I have written quite a bit lately about what terrible things can happen when certificates are lost. People change domain names or stop using a domain name for a website or web application, but if the name is still on valid certificates whose private keys are floating around, whoever holds those keys can impersonate the name and intercept traffic meant for it. And if the certificates your organization uses come from an issuer in a country you are not in, that country's law enforcement and intelligence services can probably compel the issuer to mis-issue a certificate for your domain. The CA never holds your private key, so it cannot hand over the ability to decrypt your existing traffic, but a bogus certificate for your name is enough to sit in the middle of new connections.
Organizations of all sizes need visibility into their own certificates so they know what is out there. Massive companies like Apple want more than that: they want certificate transparency, so they can be better assured that the entities presenting TLS/SSL certificates are who they say they are.
Apple announced its new Certificate Transparency (CT) policy, which takes effect on October 15, 2018 and applies to publicly trusted TLS server certificates issued after that date. It covers TLS/SSL-encrypted traffic on Apple platforms: macOS, iOS, watchOS, and tvOS. iOS in particular has a large market share, and you probably want your organization's websites and web apps to work on iPhones and MacBooks. This is the new policy:
“Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:
The accompanying table sets the number of embedded SCTs by certificate lifetime: certificates valid for less than 15 months need two SCTs, 15 to 27 months need three, 27 to 39 months need four, and more than 39 months need five.
Apple said software updates would follow. Once October 15 arrives, if a TLS/SSL certificate you deploy does not carry SCTs that satisfy the new policy, TLS connections from Safari or from apps on these platforms will fail and return an error to your users.
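As an added example (not Venafi's or Apple's code), the check below reads the SCT list out of a certificate's CT extension value (OID 1.3.6.1.4.1.11129.2.4.2, a DER OCTET STRING wrapping the RFC 6962 TLS-encoded SignedCertificateTimestampList), counts SCTs from approved logs, and compares the count against the lifetime table above. The log IDs, approved-log set, certificate dates and signature bytes are constructed sample data; SCT signatures are not verified; and the calendar-month lifetime arithmetic and the handling of lifetimes that land exactly on a table boundary are assumptions, since the policy text quoted above does not spell them out.

```python
"""Check a certificate's embedded SCTs against Apple's CT policy (added example)."""
import calendar
import struct
from datetime import datetime, timezone

SCT_V1 = 0
SHA256, ECDSA = 4, 3  # TLS HashAlgorithm / SignatureAlgorithm codes used by RFC 6962 SCTs


def add_months(d, n):
    """Return d advanced by n calendar months, clamping the day to the month's end."""
    y, m = divmod(d.month - 1 + n, 12)
    year, month = d.year + y, m + 1
    return d.replace(year=year, month=month,
                     day=min(d.day, calendar.monthrange(year, month)[1]))


def required_embedded_scts(not_before, not_after):
    """Apple's lifetime table: <15 months -> 2, 15-27 -> 3, 27-39 -> 4, >39 -> 5.
    ASSUMPTION: lifetime is measured in calendar months and a lifetime of exactly
    27 or 39 months takes the lower band; the policy text does not say which."""
    if not_after < add_months(not_before, 15):
        return 2
    if not_after <= add_months(not_before, 27):
        return 3
    if not_after <= add_months(not_before, 39):
        return 4
    return 5


def unwrap_der_octet_string(data):
    """Strip one DER OCTET STRING header (tag 0x04), short or long length form."""
    if not data or data[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    length, offset = data[1], 2
    if length & 0x80:                     # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(data):
        raise ValueError("OCTET STRING length does not match data")
    return data[offset:]


def parse_sct_list(blob):
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962 section 3.3).
    Returns [(log_id_hex, timestamp_utc), ...]; signatures are skipped, not verified."""
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(blob):
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        sct = blob[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) != n or sct[0] != SCT_V1:
            raise ValueError("truncated or non-v1 SCT")
        log_id = sct[1:33]                                  # SHA-256 of the log's public key
        (ts_ms,) = struct.unpack(">Q", sct[33:41])          # milliseconds since the Unix epoch
        (ext_len,) = struct.unpack(">H", sct[41:43])
        sig_at = 43 + ext_len                               # digitally-signed: hash, sig alg, len, sig
        (sig_len,) = struct.unpack(">H", sct[sig_at + 2:sig_at + 4])
        if sig_at + 4 + sig_len != n:
            raise ValueError("SCT signature length mismatch")
        scts.append((log_id.hex(), datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)))
    return scts


def check_apple_ct_policy(not_before, not_after, sct_extension_value, approved_logs):
    """Return (compliant, required, found) for the embedded-SCT route of the policy.
    ASSUMPTION: SCTs from logs outside approved_logs do not count, and several SCTs
    from the same log count once."""
    scts = parse_sct_list(unwrap_der_octet_string(sct_extension_value))
    found = len({log_id for log_id, _ in scts if log_id in approved_logs})
    required = required_embedded_scts(not_before, not_after)
    return found >= required, required, found


# --- constructed sample data (not real logs, keys or certificates) -------------------

def build_sct(log_id, ts_ms):
    """Build one v1 SCT with an empty extensions block and a placeholder signature."""
    sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"     # constructed bytes, never verified here
    return (bytes([SCT_V1]) + log_id + struct.pack(">Q", ts_ms) + struct.pack(">H", 0)
            + bytes([SHA256, ECDSA]) + struct.pack(">H", len(sig)) + sig)


def build_sct_extension(scts):
    """Wrap SCTs as a SignedCertificateTimestampList inside a DER OCTET STRING."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    tls_list = struct.pack(">H", len(body)) + body
    if len(tls_list) < 128:
        return b"\x04" + bytes([len(tls_list)]) + tls_list
    length = len(tls_list).to_bytes((len(tls_list).bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(length)]) + length + tls_list


SAMPLE_LOGS = [bytes([i]) * 32 for i in (1, 2, 3)]          # constructed log IDs
SAMPLE_APPROVED = {log.hex() for log in SAMPLE_LOGS}        # constructed approved-log set
SAMPLE_NOT_BEFORE = datetime(2018, 10, 15, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2020, 10, 15, tzinfo=timezone.utc)   # 24-month lifetime
SAMPLE_TS = 1539561600000                                          # 2018-10-15T00:00:00Z in ms
TWO_SCTS = build_sct_extension([build_sct(l, SAMPLE_TS) for l in SAMPLE_LOGS[:2]])
THREE_SCTS = build_sct_extension([build_sct(l, SAMPLE_TS) for l in SAMPLE_LOGS])

if __name__ == "__main__":
    for name, ext in (("two SCTs", TWO_SCTS), ("three SCTs", THREE_SCTS)):
        ok, need, have = check_apple_ct_policy(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, ext, SAMPLE_APPROVED)
        print(f"{name}: {'PASS' if ok else 'FAIL'} (required {need}, found {have})")
```

Run as a script, the 24-month sample certificate fails with two embedded SCTs and passes with three, which is the table's 15-to-27-month band. To use it on a real certificate, hand `check_apple_ct_policy` the raw value of the 1.3.6.1.4.1.11129.2.4.2 extension and the log IDs from Apple's published approved-log list; the policy's other route (one embedded SCT plus one delivered via the TLS extension or OCSP stapling) is not modelled here.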
Google and Mozilla have also supported certificate transparency for years, and Google took the first step in distrusting certificates that are not CT-logged: Chrome has enforced certificate transparency since July 2018 for newly issued certificates.
In an earlier blog post, Venafi outlined some of the reasons why major browsers are interested in requiring certificate transparency:
“CT responds to the threat of malicious websites using mistakenly issued certificates or certificates from a compromised CA to prey upon users. In the past, users' browsers wouldn't detect anything wrong with such a certificate in these types of situations so long as the CA maintained good standing.”
Broderick Perelli-Harris, senior director of professional services for Venafi, feels certificate transparency is another step towards enforcing best practice for the CA industry. He reminds us why transparency is so important, “There have been plenty of recent cases of CA errors that impact businesses—and businesses are starting to wake up to the problem. 80 percent of businesses say they are worried about future CA incidents affecting their operations.”
Now is the time to double-check that the TLS/SSL certificates your organization deploys comply with Apple's new policy. It takes a bit of preparation work, but policies like these should nudge TLS/SSL deployments in a more secure direction.