Apple Joins Google in Requiring Certificate Transparency

September 27, 2018 | Guest Blogger: Kim Crawley

I have written quite a bit lately about the terrible things that can happen when organizations lose track of their certificates. People change domain names or stop using a domain name for their website or web application, but if that name still appears on certificates that remain in circulation on the internet, whoever holds those certificates may be able to access your encrypted traffic. And if the certificates your organization uses come from a country you’re not in, that country’s law enforcement and intelligence agencies can probably serve a warrant on your certificate issuer and decrypt your website’s traffic.

Organizations of all sizes need visibility of their own certificates, so they know what’s out there. Massive companies like Apple also want better certificate transparency: they want stronger assurance that entities presenting TLS/SSL certificates are who they say they are and do what they say they do.

Apple announced their new Certificate Transparency (CT) policy, which will take effect on October 15, 2018. It will pertain to TLS/SSL encrypted internet traffic on Apple platforms. Those platforms include macOS, iOS, watchOS, and tvOS. iOS especially has a large market share. You probably want your business or organization’s websites and web apps to be usable on iPhones and MacBooks, right? So, this is what their new CT policy is:

“Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:

  • At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
  • At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.”

The table says that certificates with a lifetime of less than 15 months need two SCTs, certificates valid for 15 to 27 months need three SCTs, certificates valid for 27 to 39 months need four SCTs, and certificates with a lifetime of more than 39 months need five SCTs.
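The two ways of satisfying the policy above, written out as a small checker (an added example for this post, not code from Apple or Venafi). It assumes you already know, for each SCT, whether its log is currently approved, once approved, or never approved, and how the SCT reached the client; the exact handling of the 27- and 39-month boundaries is an assumption, since the post gives only the ranges.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class LogStatus(Enum):
    CURRENTLY_APPROVED = "currently approved"
    ONCE_APPROVED = "once approved"
    NEVER_APPROVED = "never approved"


class Delivery(Enum):
    EMBEDDED = "embedded"          # carried in the certificate's SCT extension
    TLS_EXTENSION = "tls"          # presented in the TLS handshake
    OCSP_STAPLING = "ocsp"         # carried in a stapled OCSP response


@dataclass
class SCT:
    log_status: LogStatus
    delivery: Delivery


def required_sct_count(validity_months: float) -> int:
    # Thresholds from the table as described in the post; treating
    # 27 and 39 months as belonging to the lower band is an assumption.
    if validity_months < 15:
        return 2
    if validity_months <= 27:
        return 3
    if validity_months <= 39:
        return 4
    return 5


def satisfies_apple_ct_policy(scts: List[SCT], validity_months: float) -> bool:
    # Precondition common to both options: at least two SCTs from logs
    # that were once or are currently approved.
    approved = [s for s in scts if s.log_status != LogStatus.NEVER_APPROVED]
    if len(approved) < 2:
        return False
    # Option 1: two SCTs from currently-approved logs, at least one of them
    # presented via the TLS extension or OCSP stapling.
    current = [s for s in approved if s.log_status == LogStatus.CURRENTLY_APPROVED]
    live = (Delivery.TLS_EXTENSION, Delivery.OCSP_STAPLING)
    if len(current) >= 2 and any(s.delivery in live for s in current):
        return True
    # Option 2: one embedded SCT from a currently-approved log, plus the
    # validity-period-dependent count from once-or-currently approved logs.
    has_embedded_current = any(s.delivery == Delivery.EMBEDDED for s in current)
    return has_embedded_current and len(approved) >= required_sct_count(validity_months)
```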

Apple said they would release software updates soon. That means that once October 15 comes, if your TLS/SSL certificates aren’t transparent and timestamped according to their new policy, TLS attempts made with the Safari web browser or within iOS apps will fail and return an error message to your users.

Google and Mozilla have also supported certificate transparency for years. And Google took the first step in distrusting non-CT logged certificates. Google Chrome has been enforcing certificate transparency since July 2018 for most certificates.

In an earlier blog, Venafi outlined some of the reasons why major browsers are interested in requiring certificate transparency:

“CT responds to the threat of malicious websites using mistakenly issued certificates or certificates from a compromised CA to prey upon users. In the past, users' browsers wouldn't detect anything wrong with such a certificate in these types of situations so long as the CA maintained good standing.”

Broderick Perelli-Harris, senior director of professional services for Venafi, feels certificate transparency is another step towards enforcing best practice for the CA industry. He reminds us why transparency is so important, “There have been plenty of recent cases of CA errors that impact businesses—and businesses are starting to wake up to the problem. 80 percent of businesses say they are worried about future CA incidents affecting their operations.”

Now is the time to double-check that the TLS/SSL certificates your organization deploys comply with Apple’s new policy. It takes a bit of preparation work, but hopefully policies like these will nudge TLS/SSL implementation in a more secure direction.

About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.
