
Mandatory certificate transparency for Chrome trust starts Oct 2017
Certificate transparency compliance will be mandatory for publicly trusted website certificates in order to be considered secure by Google's Chrome browser.
Starting next year, Google Chrome will trust website certificates issued in October 2017 or later only if they comply with Google Chrome's certificate transparency policy.
The Google Chrome team announced the move at the 39th meeting of the CA/Browser Forum. The details of the decision were made public in an email message sent to the Certificate Transparency Policy mailing list by Ryan Sleevi, software engineer at Google.
Google's Certificate Transparency (CT) program offers an open framework through which to monitor and audit HTTPS certificates used by websites so that fraudulent or otherwise improperly issued certificates can be rooted out more efficiently.
"This is a significant step forward in the online trust ecosystem. The investments made by CAs adopting CT, and Chrome requiring it in some cases, have already paid tremendous dividends in providing a more secure and trustworthy Internet," Sleevi wrote in the email. "The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to mis-issuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs."
When certificates are issued improperly, whether through malice or error, they can give users the appearance of a secure connection while actually enabling attacks. An improperly issued certificate could be used to create fake versions of authentic websites, which can then capture unwary visitors' login credentials or other private information.
Certificate Transparency provides a mechanism for certificate authorities to record every certificate they issue in a public log, so that the details of all issued certificates can be reviewed by domain owners. It offers auditing and monitoring services that allow domain owners to determine whether a certificate has been maliciously or mistakenly issued.
Google's Certificate Transparency was initially defined as an experimental internet protocol in RFC 6962, "Certificate Transparency," published in 2013 by Google employees Ben Laurie, Adam Langley and Emilia Kasper.