Last year Google once again flexed its muscles by announcing the requirement for Certificate Transparency for all new SSL/TLS certificates in October 2017. This has since been pushed back until April 2018.
This requirement means that Chrome will no longer trust new SSL/TLS certificates that are not qualified for Certificate Transparency (CT). CT is a method to publish all certificates in one or more publicly available CT logs, which meet the qualification requirements established by Google. CT logs can be audited to ensure they are honest. Domain owners and people all over the world can use the CT logs to monitor their domains and discover SSL/TLS certificates for more detailed information on CT visit our article What is CT?
Certificate Transparency Benefits?
There are two main benefits of CT:
- Domain Security: Owners of domains can monitor CT logs to see what certificates have been issued for their domains. This supports domain owner detection of fraudulent certificates, which may be used to attack their organization or users.
- Certificate Evaluation: Researchers can monitor or specifically review certificates to determine quality and compliance to SSL/TLS industry obligations.
What does CT logging do for me?
Not much really, other than preventing warnings in chrome. I guess it can be said that CT Logging improves security for your sites (domains) and organization by:
- Giving you a way to see a list of certificates issued for your sites.
If you monitor these logs, you can see all the certificates issued for your sites, and the issuing CA for each certificate. You can use this information to determine if a certificate is legit (authorized by you). If you were to find a rogue certificate, you can work with the issuing CA to get that certificate revoked.
Sounds great, but are there any drawbacks?
For the majority of site owners, none. If you have a public website, domain and organization information are already publicly available by looking at the details of the certificate on your site. But…
- A disadvantage of logging all SSL/TLS certificates is some domain names exposed may be considered private or security sensitive. Although many SSL/TLS certificates are available to the public, some are internal. Exposing all domain names would give an attacker a blue print of all secure servers.
- Some server host names of can expose their purpose or confidential information (e.g., hippa. example.com, payments.example.com, etc..).
- If domain owners do not CT log, it will cause trust issues with Chrome.
How to Keep Domain Names Private
When considering CT logging of public-trust certificates, there are several ways domain names can be kept private:
- Do not add private domains to the CT log: If the certificate is not CT logged, then the private domain name will not be exposed.
- Issue a Wildcard Certificate: Wildcard certificates may or may not expose private domains. For instance, the name “topsecret” could be protected by issuing a wildcard certificate *.example.com instead of topsecret.example.com; however, *.topsecret.example.com would expose “topsecret.”
- Majority of Certificate Authorities will have an option to turn off CT logging when enrolling, renewing, or reissuing an SSL certificate.
If you end up in a situation where you do need to keep a certificate out of these logs, make sure you understand that browsers, such as Google Chrome, with CT log policies will show untrusted warnings when individuals visit this site. The best resolution if you fall into this situation is to not use Chrome as a browser.