Venafi is proud to announce the availability of the Venafi CT log and CT monitor.
The Google Chrome browser requires public logging of Extended Validation (EV) SSL/TLS certificates as part of Google Certificate Transparency (CT). Any EV certificate issued after January 1, 2015 that is not logged with CT will cease to show the EV indicator “green bar” in the Chrome browser.
Google CT aims to stop unauthorized certificate issuance by making it possible for anyone to scrutinize the issuance process. This scrutiny is provided by three core components: the certificate log, a monitor, and an auditor.
A Growing Need
Cybercriminals and nation states have realized the value of misusing certificates, as shown by the increasingly frequent abuse of certificate issuance practices. Earlier this year, reports of a man-in-the-middle attack orchestrated by the China Internet Network Information Center (CNNIC) provided just one example of how certificate issuance can be used for nefarious purposes.
Google CT aims to provide safer internet browsing by detecting mis-issued certificates, malicious certificates, or rogue CAs within a few hours of conception. This is possible because the CT requirements dictate how and where any issued certificate should be logged with Google CT.
Venafi Support for Google CT
Venafi is proud to announce support for Google CT with the Venafi CT log and CT monitor. Venafi provides a CT log independent of any specific Certificate Authority (CA), welcoming any CA to publish to the Venafi CT log.
CT Log: Any CA wishing to be compliant with Google CT is required to publish certificates that they issue to at least three (3) logs. These logs are publicly auditable and cryptographically assured.
CT Monitor: Venafi also participates in the Google CT initiative by providing a monitor. Monitors watch logs for suspicious certificates and verify that all logged certificates are visible.
The Value of Google CT
Gartner got it right back in 2012 when they concluded that “no certificate can be blindly trusted.” In one good example of the value of Google CT, Google found an Extended Validation (EV) pre-certificate issued without Google’s authorization by Thawte CA. However, although CT identified the fraudulent certificate when Thawte issued the pre-certificate, CT identification is limited to the detection of certificate misuse at time of issuance only.
Beyond Google CT
Because Venafi is CA-agnostic, providing a CT monitor allows Venafi to gain early visibility into certificate issuance practices across CAs. And Venafi TrustNet™ goes beyond certificate issuance information, using Google CT log information in conjunction with SSL/TLS information gathered from the Venafi sensor network to identify misuse of certificates on the internet throughout the certificate lifecycle.
In addition to the pre-certificate found by Google that was issued last week by Thawte, I decided to run a report utilizing Venafi TrustNet and found 20 other certificates issued to the google.com domain that are currently live and issued by some suspicious CAs that are not in the Google CT log.
To protect your organization’s brand from being misrepresented, Venafi TrustNet certificate reputation helps organizations detect and remediate certificate misuse at issuance and throughout the life of a certificate by evaluating the entire internet.
How does your organization ensure no digital certificate is being used on the internet to misrepresent your brand?