Google Chrome Now Requires CT Logging for All TLS Certificates

May 3, 2018 | David Bisson

On 1 May, a mandate took effect for Google's Chrome web browser requiring that all newly issued, publicly trusted TLS certificates comply with the Chromium Certificate Transparency (CT) Policy. In practice, a website must make sure that any certificate issued to it by a certificate authority (CA) from that date onward has been submitted to CT logs and is served with the resulting Signed Certificate Timestamps (SCTs), either embedded in the certificate itself, delivered in a TLS extension, or stapled in the OCSP response. Otherwise, Chrome presents visitors with an error page warning that the website is not CT-compliant, and sub-resources served over HTTPS with a non-compliant certificate fail to load.
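The check Chrome performs starts with the SCTs themselves, so it is worth seeing how the SCT list is laid out on the wire. The following is example code added to this article, not Venafi's code and not Chrome's: a parser for the RFC 6962 SignedCertificateTimestampList (the same encoding whether the list is embedded in certificate extension 1.3.6.1.4.1.11129.2.4.2, sent in the TLS signed_certificate_timestamp extension, or stapled via OCSP), plus a deliberately minimal policy check of "at least two SCTs from distinct logs". The sample SCTs are constructed inline with made-up log IDs and placeholder signature bytes; real SCTs carry an ECDSA signature from the log, which this example does not verify because that needs the log's public key from the published log list.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply a minimal
CT policy check. Example added to this article; all sample data is constructed."""
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class SCT:
    version: int        # 0 = v1, the only defined version
    log_id: bytes       # SHA-256 of the log's DER-encoded public key
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes   # CtExtensions, empty for v1 in practice
    hash_alg: int       # TLS HashAlgorithm: 4 = sha256
    sig_alg: int        # TLS SignatureAlgorithm: 3 = ecdsa
    signature: bytes    # DER ECDSA signature (not verified here)


def parse_sct(buf: bytes) -> SCT:
    """Parse one SerializedSCT; every length is checked against the buffer."""
    if len(buf) < 43:  # version(1) + log_id(32) + timestamp(8) + ext length(2)
        raise ValueError("SCT too short")
    if buf[0] != 0:
        raise ValueError(f"unsupported SCT version {buf[0]}")
    log_id = buf[1:33]
    (timestamp_ms,) = struct.unpack(">Q", buf[33:41])
    (ext_len,) = struct.unpack(">H", buf[41:43])
    pos = 43
    extensions = buf[pos:pos + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("truncated SCT extensions")
    pos += ext_len
    if len(buf) < pos + 4:
        raise ValueError("truncated SCT signature header")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", buf[pos:pos + 4])
    pos += 4
    signature = buf[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(buf):
        raise ValueError("SCT signature length does not match buffer")
    return SCT(0, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: a 2-byte total length, then
    2-byte-length-prefixed SerializedSCT items (RFC 6962 section 3.3)."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:]
    if len(body) != total:
        raise ValueError("SCT list length does not match buffer")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SCT entry length")
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        item = body[pos:pos + n]
        if len(item) != n:
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(item))
        pos += n
    if not scts:
        raise ValueError("empty SCT list")
    return scts


def meets_min_sct_policy(scts: list) -> bool:
    """Floor of Chrome's policy: at least two SCTs from distinct logs. Chrome
    also requires more SCTs for longer-lived certificates and at least one
    Google and one non-Google log, which needs the published log list."""
    return len({s.log_id for s in scts}) >= 2


# Encoders used only to build the constructed sample below.
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"") -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + struct.pack(">BBH", 4, 3, len(signature)) + signature)


def encode_sct_list(items: list) -> bytes:
    body = b"".join(struct.pack(">H", len(i)) + i for i in items)
    return struct.pack(">H", len(body)) + body


# Constructed sample: made-up log IDs and placeholder signature bytes.
LOG_A = hashlib.sha256(b"constructed log A").digest()
LOG_B = hashlib.sha256(b"constructed log B").digest()
TS_MS = 1525132800000  # 2018-05-01T00:00:00Z
SAMPLE_LIST = encode_sct_list([
    encode_sct(LOG_A, TS_MS, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    encode_sct(LOG_B, TS_MS + 1, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])
SAMPLE_ONE_LOG = encode_sct_list([encode_sct(LOG_A, TS_MS, b"\x00"),
                                  encode_sct(LOG_A, TS_MS + 5, b"\x00")])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LIST):
        print(sct.log_id.hex()[:16], sct.timestamp_ms)
    print("meets minimal policy:", meets_min_sct_policy(parse_sct_list(SAMPLE_LIST)))
```

The parser is the part that is easy to get wrong: every length field is compared against the buffer so that a truncated or padded list is rejected rather than silently misread, and trailing bytes after an SCT are treated as an error. The policy function is intentionally the floor, not Chrome's full rule set.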

Broderick Perelli-Harris, senior director of professional services for Venafi, feels that the mandate is a good decision on Google's part:

"This is a very welcome move from Google as it’s another step towards enforcing best practice for the CA industry. There have been plenty of recent cases of CA errors that impact businesses—and businesses are starting to wake up to the problem. 80 percent of businesses say they are worried about future CA incidents affecting their operations. Google highlighting cases of mis-issuance will help companies protect themselves and their customers."


Google's enforcement raises an obvious question: what is a CT log, and why would a company like Google care so much about getting certificates into one?

A CT log is a network service that keeps an append-only, cryptographically verifiable record of certificates. Every entry is a leaf in a Merkle hash tree, and the log periodically signs the tree's root hash, so it cannot later remove or alter an entry without being caught. Whoever submits a certificate (or precertificate) receives a Signed Certificate Timestamp (SCT), the log's signed promise to include that certificate within a fixed maximum merge delay. Certificate authorities account for most submissions, but technically anyone can submit, and anyone can query a log for an inclusion proof that a given certificate is in the tree, or for a consistency proof that a newer tree is an extension of an older one. Domain owners and security teams use logs to see which certificates exist for their names and to spot ones they never requested.

Certificate logs are just one part of Certificate Transparency, an effort designed to help CAs and domain owners evaluate the validity and safety of certificates issued for their names. CT responds to the threat of malicious websites using mistakenly issued certificates, or certificates from a compromised CA, to prey upon users. In the past, a user's browser would detect nothing wrong with such a certificate so long as the issuing CA remained in the browser's trust store. Furthermore, the absence of a mechanism for monitoring Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates in anything close to real time made detection and revocation of these certificates difficult.

With the support of CAs, domain owners, and browser vendors like Google, Certificate Transparency has created an open framework with three purposes in mind:

  • Make it difficult for a CA to issue an SSL/TLS certificate for a domain without the domain owner being able to discover that certificate.
  • Provide an open system by which any domain owner or CA can review the certificates issued for their domains.
  • Protect users from certificates that were issued maliciously or by mistake.

To accomplish these aims, Certificate Transparency supports its logs with monitors and auditors. Monitors periodically fetch new entries from the log servers and watch for suspicious certificates, such as one issued for a domain the monitor's operator owns but never requested. Auditors verify that logs are behaving correctly and consistently: they check that a certificate with an SCT really does appear in the log (an inclusion proof) and that each new signed tree head is an append-only extension of the previous one (a consistency proof). Monitors and auditors also exchange the tree heads they have seen ("gossip"), which is what would expose a log that shows one view of its contents to a victim and a different view to everyone else.
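What an auditor actually computes when it checks that a certificate "appears in a log" is a Merkle inclusion proof, and the arithmetic is short enough to show in full. The following is example code added to this article (not Venafi's code and not any log's implementation): the RFC 6962 tree hash, the audit path a log returns for one entry, and the verifier an auditor runs against the root hash from a Signed Tree Head. The sample entries are constructed plain strings; a real log hashes MerkleTreeLeaf structures that wrap the (pre)certificate.

```python
"""RFC 6962 Merkle tree: how a CT log commits to its entries and how an
auditor verifies an inclusion proof. Example added to this article."""
import hashlib


def hash_leaf(entry: bytes) -> bytes:
    """Leaf hash SHA-256(0x00 || entry). The 0x00/0x01 domain separators
    prevent an internal node from being passed off as a leaf."""
    return hashlib.sha256(b"\x00" + entry).digest()


def hash_children(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), RFC 6962 s2.1."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: list) -> bytes:
    """Merkle Tree Hash MTH(D[n]) per RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split_point(n)
    return hash_children(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries: list, m: int) -> list:
    """Audit path PATH(m, D[n]) (RFC 6962 section 2.1.1): the sibling
    hashes needed to rebuild the root from leaf m. This is what a log
    returns from its get-proof-by-hash endpoint."""
    n = len(entries)
    if not 0 <= m < n:
        raise IndexError("leaf index out of range")
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [merkle_root(entries[:k])]


def verify_inclusion(leaf_hash: bytes, index: int, tree_size: int,
                     path: list, root: bytes) -> bool:
    """Auditor side: recompute the root from the leaf hash and audit path
    and compare it with the root the log signed (RFC 9162 section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_children(p, r)
            if not fn & 1:
                # this node is the last in its row; skip levels with no right sibling
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_children(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample log contents (plain strings stand in for MerkleTreeLeaf).
SAMPLE_ENTRIES = [f"constructed certificate {i} for example.com".encode() for i in range(5)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_ENTRIES)
    for i, entry in enumerate(SAMPLE_ENTRIES):
        ok = verify_inclusion(hash_leaf(entry), i, len(SAMPLE_ENTRIES),
                              inclusion_proof(SAMPLE_ENTRIES, i), root)
        print(i, ok)
```

The verifier works from nothing but the leaf hash, the leaf's index, the tree size and the sibling hashes, so a log that dropped an entry, or that shows one party a tree in which the entry is missing, cannot produce a proof that checks out against the root it signed for everyone else. A consistency proof between two tree heads is built from the same node hashes and is what an auditor uses to confirm the log only ever appends.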

As a whole, Certificate Transparency—and CT logs, specifically—help make HTTPS connections more reliable and raise awareness of threats like website spoofing, server impersonation, and man-in-the-middle (MitM) attacks. But as Perelli-Harris notes, knowledge of a threat means little without the ability to defend against it.

“Companies need both a way to process the intelligence that CT is providing AND a way to respond to it—to actually take action to protect themselves. This is why businesses need to implement systems that help them maximize crypto-agility over security-critical machine identities, including SSL/TLS keys and certificates.”

With this perspective in mind, Venafi designed its TrustNet solution to use information gathered from the Google CT log and Venafi's sensor network to detect maliciously or mistakenly issued certificates. Venafi also set up its own CT log in September 2015, at which point it was the only non-browser vendor to operate one.



About the author

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
