Questions about Certificate Transparency

What is Certificate Transparency?

Certificate Transparency (CT) is a project started by Google, aiming to eliminate various structural flaws in the SSL certificate system. CT allows anyone to detect SSL certificates that have been mistakenly issued by a Certificate Authority (CA), or maliciously acquired from an otherwise unimpeachable CA. Browsers, CAs and other parties can use CT (alongside other existing techniques) to confirm a certificate was correctly issued and thus enhance trust.

Why CT?

CT aims to make the issuance and existence of SSL certificates open and readily available information – transparent, if you will.

This lets CT serve as a “CA watchdog” to make sure that CAs are operating as expected, since CT makes it very difficult for a CA to issue a certificate without a domain owner’s knowledge. Web site owners can query CT servers to make certain that malicious parties did not issue any certificate for their web sites.

CT was created in an effort to strengthen overall Internet security by creating an open framework for monitoring the TLS/SSL certificate system. This transparency can help protect users and web sites from incorrect or fraudulent certificates.

How does CT work?

CAs publish certificates they issue in simple network services, called *Certificate Logs*. Certificate logs maintain cryptographically assured, publicly auditable, and append-only records of issued certificates. Anyone can query them or submit new information.

Essentially, when a CT log server receives a new certificate, it responds with a Signed Certificate Timestamp (SCT). This SCT is used as proof of the date of issuance, usually by attaching it to the issued certificate. (There’s more than one way to deliver SCTs – but that’s for a more detailed article.)

It’s important to note that a certificate is stored in a log forever – items can be added to a log fairly easily, but removal is impossible, even for expired certificates.

CT logs are periodically verified by independent CT services specified in the CT design, namely monitors (which keep an eye out for suspicious certificates) and auditors (which verify that logs are trustworthy). Monitors can be run by CAs or other third parties, while auditors are actually built into browsers.
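As an added illustration (not part of this article or of SSL.com's own tooling), the following Python models the cryptographic guarantee behind a CT log: entries are hashed into an RFC 6962 Merkle tree, and an auditor can confirm that a given certificate is included under a published tree head from just the leaf and a short path of sibling hashes, without downloading the whole log. The log entries are constructed byte strings standing in for real DER certificates; the hash prefixes 0x00 and 0x01 are the ones RFC 6962 specifies.

```python
import hashlib

LOG = [b"cert-for-www.example.com", b"cert-for-mail.example.com",  # constructed
       b"cert-for-vpn.example.com", b"cert-for-api.example.com",   # stand-ins,
       b"cert-for-proxy.example.com"]                               # not real certs

def leaf_hash(entry):  # RFC 6962: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):  # RFC 6962: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n):  # largest power of two strictly less than n (n >= 2)
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(entries):
    """Merkle Tree Hash (MTH) of an ordered list of log entries."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_path(m, entries):
    """Sibling hashes, leaf to root, proving entry m is in the tree."""
    if len(entries) == 1:
        return []
    k = split(len(entries))
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_hash(entries[:k])]

def verify_inclusion(entry, leaf_index, tree_size, path, root):
    """Auditor's check: rebuild the root from leaf + path (RFC 9162 2.1.3.2)."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:  # p is a left sibling
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:  # p is a right sibling
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

Any change to a logged entry, or a proof that does not match the claimed index, makes the recomputed root differ from the published one, which is how a monitor or auditor detects tampering.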

Much more information about how CT works can be found here.

When did CT happen?

Extended Validation (EV) certificates have been required to support CT since 2015, when Google imposed it for all such certificates.

CT has previously been applied to a few non-EV certificates as well – for instance, all certificates issued by Symantec since June 2016 have been required to utilize CT, due to problems they encountered.

Finally, Google started to enforce Certificate Transparency in Chrome for all certificates, including Domain Validation (DV) and Organization Validation (OV) certificates, on April 30, 2018. Since then, all publicly trusted certificates are required to be associated with an SCT from a qualified CT log. A list of such qualified logs is maintained by Google here.

Any issues to be aware of?

Although CT can improve overall SSL/TLS security and trust, like any new technology it may also have unintended consequences. CT logs can be viewed by anyone, including malicious attackers. Anyone can search through these logs for certificates protecting important Internet-facing domains, such as proxy servers or VPN entry points, thereby getting a glimpse of the network structure of other organizations.

This information is usually not enough to compromise an organization’s security posture, but it can provide leverage to an attacker, or an easier attack path into a network.

For sensitive applications where internal network structure must not be disclosed, SSL.com customers can:

  1. Obtain a wildcard certificate (e.g. for “*.example.com”), provided that they can demonstrate complete control over the domain, or
  2. Consider purchasing a privately-trusted PKI plan, since such PKIs are not obliged to adhere to CT.

If unsure, please contact an expert at support@ssl.com right now and discuss a PKI plan that satisfies your needs.

Will this affect how I get my certificate?

Not at all – as a customer, you will NOT need to do anything differently. CT happens ‘behind the scenes’ from a user’s perspective, and SSL.com (or our USERTrust partner) will perform all the required steps to ensure your certificate meets CT standards and performs as expected.

As always, if you have any questions please contact us at support@ssl.com or via live chat.