Google requires Certificate Transparency

13 December 2016

Google recently announced they will make Certificate Transparency mandatory from October 2017. SSL certificates issued after this date have to comply to the Certificate Transparancy demands, otherwise they will be displayed as untrustworthy.

Certificate Transparency

What is Certificate Transparency?

Certificate Transparency is an open source system that registers SSL certificates and was developed by Google since 2013. In the classic PKI model the Certificate Authorities provide the status information about the validaty of SSL certificates via CRL and OCSP. As has been shown in the past this system isn't 100% foolproof, therefore Google decided to develop their own control mechanism to reduce the abuse of SSL certificates. A well known example is DigiNotar, whereby trusted certificates were secretely issued to domains from i.a. Gmail from Google. Because this wasn't detected, the falseley issued SSL certificates were trusted by all browsers. Back then Google already kept a list of details about which certificate was used and for which website it was used, for their own domains. Hereby they discovered the false Gmail certificate very quickly. To prevent these kind of incidents in the future they started to implement this feature (or list) in their Chrome browser. By now they say the system is sufficiently developed for a large-scale roll-out.

Current situation

Since January 2015 EV certificates from al CA's are included in the Certificate Transparency (CT) logs. If an EV certificate isn't registerd in a CT log, Chrome doesn't show the green addres bar for this certificate. Additionally, all certificates issued by Symantec are added to the CT logs. This applies to the brand Symantec, GeoTrust and Thawte, also for the certificates without green address bar. This is caused by the incident where Symantec issued valid certificates for internal test purposes, using public domains from Google services. In response Google compelled Symantec to register al her SSL certificates in the CT logs.

What will change exactly?

From October 2017 they go one step further: From this date all SSL certificates have to be found on the Transparency log. This also applies to certificates with domain- and organisation validation. This announcement was made at the end of October, and then communicated in the CA/Browser Forum, the consultative body for CA's and browser manufacturers. This obligation means that from October 2017 all Certificate Authorities have to register all certificates they issue in the CT logs, enabling Chrome to validate the integrity of the certificates. Adding certificates to the CT logs is performed by the Certificate Authority, so there's no action required from endusers or certificate owners.

Why these changes?

A more secure internet is one of Google's priorities for quite some time now. On the one hand they stimulate the use of SSL certificates: Since a few years using HTTPS on the whole website is a rankingfactor in Google Search, from January 2017 they will start warning for websites without HTPPS, and after extended research they clarified the security indicators in the browser. On the other hand they try to make the SSL certificate system more secure with initiatives like Certificate Transparency.

point up