Google Chrome Now Requires CT Logging for All TLS Certificates

May 3, 2018 | David Bisson

On 1 May, a mandate took effect for Google's Chrome web browser requiring that all newly issued, publicly trusted TLS certificates comply with the Chromium Certificate Transparency (CT) Policy; certificates issued before that date are not affected. In practice, compliance means the certificate is accompanied by Signed Certificate Timestamps (SCTs) from enough independent, qualifying CT logs, with the SCTs either embedded in the certificate by the CA, delivered in a TLS extension during the handshake, or stapled in an OCSP response. Under this enforcement, a website must make sure that its publicly trusted certificates issued by a certificate authority (CA) appear in a CT log. Otherwise, Chrome presents visitors with a full-page error (NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED) warning them that the site's certificate is not CT-compliant, and sub-resources served from non-compliant HTTPS origins fail to load.

Broderick Perelli-Harris, senior director of professional services for Venafi, says the mandate is a good decision on Google's part:

"This is a very welcome move from Google as it’s another step towards enforcing best practice for the CA industry. There have been plenty of recent cases of CA errors that impact businesses—and businesses are starting to wake up to the problem. 80 percent of businesses say they are worried about future CA incidents affecting their operations. Google highlighting cases of mis-issuance will help companies protect themselves and their customers."

Google's enforcement raises the question: what is a CT log, and why would tech giants like Google be so interested in making sure that certificates are entered into them?

A CT log is a network service that keeps an append-only, cryptographically verifiable record of digital certificates: every accepted certificate becomes a leaf in a Merkle hash tree, and the log signs the current tree head, so any later alteration or removal of an entry can be detected. A log does not say whether a certificate is valid or revoked; what it provides is a public record of what was issued, which is what lets domain owners and others spot certificates that should never have existed. Certificate authorities account for most submissions to CT logs, but technically anyone can submit a certificate. Anyone can also query a log for a cryptographic proof that a given certificate is included in it.

Certificate Transparency logs are just one part of Certificate Transparency, an effort designed to give CAs, domain owners and browser vendors visibility into which certificates have actually been issued. CT responds to the threat of malicious websites using mistakenly issued certificates, or certificates from a compromised CA, to prey on users. In the past, a user's browser would detect nothing wrong with such a certificate as long as the issuing CA remained trusted. Furthermore, with no mechanism for monitoring Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate issuance in near real time, detecting and revoking these certificates was difficult.

With the support of CAs, domain owners, and browser vendors like Google, Certificate Transparency has created an open framework with three purposes in mind:

  • Make it harder for a CA to issue an SSL/TLS certificate for a domain without the domain owner learning of, or gaining visibility into, that certificate.
  • Provide an open auditing system by which any domain owner or CA can review which certificates have been issued.
  • Protect users against certificates that were issued maliciously or by mistake.

To accomplish these aims, Certificate Transparency supports its logs with monitors and auditors. Monitors periodically fetch new entries from the log servers and watch for certificates of interest, for example any certificate naming a domain the monitor's operator owns. Auditors verify that logs are behaving correctly and consistently: they check consistency proofs between successive signed tree heads, which show that a log has only appended entries and never rewritten or removed any, and they check inclusion proofs, which confirm that a particular certificate really does appear in the log. Monitors and auditors also engage in "gossip," exchanging the signed tree heads they have seen, so that a log cannot present one view of its contents to some parties and a different view to others; a log caught doing that has misbehaved even if every individual proof it served was valid.
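The inclusion proofs and consistency proofs described above are plain Merkle-tree arithmetic, so anyone can check them without trusting the log. The following is an added example written for this page, not code from Venafi, Google or any CT log operator: it implements RFC 6962's tree hash, audit path and consistency proof and runs them over a constructed seven-entry log. The `cert-N` byte strings are stand-ins for real log entries, which a log hashes as MerkleTreeLeaf structures wrapping the (pre)certificate.

```python
"""RFC 6962 Merkle tree: tree head, inclusion (audit) proof and consistency proof.
Added example for the explanation above, not code from Venafi, Google or any CT log.
Entries are constructed byte strings standing in for MerkleTreeLeaf structures; the
hashing rules (0x00 leaf / 0x01 node prefix, split below n at a power of two) are RFC 6962's."""
import hashlib

def leaf_hash(entry):
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)

def tree_head(entries):
    """Merkle Tree Hash that a log's signed tree head commits to."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(index, entries):
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_head(entries[:k])]

def verify_inclusion(entry, index, tree_size, root, path):
    """Auditor check: is `entry` leaf `index` of the tree of size `tree_size` with `root`?"""
    def rebuild(m, n, path):
        if n == 1 and not path:
            return leaf_hash(entry)
        if n == 1 or not path:
            raise ValueError("audit path has the wrong length")
        k = _split(n)
        if m < k:
            return node_hash(rebuild(m, k, path[:-1]), path[-1])
        return node_hash(path[-1], rebuild(m - k, n - k, path[:-1]))

    if not 0 <= index < tree_size:
        return False
    try:
        return rebuild(index, tree_size, list(path)) == root
    except ValueError:
        return False

def consistency_proof(old_size, entries):
    """Hashes proving the first old_size entries are an untouched prefix of the log."""
    def sub(m, ents, known):           # known: the verifier already holds MTH(ents[:m])
        n = len(ents)
        if m == n:
            return [] if known else [tree_head(ents)]
        k = _split(n)
        if m <= k:
            return sub(m, ents[:k], known) + [tree_head(ents[k:])]
        return sub(m - k, ents[k:], False) + [tree_head(ents[:k])]

    if not 0 < old_size <= len(entries):
        raise ValueError("old_size out of range")
    return sub(old_size, entries, True)

def verify_consistency(old_size, new_size, old_root, new_root, proof):
    """Auditor check: between two signed tree heads the log only appended (no rewrite)."""
    def rebuild(m, n, proof, known):   # returns (MTH of first m entries, MTH of all n)
        if m == n:
            if known and not proof:
                return old_root, old_root
            if not known and len(proof) == 1:
                return proof[0], proof[0]
            raise ValueError("malformed proof")
        if not proof:
            raise ValueError("proof too short")
        k, sibling = _split(n), proof[-1]
        if m <= k:
            old, new = rebuild(m, k, proof[:-1], known)
            return old, node_hash(new, sibling)
        old, new = rebuild(m - k, n - k, proof[:-1], False)
        return node_hash(sibling, old), node_hash(sibling, new)

    if not 0 < old_size <= new_size:
        return False
    try:
        old, new = rebuild(old_size, new_size, list(proof), True)
    except ValueError:
        return False
    return old == old_root and new == new_root

if __name__ == "__main__":   # constructed seven-entry log, the size used in RFC 6962's figure
    log = [f"cert-{i}".encode() for i in range(7)]
    print(verify_inclusion(log[4], 4, 7, tree_head(log), inclusion_proof(4, log)),
          verify_consistency(3, 7, tree_head(log[:3]), tree_head(log), consistency_proof(3, log)))
```

Both verifiers fail closed: an entry other than the one the path was built for, a path of the wrong length, or a new tree head that does not extend the old one all return False. The consistency check is the one that matters most in practice, because it is what stops a log from issuing an SCT for a certificate and later quietly dropping that entry from its tree.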

As a whole, Certificate Transparency, and CT logs specifically, help make HTTPS connections more trustworthy and raise awareness of threats like website spoofing, server impersonation, and man-in-the-middle (MitM) attacks. But as Perelli-Harris notes, knowledge of a threat means little without the ability to defend against it.
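A monitor is where that awareness turns into something a domain owner can act on. The following is an added example written for this page, not Venafi's product code: a minimal monitor pass over constructed log entries that raises two kinds of findings, a certificate for a domain you own issued by a CA you do not use, and a certificate for a name built to resemble yours. The entry format, the policy, the CA names and the homoglyph table are assumptions made for the example; a real monitor would fetch entries from a log's get-entries endpoint and parse the DER certificate to obtain the issuer and subjectAltName values.

```python
"""Minimal CT monitor: flag log entries a domain owner should look at.
Added example, not Venafi's product code or any log's API. Entries are constructed
dicts standing in for parsed get-entries results; the policy, the sample CA names and
the homoglyph folding table are assumptions made for this example."""

# Constructed policy: the domains we own and the CAs we actually buy certificates from.
WATCHED_DOMAINS = {"example.com"}
APPROVED_ISSUERS = {"example.com": {"CN=Approved CA G2"}}

# Naive digit-to-letter folding for look-alike names (a heuristic, not a CT mechanism).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed log entries: position in the log, issuer DN and the dNSName SANs.
SAMPLE_ENTRIES = [
    {"index": 101, "issuer": "CN=Approved CA G2", "sans": ["example.com", "www.example.com"]},
    {"index": 102, "issuer": "CN=Some Other CA", "sans": ["*.example.com"]},
    {"index": 103, "issuer": "CN=Some Other CA", "sans": ["example.com.login-check.net"]},
    {"index": 104, "issuer": "CN=Free CA X1", "sans": ["examp1e.com", "www.examp1e.com"]},
    {"index": 105, "issuer": "CN=Free CA X1", "sans": ["unrelated.org"]},
]


def owned_by(name, watched):
    """Return the watched domain that a dNSName (wildcards included) falls under, else None."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    for domain in watched:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def looks_like(name, watched):
    """Heuristic: a name we do not own whose labels contain a watched brand label after folding.
    'example.com.login-check.net' and 'examp1e.com' both trip it; so would 'sampleexample.org',
    which is why findings go to a human or a ticket queue rather than being acted on blindly."""
    labels = name.lower().lstrip("*.").split(".")
    folded = [label.translate(HOMOGLYPHS) for label in labels]
    for domain in watched:
        brand = domain.split(".")[0]
        if any(brand in label for label in folded):
            return domain
    return None


def scan(entries, watched=WATCHED_DOMAINS, approved=APPROVED_ISSUERS):
    """One pass over log entries; returns a list of findings."""
    findings = []
    for entry in entries:
        for san in entry["sans"]:
            domain = owned_by(san, watched)
            if domain is not None:
                # Our domain, but a CA we never use: mis-issuance or a rogue request.
                if entry["issuer"] not in approved.get(domain, set()):
                    findings.append({"index": entry["index"], "san": san,
                                     "domain": domain, "reason": "unapproved-issuer"})
            else:
                domain = looks_like(san, watched)
                if domain is not None:
                    # Not ours, but built to pass as ours: phishing/impersonation candidate.
                    findings.append({"index": entry["index"], "san": san,
                                     "domain": domain, "reason": "lookalike"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ENTRIES):
        print(f"log entry {f['index']}: {f['san']} -> {f['reason']} (watched: {f['domain']})")
```

On the constructed entries this reports entry 102 (a wildcard for the owned domain from an unapproved CA) and entries 103 and 104 (look-alike names); entry 101 is a legitimate certificate and entry 105 is unrelated, so neither is flagged. The unapproved-issuer check is the one that catches the mis-issuance and compromised-CA cases the article describes; the look-alike check is deliberately loose and exists to surface candidates for review.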

“Companies need both a way to process the intelligence that CT is providing AND a way to respond to it—to actually take action to protect themselves. This is why businesses need to implement systems that help them maximize crypto-agility over security-critical machine identities, including SSL/TLS keys and certificates.”

With this perspective in mind, Venafi designed its TrustNet solution to use information gathered from the Google CT log and Venafi's sensor network to detect maliciously or mistakenly issued certificates. It also decided to set up its own CT log back in September 2015, an event which made Venafi the only non-browser vendor to set up a log.


About the author

David Bisson

David Bisson writes for Venafi's blog and is an expert in machine identity protection.
