-12-09T21:08:47","slug":"certificate-transparency-requirement","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/certificate-transparency-requirement\/","title":{"rendered":"Chrome Delays Certificate Transparency Requirement to 2018"},"content":{"rendered":"<h2>Google moves the certificate transparency requirement back to 2018.<\/h2>\n<p>Google\u2019s <a href=\"https:\/\/www.thesslstore.com\/blog\/certificate-transparency\/\">Certificate Transparency (CT) project<\/a> promises to be one of the most significant improvements to the SSL ecosystem of all time (yes, seriously, it\u2019s that good).<span id=\"newline\"><\/span><\/p>\n<p>But as the old adage says, good things take time. While Certificate Transparency is up and running now, it\u2019s optional for the majority of CAs. This means that CT can\u2019t provide its full benefits because it can\u2019t yet know about all certificates being issued.<\/p>\n<p>Google\u2019s Chrome browser will fix that by making CT logging a mandatory requirement for all SSL certificates that want to be trusted. But the date for mandatory Certificate Transparency compliance has been pushed back 6 months \u2013 from October of this year to April 2018. Google announced <a href=\"https:\/\/groups.google.com\/a\/chromium.org\/d\/msg\/ct-policy\/sz_3W_xKBNY\/6jq2ghJXBAAJ\" rel=\"nofollow\">this news a few weeks back at the end of April<\/a>.<\/p>\n<p>The announcement came after Google hosted \u201cCT Days\u201d \u2013 a two-day conference for CAs, CDNs, log operators, and anyone else involved with or affected by Certificate Transparency. 
What they learned from that conference was that more time was needed to make sure everything was totally ready for an ecosystem-wide rollout.<\/p>\n<p>Ryan Sleevi, one of Chrome\u2019s engineers, <a href=\"https:\/\/groups.google.com\/a\/chromium.org\/d\/msg\/ct-policy\/sz_3W_xKBNY\/6jq2ghJXBAAJ\" rel=\"nofollow\">noted<\/a> that with the additional six months they hope to see \u201ca deployment that helps protect other browsers\u2019 users in addition to Chrome.\u201d Last year <a href=\"https:\/\/www.thesslstore.com\/blog\/firefox-certificate-transparency\/\">Firefox announced they would be supporting CT<\/a>, but have not yet committed to an enforcement date.<\/p>\n<p>Chrome is also working on <a href=\"https:\/\/scotthelme.co.uk\/a-new-security-header-expect-ct\/\" rel=\"nofollow\">implementing a new HTTP header, <em>expect-ct<\/em>,<\/a> which will allow server operators to test that their configurations and certificates are properly set up ahead of the deadline.<\/p>\n<p>It\u2019s undeniable that Certificate Transparency is a major change to the SSL ecosystem \u2013 this poses both technical challenges and, for the enterprise sector, concern over the idea that all their certificates will be publicly available.<\/p>\n<p>For instance, earlier this year, the east coast outage of Amazon\u2019s S3 cloud service <a href=\"https:\/\/groups.google.com\/a\/chromium.org\/d\/msg\/ct-policy\/ohtZ64gLN3I\/namq_NDmAQAJ\" rel=\"nofollow\">caused Venafi\u2019s log to fail<\/a> \u2013 demonstrating just how demanding it can be to reliably run a log. Meanwhile the IETF is <a href=\"https:\/\/datatracker.ietf.org\/doc\/draft-ietf-trans-rfc6962-bis\/\" rel=\"nofollow\">still finalizing some standards work<\/a>.<\/p>\n<p>There are also some \u2018privacy concerns,\u2019 particularly from the enterprise sector, that having their hostnames publicly known poses a security and privacy risk. 
There continues to be debate over \u2018name redaction\u2019 \u2013 which would allow partial censoring of the hostname in CT logs. Google has remained skeptical about most of these concerns, as have I, chalking it up to outdated threat models and fear of change, rather than legitimate risks.<\/p>\n<p>But there is no doubt that <a href=\"https:\/\/www.thesslstore.com\/blog\/view-certificate-details-in-chrome\/\">Certificate Transparency will bring<\/a> huge benefits to the ecosystem. Even now, with only partial logging, CT has already <a href=\"https:\/\/www.thesslstore.com\/blog\/root-programs-deciding-fate-wosign\/\">caught<\/a> a <a href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/fyJ3EK2YOP8\/yvjS5leYCAAJ\" rel=\"nofollow\">number<\/a> of <a href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/-gaS1p3vrXc\/rEz8JzliCgAJ\" rel=\"nofollow\">issues<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google moves the certificate transparency requirement back to 2018. 
Google\u2019s Certificate Transparency (CT) project promises to be one of the most significant improvements to the SSL ecosystem of all time&#8230;<\/p>\n","protected":false},"author":2,"featured_media":4087,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[187,131,155,467],"class_list":["post-4085","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-certificate-transparency","tag-google","tag-google-chrome","tag-ssltls","post-with-tags"],"views":10565,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/iStock-647355566.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=4085"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4085\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/4087"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=4085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=4085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=4085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}