maxkabakov - Fotolia

News

Mandatory certificate transparency for Chrome trust starts Oct 2017

Certificate transparency compliance will be mandatory for publicly trusted website certificates in order to be considered secure by Google's Chrome browser.

Peter Loshin, Technology Editor

Published: 31 Oct 2016

Starting next year Google Chrome will only trust website certificates issued in October 2017 or later that comply with Google Chrome's certificate transparency policy.

The Google Chrome team announced the move at the 39th meeting of the CA/Browser Forum. The details of the decision were made public in an email message sent to the Certificate Transparency Policy mailing list by Ryan Sleevi, software engineer at Google.

Google's Certificate Transparency (CT) program offers an open framework through which to monitor and audit HTTPS certificates used by websites so that fraudulent or otherwise improperly issued certificates can be rooted out more efficiently.

"This is a significant step forward in the online trust ecosystem. The investments made by CAs adopting CT, and Chrome requiring it in some cases, have already paid tremendous dividends in providing a more secure and trustworthy Internet," Sleevi wrote in the email. "The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to mis-issuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs."

When certificates are issued improperly, whether through malice or error, they can be used to give users the appearance of security while actually being used for attacks. An improperly issued certificate could be used to create fake versions of authentic websites, which can then be used to capture unwary visitors' login credentials or other private information.

Certificate Transparency provides a mechanism for certificate authorities to register all certificates issued in a public log so details of all issued certificates can be reviewed by domain owners. It offers auditing and monitoring services that allow domain owners to determine whether a certificate has been maliciously or mistakenly issued.

Google's Certificate Transparency was initially defined as an experimental internet protocol in RFC 6962, "Certificate Transparency," published in 2013 by Google employees Ben Laurie, Adam Langley and Emilia Kasper.

Next Steps

Find out more about how certificate transparency spotted fake certificates from Symantec last year.

Learn about what happened when GlobalSign stumbled over its certificate revocation process.

Read about the benefits of automating backup processes related to certificate authorities.

Dig Deeper on Web browser security

Mozilla delays distrust of Symantec TLS certificates, Google doesn't Mozilla delays plans to distrust Symantec TLS certificates in Firefox because despite more than one year's notice, approximately 13,000 websites still use the insecure certificates.

Google Chrome helps clean up certificate authority industry The security industry has welcomed the introduction of measures by the Google Chrome browser aimed at achieving certificate transparency

Public key pinning: Why is Google switching to a new approach? After introducing HTTP Public Key Pinning to the internet two years ago, the upcoming Chrome will replace it with the Expect-CT header. Matt Pascucci explains the switch.

The Symantec-Google feud can't be swept under the rug The Symantec-Google feud regarding the antivirus vendor's web certificate practices appears to be over. But that doesn't mean it should be minimized or ignored.

How the use of invalid certificates undermines cybersecurity Symantec and other trusted CAs were found using bad certificates, which can create huge risk for internet users. Expert Michael Cobb explains how these incidents can be prevented.

Timeline: Symantec certificate authority improprieties Timeline: Follow along as Google and Mozilla raise issues with Symantec certificate authority actions, and then attempt to return trust to the CA giant.

Peter Loshin asks:

What do you see as the most important benefits from Google's certificate transparency policy?

Join the Discussion

SearchCloudSecurity

Mandatory certificate transparency for Chrome trust starts Oct 2017

Certificate transparency compliance will be mandatory for publicly trusted website certificates in order to be considered secure by Google's Chrome browser.

Next Steps

Dig Deeper on Web browser security

Join the conversation

1 comment

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

Benefits of using Azure Security Center for security assessments

Use Azure Security Center to conduct a security posture assessment

How container adoption affects container security

SearchNetworking

Why Secure Access Service Edge is the future of SD-WAN

5 common SD-WAN challenges and how to prepare for them

The top 10 network security best practices to implement today

SearchCIO

Don't let edge computing security concerns derail your plans

Risk-based digital identity benefits CIOs, CMOs and customers

Agile practices endure and continue to adapt

SearchEnterpriseDesktop

When not to convert basic disks to dynamic disks

Project Limitless' 5G PC and what desktop admins need to know

Jamf Protect offers visibility, protection for macOS admins

SearchCloudComputing

Top 5 benefits of hybrid cloud

AI-driven development trends shake up the cloud market

A primer on Alibaba Cloud for Western enterprises

ComputerWeekly.com

Public sector risks downplayed by senior IT leaders

Macy’s Magecart breach presages Christmas fraud spike

IoT growth set to come from managed data analytics

Next Steps

Related Resources

Dig Deeper on Web browser security

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.