GlobalSign has announced that its Domain Validated (DV and Alpha) SSL products will comply with the Google Certificate Transparency Policy starting on August 30, 2016. From that date, GlobalSign will post all newly issued DV/Alpha SSL Certificates to qualified CT Logs and include the required number of Signed Certificate Timestamps (SCTs) in the issued certificates. The Domain SSL/Alpha SSL ordering pages will display the CT notice already shown on EV SSL ordering pages:

| Date | Change |
|---|---|
| January 1, 2015 | GlobalSign publishes all EV SSL Certificates to qualified CT logs by default |
| August 30, 2016 | GlobalSign publishes all Domain Validated (DV and Alpha) SSL Certificates to qualified CT logs by default |
| To be determined | End of support for SSL products that are not CT compliant |
Overview of Certificate Transparency
What is Certificate Transparency?
Certificate Transparency is an open framework for monitoring and auditing SSL Certificate issuance that helps protect domain owners against several types of certificate-based threats, including misissued certificates, maliciously acquired certificates, and rogue CAs. Transparency is achieved by having CAs post certificates to publicly accessible Qualified CT Logs. Customers can create log monitors that watch for certificates issued for their domains and detect misissuance within minutes.
CT logs are append-only. Anyone can post certificates to them, but they are used primarily by CAs to post "Pre-Certificates". When a Pre-Certificate is posted, the log operator returns a Signed Certificate Timestamp (SCT), which proves that the certificate was logged. Browsers can use the SCT to validate that the certificate was logged. SCTs can be delivered to the browser through a variety of mechanisms.
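The embedded-SCT delivery path just described, as an added example that is not GlobalSign's or the CT project's code: a parser for the RFC 6962 SignedCertificateTimestampList that a CA embeds in a certificate's SCT extension (OID 1.3.6.1.4.1.11129.2.4.2), run over a constructed two-SCT sample whose log IDs and signatures are made up and are not verified here; the point is to count the SCTs a certificate carries and to reject a truncated list.

```python
import struct
from datetime import datetime, timezone

def _take(buf, pos, n):  # slice buf[pos:pos+n], refusing to read past the end
    if pos + n > len(buf):
        raise ValueError("truncated SCT data at offset %d" % pos)
    return buf[pos:pos + n], pos + n

def _u16(buf, pos):  # big-endian uint16 length prefix
    raw, pos = _take(buf, pos, 2)
    return struct.unpack("!H", raw)[0], pos

def parse_sct(sct):
    """Decode one RFC 6962 v1 SignedCertificateTimestamp structure."""
    version, pos = _take(sct, 0, 1)
    if version != b"\x00":                 # v1 is the only version RFC 6962 defines
        raise ValueError("unknown SCT version %r" % version)
    log_id, pos = _take(sct, pos, 32)      # SHA-256 of the log's public key
    ts_raw, pos = _take(sct, pos, 8)       # milliseconds since the Unix epoch
    ext_len, pos = _u16(sct, pos)
    _ext, pos = _take(sct, pos, ext_len)   # v1 extensions are always empty
    algs, pos = _take(sct, pos, 2)         # TLS hash and signature algorithm ids
    sig_len, pos = _u16(sct, pos)
    sig, pos = _take(sct, pos, sig_len)
    ts = datetime.fromtimestamp(struct.unpack("!Q", ts_raw)[0] / 1000, tz=timezone.utc)
    return {"log_id": log_id.hex(), "timestamp": ts,
            "hash_alg": algs[0], "sig_alg": algs[1], "signature": sig}

def parse_sct_list(blob):
    """Decode a SignedCertificateTimestampList: u16 length, then u16-prefixed SCTs."""
    total, pos = _u16(blob, 0)
    body, pos = _take(blob, pos, total)
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        n, p = _u16(body, p)
        raw, p = _take(body, p, n)
        scts.append(parse_sct(raw))
    return scts

# Constructed sample: two v1 SCTs stamped 2016-08-30 00:00 UTC (fake log ids, dummy signatures).
def _make_sct(log_byte, ts_ms):
    body = (b"\x00" + bytes([log_byte]) * 32 + struct.pack("!Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + b"\x00\x04\xde\xad\xbe\xef")   # sha256, ecdsa, 4-byte sig
    return struct.pack("!H", len(body)) + body

_SCTS = b"".join(_make_sct(b, 1472515200000) for b in (0xAA, 0xBB))
SAMPLE_SCT_LIST = struct.pack("!H", len(_SCTS)) + _SCTS
```

On a real certificate, pass the contents of the SCT extension (after stripping its DER OCTET STRING wrapper) to `parse_sct_list`; the number of entries returned is the count a CT policy compares against its required minimum.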
How does it work?
Certificate Transparency adds three new functional components to the current SSL certificate system:
- Certificate logs
- Certificate monitors
- Certificate auditors
Why is Certificate Transparency needed?
While it is feasible for browsers to detect forged or fake SSL certificates, it is difficult for them to detect mistakenly issued certificates, or certificates issued by a certificate authority (CA) that has been compromised or gone rogue. The Certificate Transparency Project aims to solve this by implementing an open framework of certificate logs, certificate monitors and certificate auditors.
The CT project describes three main goals:
- To make it impossible (or at least very difficult) for a CA to issue an SSL Certificate for a domain without the certificate being visible to the owner of that domain
- To provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued
- To protect users from being duped by certificates that were mistakenly or maliciously issued
What are the features of Certificate Transparency?
Certificate Transparency provides the following benefits:
- Early detection of misissued certificates, malicious certificates, and rogue CAs. In most cases, the Certificate Transparency system can detect suspect certificates or CAs within hours rather than days, weeks, or months.
- Faster mitigation after suspect certificates or CAs are detected. Although Certificate Transparency relies on existing mitigation mechanisms to address harmful certificates and CAs (for example, certificate revocation), the shortened detection time speeds up the overall mitigation process once harmful certificates or CAs are discovered.
- Better oversight of the entire TLS/SSL system. Certificate Transparency is founded on an open framework that supports public observation and verification of newly issued and existing TLS/SSL certificates, giving any interested party the opportunity to observe and verify the health and integrity of the TLS/SSL system: domain owners, CAs, and users alike.
- Tighter Internet security. Certificate Transparency strengthens the chains of trust that extend from CAs all the way down to individual servers, making HTTPS connections more reliable and less vulnerable to interception or impersonation. Moreover, as a general security measure, Certificate Transparency helps guard against broader Internet security attacks, making browsing safer for all users.
What happens to the certificates I already have?
Certificates issued prior to August 30, 2016 are unaffected and will not be updated or posted. However, customers may reissue their certificates if they want them to comply with the Google CT Policy.
GlobalSign and Certificate Transparency
With this change, all GlobalSign Domain Validated Certificates will comply with Google's announcement from May 2016 regarding the increased scope of the Google CT policy. The policy has been expanded to cover all types of SSL Certificates rather than just Extended Validation SSL. For EV Certificates, Chrome enforces CT by not displaying the green bar for certificates that do not comply. Chrome has not yet announced any treatment changes for non-EV Certificates; however, we recommend complying early to avoid degraded browser treatment before your certificate expires and is renewed.
GlobalSign supports Certificate Transparency and the Google CT policy to promote transparency and openness. We have been including SCTs in our EV SSL Certificates for over a year and plan to include Organization Validated (OV) Certificates in the near future.
For further inquiries, please feel free to submit a support ticket.
Resources
1. Google Certificate Transparency Project
2. Google Certificate Transparency Policy
3. Google Formalizes Certificate Transparency Policy for Non-EV Certificates