Google will begin enforcing its Certificate Transparency initiative next October
Certificate Transparency (CT) is an initiative that aims to make the entire SSL ecosystem safer.
The initiative, which was originally proposed by Google, is designed to provide a greater deal of insight into the practices of Certificate Authorities (CAs). CAs are the companies that issue SSL Certificates. There are several guidelines and regulations – decided on by a group of CAs and Browsers called the CA/B Forum – that CAs must follow to be trusted by the browsers.
Compliance with Certificate Transparency appears to be on its way to becoming required for CAs to continue being trusted. Google engineer Ryan Sleevi recently announced his company’s intention to require CT on Google’s Chromium Forum:
“This is a significant step forward in the online trust ecosystem. The investments made by CAs adopting CT, and Chrome requiring it in some cases, have already paid tremendous dividends in providing a more secure and trustworthy internet.”
With Mozilla’s recent announcement that Firefox would also begin supporting CT, another major domino has also fallen on the way to making CT an industry-wide requirement.
What is Certificate Transparency?
CT is a fully fleshed out technical mechanism in which CAs submit the SSL Certificates they have issued to public servers known as logs, which can be monitored by public watchdogs, other CAs, browsers, or anyone with an interest and a little time on their hands.
The idea behind CT is that the logs will be monitored in order to quickly identify fraudulently issued certificates. That in turn will help to shine light on CAs that have been guilty of misconduct or that have been compromised. As with many things, the system becomes more effective as it becomes more widely used—this is why the browsers are moving towards making it mandatory. As more and more certificates are publicly logged, a greater degree of transparency becomes possible until everything is out in the open and nothing is hidden.
What is a Mis-Issuance?
Certificate mis-issuance is one of the biggest threats to the SSL ecosystem—a big enough mis-issuance, if left unchecked, could potentially crater the entire industry by severely damaging consumer trust. A mis-issuance occurs when a CA issues a certificate incorrectly; this usually means that the wrong party was issued the certificate. It can also mean that the certificate does not comply with industry standards (for instance, it is issued using the now-outmoded SHA-1 hashing algorithm).
Certificate mis-issuances occur for several reasons: a CA could be compromised, it could make a mistake, or it could even mis-issue on purpose to get around the regulations that have been put in place by the CA/B Forum.
CT is still a fairly new concept, but it’s already paying dividends. While a few CAs have voluntarily agreed to participate, others have been forced to comply with it after running afoul of the CA/B Forum (see Symantec). Already, CT has helped to identify multiple instances of mis-issuance, including the high-profile WoSign debacle, in which the Chinese CA was caught backdating certificates.
“The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs.”
Chrome Will Require CT in October of 2017
After introducing its Certificate Transparency initiative on a voluntary basis, Google is now ready to set a hard deadline after which CAs will be required to become compliant. It will become mandatory in October 2017.
As Sleevi wrote on Google’s Chromium forum:
The Chrome Team believes that the Certificate Transparency ecosystem has advanced sufficiently that October 2017 is an achievable and realistic goal for this requirement… Although the date is a year away, we encourage any participants that wish to have their use cases addressed to bring them forward as soon as possible during the next three months. This will ensure that the IETF, the CA/Browser Forum, and the broader community at large have ample time to discuss the challenges that may be faced, and find appropriate solutions for them. Such solutions may be though [sic] technical changes via the IETF or via policy means such as through the CA/Browser Forum or individual browsers’ root program requirements.
This is a major moment for the SSL Industry. Certificate Transparency has the ability to make the entire SSL Ecosystem safer and more transparent, and now that Google has set a hard deadline, and Mozilla has announced its intention to support the mechanism as well, CAs are going to be forced to comply.
Certificate Transparency, like SSL in general, is no longer going to be optional in 2017. It’s now mandatory.