On 1 May, a mandate took effect for Google's Chrome web browser requiring that all newly issued TLS certificates comply with the Chromium Certificate Transparency (CT) Policy. Under this enforcement, a website must make sure that its publicly trusted certificates issued by a certificate authority (CA) appear in a CT log. Otherwise, Chrome will present visitors with an error message warning them that the website is not CT-compliant and will prevent sub-resources served over HTTPS connections from loading properly.
Broderick Perelli-Harris, senior director of professional services for Venafi, feels that the mandate is a good decision on Google's part:
"This is a very welcome move from Google as it’s another step towards enforcing best practice for the CA industry. There have been plenty of recent cases of CA errors that impact businesses—and businesses are starting to wake up to the problem. 80 percent of businesses say they are worried about future CA incidents affecting their operations. Google highlighting cases of mis-issuance will help companies protect themselves and their customers."
Google's enforcement raises the question: what is a CT log, and why would tech giants like Google be so interested in making sure that certificates are entered into them?
A CT log is a type of network service that keeps cryptographically assured records of digital certificates. CT logs are generally used to verify the status of certificates and to determine whether they are being misused. Certificate authorities account for most certificate submissions to Certificate Transparency logs, but technically anyone can make a submission. Any individual can also query a log for a cryptographic proof of a certificate.
Certificate logs are just one part of Certificate Transparency, an effort designed to help CAs and domain owners evaluate the validity and safety of their certificates. CT responds to the threat of malicious websites using mistakenly issued certificates, or certificates from a compromised CA, to prey upon users. In the past, users' browsers would not detect anything wrong with such a certificate so long as the issuing CA remained in good standing. Furthermore, the absence of a mechanism for monitoring Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates in real time made detection and revocation of these certificates difficult.
With the support of CAs, domain owners, and browser vendors like Google, Certificate Transparency has created an open framework with three purposes in mind:
- Make it harder for a CA to issue an SSL certificate for a domain without the domain owner being able to see that certificate.
- Provide an open system by which any domain owner or CA can review their certificates.
- Protect users against certificates that someone maliciously or mistakenly issued.
To accomplish these aims, Certificate Transparency supports its logs with monitors and auditors. Monitors contact the log servers and watch for suspicious certificates, whereas auditors verify that logs are behaving correctly and consistently and confirm that a given certificate appears in a log. While executing their separate functions, CT monitors and auditors also engage in "gossip," shared communication with one another that helps them detect fraudulent certificates and misbehaving logs.
As a whole, Certificate Transparency—and CT logs, specifically—help make HTTPS connections more reliable and raise awareness of threats like website spoofing, server impersonation, and man-in-the-middle (MitM) attacks. But as Perelli-Harris notes, knowledge of a threat means little without the ability to defend against it.
“Companies need both a way to process the intelligence that CT is providing AND a way to respond to it—to actually take action to protect themselves. This is why businesses need to implement systems that help them maximize crypto-agility over security-critical machine identities, including SSL/TLS keys and certificates.”
With this perspective in mind, Venafi set up its own CT log back in September 2015, which made Venafi the only non-browser vendor to operate a log.