Google is making Certificate Transparency mandatory for its Chrome web browser by October 2017. Google software engineer Ryan Sleevi made the announcement in conjunction with the CA/Browser Forum that took place in Redmond, Washington last week.
The move is an attempt to reduce the number of domain certificates that are compromised and abused by hackers exploiting structural flaws in the certificate authority system, experts say. Those flaws have allowed hackers to launch man-in-the-middle and website spoofing attacks.
Certificate Transparency is an open source framework developed by Google for monitoring and auditing domain certificates. The framework was proposed by Google in 2013 and has since become an Internet Engineering Task Force open standard. After the October 2017 deadline, all websites will be required to adopt the new Certificate Transparency standard.
Given current domain certificates have a maximum 39-month lifecycle, by 2020 all issued certificates will be logged and in compliance with the new Certificate Transparency (CT) standard, according to Doug Beattie, VP product management at GlobalSign.
Sleevi said the move is a significant step forward in building a trusted online ecosystem. “The investments made by CAs adopting CT, and Chrome requiring it in some cases, have already paid tremendous dividends in providing a more secure and trustworthy Internet. The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to mis-issuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs,” Sleevi said in the online announcement of the 2017 goal.
“The penalty for having an unqualified certificate is that Chrome doesn’t display the nice green banner that CT certificates generally have,” Beattie said. “What they are planning on doing in a year is marking all non-CT certificates as untrusted. That’s going to be a real motivator to get people to get certificates that are CT qualified.”
Once implemented, the Certificate Transparency requirement would only affect Google’s Chrome browser. When a Chrome user visits a website whose certificate is not CT-qualified, an “untrusted” alert would warn the visitor that the domain could not be verified as having a known and registered owner.
“This will not impact Firefox, Safari or Edge browsers unless they implement some type of CT validation,” said Bruce Morton, director of certificate services with Entrust. But, he said, with Chrome market share hovering at 60 percent, most mobile and desktop browser sessions will be affected.
Experts say that by tightening the rules around certificates issued to websites, Google is hoping to reduce the number of certificate authorities that have been lax about whom they issue certificates to. In the past, a number of certificate authorities have issued certs to the wrong websites, creating opportunities for criminals to spoof a domain certificate as part of broader man-in-the-middle and website spoofing attacks.
The move has been viewed as a welcome improvement to an existing framework that can easily be abused by hackers, Morton said. Nevertheless, some have expressed hesitance about registering all their external and internal domain names inside one publicly accessible repository.
“One of the big issues of doing CT logging is the exposure of domain name information both outside and especially inside the enterprise,” Morton said. “Many of these companies would just as soon keep this information private.”
Sleevi said Google is encouraging any certificate authority participants with concerns about the CT validation program to bring grievances forward as soon as possible during the next three months so the IETF and the CA/Browser Forum can address them.