SSL Certificate Transparency isn’t a new idea. In fact, it’s something that Google’s been trying to implement since around 2013. Recently, DigiCert released an article announcing that they will be submitting all newly issued and publicly trusted SSL certificates to Certificate Transparency logs by default from February 1, 2018.
DigiCert also points out that while they will be submitting all newly issued and publicly trusted certificates to CT logs, you can opt to not have your certificate logged using a newly developed feature (also available from February 1, 2018) that will be available to DigiCert customers through their CertCentral certificate management accounts.
SSL Certificate Transparency and not logging your certificates
While you can choose not to log your certificates, doing so will result in error messages for your website visitors from April, when Google Chrome begins enforcing CT compliance.
Why does Certificate Transparency matter?
Put simply, Google and other browsers think that the SSL certificate system contains several structural flaws which, if left unchecked, can allow hackers to perpetrate security attacks such as website spoofing (creating fake websites), server impersonation and man-in-the-middle attacks.
What is Certificate Transparency?
The flaw that Google sees in the SSL system is that there is no way for a browser to distinguish a legitimately issued SSL certificate from one issued to a fraudster.
Certificate Transparency was developed to address the structural flaws by making the issuance and existence of all certificates known via a public log.
Mini case study: DigiNotar shutdown after hack that led to certificate mis-issuance
On the 10th of July 2010, DigiNotar, a well-known Dutch CA, was hacked. During the incident, the attackers issued over 500 SSL certificates. Amongst these certificates was a wildcard certificate for the domain name *.google.com.
The certificate was then used to conduct a man-in-the-middle attack, with Google Services’ users in Iran being the intended victims.
The fraudulent certificate came to the attention of an Iranian internet user who noticed that it appeared to be untrusted on a site posing as Google’s Gmail service.
Gmail users were not affected due to an earlier security measure implemented by Google referred to as “built-in certificate pinning”.
Certificate pinning forces all access to Google Services to take place via HTTPS connections. It also presents users with security warnings that can’t simply be clicked through.
In response, Google, Microsoft, Mozilla Firefox, Apple and Opera moved to blacklist DigiNotar roots in browsers (and operating systems), rendering associated SSL certificates untrusted. Soon after, the embattled CA filed for bankruptcy, leaving many of their customers stunned and feverishly searching for a better solution.
One of the biggest concerns surrounding the DigiNotar incident was their delayed action, as it took roughly a month for the CA to report that its network had been compromised. Another concern was that they were unable to confidently prove that all the mis-issued certificates had been revoked.
How does Certificate Transparency help my business?
With access to public logs of all certificates that have been issued under your company’s name, you’ll be able to spot certificates that you did not order, which may have been mis-issued and be in use by fraudsters.
CT makes it possible for you to then contact your CA and have the bad certificates revoked immediately.
Does CT matter to my customers?
There’s a good chance that very few of your website visitors are aware of CT logging; nevertheless, failure to submit your SSL certificates for logging will result in website visitors receiving the dreaded “this website is not trusted” error message, which is never a good sign.
What about Symantec, Thawte, GeoTrust and RapidSSL branded certificates?
If you’re a customer with any of the above brands, there’s no need to take any action as your certificates have been logged by default and DigiCert’s announcement does not impact any of these products.
Where can I query the validity of a certificate belonging to my organisation?
Tools like crt.sh have been around for a while and allow the public to query certificate information by domain name, organisation name or certificate public key.
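The two sections above describe the defensive use of CT: pull the log entries for your domains and pick out any certificate you did not order. The script below is an added example, not code from the original article, from DigiCert or from crt.sh. It assumes the JSON record layout crt.sh returns for a query with output=json (keys such as issuer_name, name_value, serial_number, not_before and not_after); the four sample records are constructed for the demo and are not real log entries.

```python
"""Spot certificates in Certificate Transparency search results that your
organisation did not order.

Added example, not code from the original article or from DigiCert/crt.sh.
It assumes the JSON record layout crt.sh returns for ?output=json (keys such
as issuer_name, name_value, serial_number, not_before, not_after); the sample
records below are constructed for the demo and are not real log entries.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import quote
from urllib.request import urlopen


@dataclass(frozen=True)
class CtRecord:
    log_id: int
    issuer: str
    names: tuple          # every DNS name the certificate covers
    serial: str           # lowercase hex, colons removed
    not_before: datetime
    not_after: datetime


def parse_ct_records(raw_json: str) -> list:
    """Turn crt.sh-style JSON (assumed format) into CtRecord objects."""
    records = []
    for item in json.loads(raw_json):
        # crt.sh lists every SAN in name_value, one per line (assumed).
        names = tuple(n.strip().lower() for n in item["name_value"].split("\n") if n.strip())
        records.append(CtRecord(
            log_id=int(item["id"]),
            issuer=item["issuer_name"],
            names=names,
            serial=item["serial_number"].lower().replace(":", ""),
            not_before=datetime.fromisoformat(item["not_before"]),
            not_after=datetime.fromisoformat(item["not_after"]),
        ))
    return records


def find_unexpected(records, allowed_issuers, ordered_serials, now=None):
    """Return (record, reason) pairs for certificates that deserve a closer look.

    allowed_issuers: substrings that must appear in the issuer name of the CAs you buy from.
    ordered_serials: serial numbers (lowercase hex, no colons) of the certificates you ordered.
    Expired certificates are skipped: they can no longer be used against your visitors.
    """
    now = now or datetime.now()
    findings = []
    for rec in records:
        if rec.not_after < now:
            continue
        if not any(ca.lower() in rec.issuer.lower() for ca in allowed_issuers):
            findings.append((rec, "issuer not on the list of CAs we use"))
        elif rec.serial not in ordered_serials:
            findings.append((rec, "serial not among the certificates we ordered"))
    return findings


def fetch_crtsh(domain: str) -> str:
    """Live lookup (needs network; assumed crt.sh query format). Not used by the demo."""
    url = "https://crt.sh/?q=%s&output=json" % quote("%." + domain)
    with urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: what an organisation might see when searching for example.com.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "serial_number": "0A1B2C", "not_before": "2018-02-01T00:00:00", "not_after": "2020-02-01T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "common_name": "mail.example.com", "name_value": "mail.example.com",
     "serial_number": "0D0E0F", "not_before": "2018-03-01T00:00:00", "not_after": "2020-03-01T00:00:00"},
    {"id": 1003, "issuer_name": "C=ZZ, O=Unknown Issuer Ltd, CN=Unknown Issuer CA",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "serial_number": "ff00ff", "not_before": "2018-03-05T00:00:00", "not_after": "2019-03-05T00:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "common_name": "old.example.com", "name_value": "old.example.com",
     "serial_number": "123456", "not_before": "2015-01-01T00:00:00", "not_after": "2017-01-01T00:00:00"},
])

ALLOWED_ISSUERS = ["DigiCert"]      # the CA(s) this organisation actually buys from
ORDERED_SERIALS = {"0a1b2c"}        # serials of certificates the organisation ordered
CHECK_TIME = datetime(2018, 3, 10)  # fixed "now" so the demo is reproducible


def demo():
    records = parse_ct_records(SAMPLE_CRTSH_JSON)
    return find_unexpected(records, ALLOWED_ISSUERS, ORDERED_SERIALS, now=CHECK_TIME)


if __name__ == "__main__":
    for rec, reason in demo():
        print("crt.sh id %d  serial %s  names %s\n    issuer: %s\n    reason: %s"
              % (rec.log_id, rec.serial, ", ".join(rec.names), rec.issuer, reason))
```

On the sample data the demo flags two entries: the wildcard certificate from a CA the organisation never uses (the pattern from the DigiNotar case study above) and a certificate from the right CA whose serial nobody ordered. The expired entry is ignored. Either finding is the cue to contact your CA and ask for revocation, as the article describes; keeping ORDERED_SERIALS in sync with your own purchase records is what makes the second check meaningful.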
SSL Certificate Transparency is an important step towards creating a safer internet. DigiCert’s compliance ahead of April, when Google begins enforcing CT compliance, proves that DigiCert is doing their part to help make the web safer.
Beat Man-in-the-middle attacks with Strong SSL Encryption on your website
TrustTheSite.com is a platinum reseller of VeriSign, Thawte, GeoTrust, Comodo, RapidSSL and DigiCert SSL certificates. We offer the best pricing backed by personalised client support.
Call us on +27 23 004 0196 for a free no obligation discussion about your business needs and we’ll help you find the right certificate for your brand.