I have written quite a bit lately about what terrible things can happen when certificates are lost. People change domain names or stop using a domain name for their website or web application, but if the name is still on certificates which are being distributed through the internet, someone else can now have access to your encrypted traffic! Or if the certificates you use for your own organization come from a country you’re not in, that country’s law enforcement and intelligence can probably use a warrant on your certificate issuer to be able to decrypt your website’s traffic.
Organizations of all sizes need visibility of their own certificates, so they know what’s out there. But also, massive companies like Apple want better certificate transparency. They want to be better assured that entities using TLS/SSL certificates are who they say they are and do what they say they do.
Apple announced their new Certificate Transparency (CT) policy, which will take effect on October 15, 2018. It will pertain to TLS/SSL encrypted internet traffic on Apple platforms. Those platforms include macOS, iOS, watchOS, and tvOS. iOS especially has a large market share. You probably want your business or organization’s websites and web apps to be usable on iPhones and MacBooks, right? So, this is what their new CT policy is:
“Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:
- At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
- At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.
The table says that certificates with a lifetime of less than 15 months need two SCTs, 15 to 27 months needs three SCTs, 27 months to 39 months needs 4 SCTs, and certificate lifetimes of more than 39 months needs 5 SCTs.
Apple said they would release software updates soon. That means that once October 15 comes, if your TLS/SSL certificates aren’t transparent and timestamped according to their new policy, TLS attempts made with the Safari web browser or within iOS apps will fail and return an error message to your users.
Google and Mozilla have also supported certificate transparency for years. And Google took the first step in distrusting non-CT logged certificates. Google Chrome has been enforcing certificate transparency since July 2018 for most certificates.
In an earlier blog, Venafi outlined some of the reasons why major browsers are interested in requiring certificate transparency:
“CT responds to the threat of malicious websites using mistakenly issued certificates or certificates from a compromised CAs to prey upon users. In the past, users' browsers wouldn't detect anything wrong with such a certificate in these types of situations so long as the CA maintained good standing.”
Broderick Perelli-Harris, senior director of professional services for Venafi, feels certificate transparency is another step towards enforcing best practice for the CA industry. He reminds us why transparency is so important, “There have been plenty of recent cases of CA errors that impact businesses—and businesses are starting to wake up to the problem. 80 percent of businesses say they are worried about future CA incidents affecting their operations.”
Now is the time to doublecheck to make sure that the TLS/SSL certificates your organization deploys complies with Apple’s new policy. It takes a bit of preparation work, but hopefully policies like these will nudge TLS/SSL implementation in a more secure direction.