SSL certificate transparency is a big deal because it addresses the growing problem of certificate mis-issuance in the SSL industry. For Certification Authorities (CAs), mis-issuance is one of the biggest challenges they face today; it can happen for a number of reasons, and each has the devastating effect of leaving certificate owners helpless.
One such event took place on the 10th of July 2010. DigiNotar, a well-known Dutch CA, was hacked. During the incident, the attackers issued over 500 SSL certificates, among them a wildcard certificate for the domain name *.google.com. That certificate was then used to conduct a man-in-the-middle attack, with users of Google services in Iran as the intended victims.
The fraudulent certificate came to the attention of an Iranian internet user who noticed that it appeared untrusted on a site posing as Google’s Gmail service. Gmail users were not affected thanks to an earlier security measure implemented by Google, referred to as “built-in certificate pinning”.
Certificate pinning forces all access to Google services to take place over HTTPS connections, and it presents users with security warnings that can’t simply be clicked through.
Image caption: the error message Google Chrome produced when Iranian Gmail users were targeted by a man-in-the-middle attack using an SSL certificate issued by DigiNotar in 2010.
In response, Google, Microsoft, Mozilla Firefox, Apple and Opera moved to blacklist the DigiNotar roots in their browsers (and operating systems), rendering the associated SSL certificates untrusted. Soon after, the embattled CA filed for bankruptcy, leaving many of its customers stunned and feverishly searching for a better solution.
One of the biggest concerns surrounding the DigiNotar incident was the delayed response: it took roughly a month for the CA to report that its network had been compromised. Another concern was that it was unable to confidently prove that all of the mis-issued certificates had been revoked.
What SSL certificate transparency is
Certificate transparency (CT) is intended as the solution for detecting and managing mis-issued certificates. Mis-issuance can occur through a CA hack, the issuance of a certificate with incorrect information, or the issuance of a certificate without the authority of the domain owner. Experts believe that giving the public a means to check the validity of SSL certificates against an online log is what will solve the problem.
How certificate transparency works
Certificate information is recorded in centralised logs kept by log servers, and the servers communicate with each other to spot any inconsistencies in the recorded certificate information. The logs are updated regularly, so website visitors (or any other party) interested in confirming the validity of an SSL certificate can check it against a publicly available log.
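To make the "log" in the paragraph above concrete, here is an added example (written for this page, not code from any CT log or browser): a CT log is an append-only Merkle hash tree as specified in RFC 6962 (revised as RFC 9162), and it proves that a certificate is included by returning the sibling hashes on the path from that leaf to the signed tree head, which anyone can recompute. The entries below are constructed byte strings standing in for certificates; the leaf/node hashing, proof construction and verification follow the RFC definitions, and the `demo` function and its entries are this example's own.

```python
import hashlib
from typing import List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # Leaves are hashed with a 0x00 prefix (interior nodes use 0x01) so that a
    # leaf can never be mistaken for an interior node (RFC 6962 section 2.1).
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    # Largest power of two strictly less than n (requires n >= 2).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: List[bytes]) -> bytes:
    # The tree head the log signs: the same entries in the same order always give
    # the same root, so any rewrite of history changes the root and is detectable.
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_proof(index: int, entries: List[bytes]) -> List[bytes]:
    # Sibling hashes from the leaf up to the root; a log returns this so a client
    # can confirm one certificate is in the tree without downloading the whole log.
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    # Recomputes the root from the leaf and the proof (RFC 9162 section 2.1.3.2).
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            # Skip levels where our subtree is the only (right-aligned) child.
            while fn != 0 and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def demo() -> Tuple[bool, bool]:
    # Constructed log entries standing in for DER-encoded certificates.
    entries = [f"cert-{i}:example.com".encode() for i in range(7)]
    root = merkle_tree_hash(entries)
    size = len(entries)
    all_ok = all(
        verify_inclusion(leaf_hash(e), i, size, inclusion_proof(i, entries), root)
        for i, e in enumerate(entries)
    )
    # A proof for a genuine entry must not vouch for a different certificate.
    forged = verify_inclusion(leaf_hash(b"cert-X:google.com"), 2, size,
                              inclusion_proof(2, entries), root)
    return all_ok, forged


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point for a defender is the last check in `demo`: a log that has published a tree head cannot later present a proof for a certificate it did not actually log, nor quietly drop one it did, because the recomputed root would no longer match the head everyone else has seen.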
What certificate transparency means for your business
Submitting your SSL certificate to a CT log is solely the responsibility of the CA you acquired the certificate from. While the CA has to perform the logging, businesses can still take action. Incidents like Let’s Encrypt’s issuance of over 14,000 domain-validated certificates with the company name “PayPal” in the common name show that businesses need to know of every certificate issued under their company name or domain. This is where CT logs become very valuable.
Tools like crt.sh have been around for a while and allow the public to query certificate information by domain name, organisation name or certificate public key.
Crt.sh query using a domain name.
Crt.sh query results showing the certificate’s log dates along with certificate details. To view a complete breakdown of our website’s SSL certificate logged by crt.sh, go here.
One of the newest CT log services was launched by Facebook. Like crt.sh, their tool lets you view certificate logs and information, but you can also subscribe to notifications for any new certificate log entries. The notification service is useful because it helps webmasters keep tabs on mis-issuance and general foul play associated with their domains.
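The monitoring the last few paragraphs describe (a crt.sh-style query for your domain, plus Facebook-style alerting on new entries) can be done by a business itself. The following is an added example for this page, not code from crt.sh, Facebook or any CA: it parses a constructed sample shaped like crt.sh’s JSON output (the field names `id`, `issuer_name`, `common_name` and `name_value` are assumed from that format; all values are made up), skips entries already processed on a previous run, and flags two things a domain owner cares about: a certificate for one of their names from a CA they never ordered from, and a certificate whose names contain their brand but sit under a domain they do not control, the pattern behind the “PayPal” incident above.

```python
import json
from typing import Dict, List, Set

# Constructed sample shaped like crt.sh's JSON output (field names assumed from
# that format; every value here is made up for the example).
SAMPLE_CRTSH_JSON = """[
  {"id": 100, "issuer_name": "C=US, O=Some Other CA, CN=Other DV CA",
   "common_name": "shop.example.com", "name_value": "shop.example.com",
   "not_before": "2017-03-01T00:00:00", "not_after": "2017-06-01T00:00:00"},
  {"id": 101, "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust DV",
   "common_name": "example.com", "name_value": "example.com\\nwww.example.com",
   "not_before": "2017-06-01T00:00:00", "not_after": "2018-06-01T00:00:00"},
  {"id": 102, "issuer_name": "C=US, O=Some Other CA, CN=Other DV CA",
   "common_name": "mail.example.com", "name_value": "mail.example.com",
   "not_before": "2017-07-10T00:00:00", "not_after": "2017-10-08T00:00:00"},
  {"id": 103, "issuer_name": "C=US, O=Some Other CA, CN=Other DV CA",
   "common_name": "example.com.login-secure.net",
   "name_value": "example.com.login-secure.net\\nwww.example.com.login-secure.net",
   "not_before": "2017-07-11T00:00:00", "not_after": "2017-10-09T00:00:00"}
]"""


def parse_records(text: str) -> List[Dict]:
    return json.loads(text)


def names_of(record: Dict) -> Set[str]:
    # Subject CN in common_name; subject alternative names one per line in name_value.
    names = {record.get("common_name", "")}
    names.update(record.get("name_value", "").split("\n"))
    return {n.strip().lower() for n in names if n.strip()}


def is_under(name: str, domain: str) -> bool:
    # "*.example.com" and "mail.example.com" count as ours; "example.com.evil.net" does not.
    return name == domain or name.endswith("." + domain)


def triage(record: Dict, domains: List[str], expected_issuers: Set[str],
           brand: str) -> List[str]:
    findings: List[str] = []
    names = names_of(record)
    ours = {n for n in names if any(is_under(n, d) for d in domains)}
    if ours and record.get("issuer_name") not in expected_issuers:
        findings.append("unexpected-issuer")  # a CA we never ordered from issued for our domain
    if any(brand in n for n in names - ours):
        findings.append("brand-lookalike")    # our brand inside a name we do not control
    return findings


def monitor(text: str, domains: List[str], expected_issuers: Set[str],
            brand: str, last_seen_id: int) -> Dict[int, List[str]]:
    # Only entries newer than the last processed id are examined, which is what a
    # subscription-style alert does on each run; the caller stores the highest id seen.
    alerts: Dict[int, List[str]] = {}
    for record in sorted(parse_records(text), key=lambda r: r["id"]):
        if record["id"] <= last_seen_id:
            continue
        findings = triage(record, domains, expected_issuers, brand)
        if findings:
            alerts[record["id"]] = findings
    return alerts


if __name__ == "__main__":
    expected = {"C=US, O=Example Trust CA, CN=Example Trust DV"}
    print(monitor(SAMPLE_CRTSH_JSON, ["example.com"], expected, "example", 100))
    # {102: ['unexpected-issuer'], 103: ['brand-lookalike']}
```

An "unexpected-issuer" hit is the CT answer to the DigiNotar question above: you learn about a certificate for your domain from a CA you never dealt with as soon as it is logged, rather than a month later. The brand check is deliberately coarse (substring match) because the goal is to surface candidates for a human to review, not to decide on its own.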
Of the major browsers available today, most of the news surrounding CT has come from Google Chrome and Mozilla Firefox. For both organisations, the move to create a more transparent and secure web means better experiences for their users.
As you’d imagine, creating a more secure web is no small feat, which is why Google set plans in motion to enforce full-page errors within Chrome for websites with untrusted SSL certificates.
Initially, enforcement of the full-page errors was to commence in October 2017, and the requirement applied to all certificate types and all CAs. Recently, however, concerns surrounding CT policies have seen the date pushed back by a year.
At present, extended validation SSL certificates are the only type of SSL certificate that CAs must submit information on.
CT is gaining traction; however, because not every CA has to commit to submitting all of its certificates, we could be a while away from a truly transparent ecosystem. This is largely because there is very little in the way of regulation for CAs when it comes to certificate mis-issuance cases, as was the case with DigiNotar. Browser organisations like Google Chrome and Mozilla Firefox have chosen to rise to the occasion in an attempt to protect the end user in a digital world that’s growing at a phenomenal rate.