
Venafi Supports Google Certificate Transparency with CA-Agnostic Log and Monitor

September 24, 2015 | Gavin Hill
Key Takeaways
  • Google Certificate Transparency provides safer internet browsing by allowing anyone to scrutinize the certificate issuance process.
  • Venafi supports Google Certificate Transparency (CT) with the Venafi CT log and CT monitor.
  • Venafi TrustNet uses Google CT log information in conjunction with SSL/TLS information gathered from the Venafi sensor network to identify misuse of certificates on the internet.

Venafi is proud to announce the availability of the Venafi CT log and CT monitor.

The Google Chrome browser requires public logging of Extended Validation (EV) SSL/TLS certificates as part of Google Certificate Transparency (CT). Any EV certificate issued after January 1, 2015 that is not logged with CT will cease to show the EV indicator “green bar” in the Chrome browser.

Google CT aims to stop unauthorized certificate issuance by providing the ability for anyone to scrutinize the issuance process. This is provided by three core components: the certificate log, a monitor, and an auditor.

A Growing Need

Cybercriminals and nation states have realized the value of misusing certificates, and certificate issuance practices are being abused more and more frequently. Earlier this year, reports of a man-in-the-middle attack orchestrated by the China Internet Network Information Center (CNNIC) provided just one example of how certificate issuance can be used for nefarious purposes.

Google CT aims to provide safer internet browsing by detecting mis-issued certificates, malicious certificates, or rogue CAs within a few hours of issuance. This is achieved through the CT requirements that dictate how and where every issued certificate must be logged with Google CT.

Venafi Support for Google CT

Venafi is proud to announce support for Google CT with the Venafi CT log and CT monitor. As the Immune System for the Internet™, Venafi provides a CT log independent of any specific Certificate Authority (CA), welcoming any CA to publish to the Venafi CT log.

CT Log: Any CA wishing to be compliant with Google CT is required to publish the certificates it issues to at least three (3) logs. These logs are publicly auditable and cryptographically assured.

[Figure: diagram of the Venafi CT log and monitor]

CT Monitor: Venafi also participates in the Google CT initiative by providing a monitor. Monitors watch logs for suspicious certificates and verify that all logged certificates are visible.

The Value of Google CT

Gartner got it right back in 2012 when they concluded that “no certificate can be blindly trusted.” In one good example of the value of Google CT, Google found an Extended Validation (EV) pre-certificate issued without Google’s authorization by Thawte CA. However, although CT identified the fraudulent certificate when Thawte issued the pre-certificate, CT identification is limited to the detection of certificate misuse at time of issuance only.   

Beyond Google CT

Because Venafi is CA-agnostic, providing a CT monitor allows Venafi to gain early visibility into certificate issuance practices across CAs. And Venafi TrustNet™ goes beyond certificate issuance information, using Google CT log information in conjunction with SSL/TLS information gathered from the Venafi sensor network to identify misuse of certificates on the internet throughout the certificate lifecycle.

In addition to the pre-certificate found by Google that was issued last week by Thawte, I decided to run a report utilizing Venafi TrustNet and found 20 other certificates issued to the google.com domain that are currently live and issued by some suspicious CAs that are not in the Google CT log.

To protect your organization’s brand from being misrepresented, Venafi TrustNet certificate reputation helps organizations detect and remediate certificate misuse at issuance and throughout the life of a certificate by evaluating the entire internet.  

How does your organization ensure no digital certificate is being used on the internet to misrepresent your brand?
