
Will the Google Certificate Transparency tool prevent certificate abuse?

Google's Certificate Transparency tool publicly logs certificates issued by CAs. Expert Michael Cobb explains how the log viewer works to improve certificate security.

As part of Google's effort to improve certificate security, the company has introduced the Google Certificate Transparency log viewer tool and also announced a specific log for untrusted certificate authorities. How do these additions work, and can they benefit enterprise security?

Secure communications over the internet rely heavily on digital certificates to provide authentication and encryption: they allow users to confirm that a server is in fact the server it claims to be, and they enable traffic to and from it to be encrypted. This prevents an attacker from impersonating a site or eavesdropping on communications with it. It is therefore critical that these certificates are valid and appropriately issued. However, over the past few years, trust and confidence in digital certificates and the certificate authorities (CAs) that issue them have taken a serious knock. The misissuance of certificates by CAs has enabled hackers to abuse fraudulent certificates and launch a wide range of attacks, such as website spoofing, server impersonation and man-in-the-middle attacks.

Google and other organizations, such as Venafi TrustNet, have launched various initiatives to safeguard the certificate issuance process and help detect and counter fraudulent and stolen certificates. The Google Certificate Transparency project provides an open framework for monitoring and auditing HTTPS certificates. Certificate Transparency (CT) is an experimental protocol put forward by Google for publicly logging every certificate issued by compliant CAs, the long-term goal being that browsers will refuse to honor certificates that do not appear in a public CT log.

Google's Certificate Transparency log viewer makes it simple to find and view all of the digital certificates issued for a given hostname recorded in public CT logs. The web-based app enables domain administrators to easily check whether a certificate for any of their domains and subdomains has been incorrectly issued. Users can also check and see who has issued a certificate for a particular website. Google has also introduced a new CT log for root certificates that were once, or are not yet, trusted by browsers. According to Google, keeping such records has been difficult, and this log will make its records more complete.

By making the issuance and existence of SSL certificates open to scrutiny by everyone, it becomes a lot harder for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain. In 2014, CT logs enabled Google to discover the issuance of Extended Validation precertificates for its domains by Symantec's Thawte-branded CA, none of which had been requested or authorized by Google.

Certificate Transparency does of course require certificate authorities to publicly declare certificates they have generated legitimately in a CT log. Some CAs have already committed to CT, including GlobalSign and DigiCert, and so far there are over 54 million entries in the set of CT logs that Google monitors. Domain admins should certainly run regular checks using the CT log viewer to ensure no certificates for their domains have been mistakenly or maliciously issued. The early detection of misissued or malicious certificates will prevent their misuse by cybercriminals looking to impersonate well-known and popular sites.
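The regular check described above, as an added example that is not part of the original article or of Google's tooling: the entries are constructed to mirror the shape of records a CT log search for a hostname returns (issuer, serial, subject names), and the trusted issuer list and serial inventory are assumed to come from the domain owner's own records.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CtEntry:
    """One certificate record as surfaced by a CT log search (constructed shape)."""
    issuer: str
    serial: str
    names: tuple  # subject CN plus subjectAltNames, may include wildcards

def covers_domain(name: str, domain: str) -> bool:
    """True if a certificate name is the domain itself or any subdomain of it.
    A wildcard name such as '*.example.com' is judged by its base name."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def audit_ct_entries(entries, domain, trusted_issuers, known_serials):
    """Return (serial, reason, matching names) for every logged certificate
    covering `domain` that was not issued by a trusted CA or is not in the
    owner's inventory of certificates it actually requested."""
    findings = []
    for e in entries:
        hits = [n for n in e.names if covers_domain(n, domain)]
        if not hits:
            continue  # certificate is for someone else's domain
        if e.issuer not in trusted_issuers:
            findings.append((e.serial, "unexpected issuer: " + e.issuer, hits))
        elif e.serial not in known_serials:
            findings.append((e.serial, "unrequested certificate from trusted issuer", hits))
    return findings

# Constructed sample log entries; issuer names and serials are placeholders.
SAMPLE_ENTRIES = (
    CtEntry("Example Trusted CA", "01", ("www.example.com", "example.com")),
    CtEntry("Example Trusted CA", "02", ("*.example.com",)),
    CtEntry("Example Other CA", "03", ("mail.example.com",)),
    CtEntry("Example Other CA", "04", ("example.org",)),
    CtEntry("Example Trusted CA", "05", ("notexample.com",)),
)

def run_sample_audit():
    """Audit the constructed entries for example.com; serial 01 is the only
    certificate the (hypothetical) domain owner knowingly requested."""
    return audit_ct_entries(SAMPLE_ENTRIES, "example.com",
                            trusted_issuers={"Example Trusted CA"},
                            known_serials={"01"})

if __name__ == "__main__":
    for serial, reason, names in run_sample_audit():
        print(f"serial {serial}: {reason} ({', '.join(names)})")
```

Entry 05 is deliberately not flagged: `notexample.com` shares a suffix with the domain but is not a subdomain of it, a distinction a naive substring match would get wrong.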


This was last published in August 2016
