Firefox and Chrome will be implementing something called "Certificate Transparency" to resolve issues surrounding certificates and certificate authorities. What exactly is Certificate Transparency? What issues is it designed to remedy, and how?
Secure communications over the Internet rely on the SSL/TLS protocol, which uses digital certificates to provide authentication and encryption. It's therefore essential that the infrastructure behind the issuance of digital certificates is trustworthy. However, confidence in the certificate authority (CA) hierarchy of trust is being undermined. Certificates mistakenly issued by CAs have enabled hackers to abuse fraudulent certificates and launch a wide range of attacks, such as website spoofing, server impersonation and man-in-the-middle attacks.
Certificate Transparency (CT) is a proposal from Google that could help detect and respond to problems with fraudulent and stolen certificates and CAs whose issuing policies have been abused. It is an experimental protocol for publicly logging every certificate issued by compliant CAs, with browsers refusing to honor certificates that do not appear in a public CT log. The logs are append-only and cryptographically assured, the idea being that anyone can audit a CA's activity and identify the issuance of suspect certificates. If enough browsers implement CT and require a certificate to be logged, CAs and Web administrators would have a big incentive to ensure certificates are correctly logged.
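As an added illustration (not part of the original answer) of what "append-only and cryptographically assured" means in practice, the following Python builds a minimal RFC 6962-style Merkle tree log and shows how an auditor verifies, from a leaf and a short inclusion proof alone, that a certificate is really in the log. The log entries are constructed byte strings standing in for certificates; the log's signature on the tree head and consistency proofs between tree sizes are omitted.

```python
import hashlib

LOG = [f"constructed-cert-{i}".encode() for i in range(6)]  # stand-ins for DER certs

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(entry):
    return _h(b"\x00", entry)  # RFC 6962 domain-separates leaves with 0x00

def _split(n):
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two below n

def tree_head(entries):  # Merkle Tree Hash: the root the log signs in its STH
    n = len(entries)
    if n == 0:
        return _h()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return _h(b"\x01", tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_path(m, entries):  # sibling hashes proving leaf m is in the tree
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_head(entries[:k])]

def verify_inclusion(entry, index, tree_size, path, root):
    # Auditor side (RFC 9162 algorithm): rebuild the root from the leaf and
    # the proof alone; index and tree_size are all that fixes the tree shape.
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:          # p is a left sibling
            r = _h(b"\x01", p, r)
            while fn and not fn & 1:    # climb past levels with no sibling
                fn, sn = fn >> 1, sn >> 1
        else:                           # p is a right sibling
            r = _h(b"\x01", r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

Because every root commits to every leaf beneath it, a log operator cannot quietly alter or drop a logged certificate without the root (and every proof derived from it) changing, which is what lets outside auditors catch a CA's suspect issuance.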
Google is planning to implement CT in Chrome and begin requiring CT for all EV certificates in the near future; a check for CT information will be included in the TLS handshake. It is already running a certificate log server and there is information available in Chrome on the certificate transparency status of a given site using SSL. Mozilla is also going to support CT in Firefox, but initially it won't be turned on by default.
On paper, this is a promising approach to combating the risk of incorrect issuance, but quite an ecosystem needs to evolve before it becomes a fully viable and enforceable security control. The standards for CT are still being developed by the Internet Engineering Task Force and may change before they are finalized. Although some CAs -- including GlobalSign and DigiCert -- have already committed to CT, it will take some time before all the benefits of CT are realized even if it gains widespread adoption.
Trust in the Web is essential, and as so much of it depends on credible digital certificates, developing and implementing methods such as CT and certificate pinning to ensure Web server certificates can be trusted is imperative. The current experimental CT implementations will allow browser vendors to see how well it works at reducing various types of certificate-based threats, including "misissued" certificates, maliciously acquired certificates and rogue CAs.
It's early days and too soon to say whether Certificate Transparency will prove workable. It will certainly require the majority of CAs to cooperate and publish their certificates in public logs, but if they do, CT could have a significant effect on finding and revoking malicious or mistakenly issued certificates.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)