GlobalSign now complies with the Google Certificate Transparency Policy. As such, ordering pages now include the CT notice as shown below:
|January 1, 2015||GlobalSign publishes all EV SSL Certificates to qualified CT logs by default|
|August 30, 2016||GlobalSign publishes all Domain Validated (DV and Alpha) SSL to qualified CT logs by default|
|November 6, 2017||GlobalSign publishes all newly issued OV SSL Certificates to qualified CT logs by default|
Overview of Certificate Transparency
What is Certificate Transparency?
Certificate Transparency is an open framework for monitoring and auditing SSL Certificate issuance, that helps protect any domain owner against several types of certificate-based threats, including misissued certificates, maliciously acquired certificates, and rogue CAs. Transparency is achieved by having CAs post certificates to publicly accessible Qualified CT Logs. Customers can create log monitors, which look for certificates issued to their domains and detect misissuance in minutes.
CT logs are append-only logs and while anyone can post certificates to the logs, it will be primarily used by CAs to post “Pre-Certificates”. When Pre-Certificates are posted to the logs, the log operator returns a Signed Certificate Timestamp which proves the certificate was logged. This SCT can be used by browsers to validate that the certificate was logged. SCTs can be distributed to the browser in a variety of mechanisms.
For more information on Certificate Transparency and how it works, please refer to our blog post here.
Why is Certificate Transparency needed?
While it is feasible for browsers to detect forged or fake SSL certificates, it is difficult for browsers to detect mistakenly issued certificates or certificates that have been issued by a certificate authority (CA) that’s been compromised or gone rogue. The Certificate Transparency Project aims to solve this issue by implementing an open framework of: Certificate logs, Certificate monitors and Certificate auditors.
The CT project describes the 3 main goals:
- To make it impossible (or at least very difficult) for a CA to issue an SSL Certificate for a domain without the certificate being visible to the owner of that domain
- To provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued
- To protect users from being duped by certificates that were mistakenly or maliciously issued
What are the features of the Certificate Transparency?
The following features listed below are the benefits that Certificate Transparency provides:
- Early detection of misissued certificates, malicious certificates, and rogue CAs. In most cases, the Certificate Transparency system can detect suspect certificates or CAs in a few hours instead of a few days, a few weeks, or a few months.
- Faster mitigation after suspect certificates or CAs are detected. Although Certificate Transparency relies on existing mitigation mechanisms to address harmful certificates and CAs--for example, certificate revocation--the shortened detection time will speed up the overall mitigation process when harmful certificates or CAs are discovered.
- Better oversight of the entire TLS/SSL system. Certificate Transparency is founded on an open framework that supports public observation and verification of newly issued and existing TLS/SSL certificates, which gives any interested party the opportunity to observe and verify the health and integrity of the TLS/SSL system--domain owners, CAs, and users alike.
- Tighter Internet Security. Certificate Transparency strengthens the chains of trust that extend from CAs all the way down to individual servers, making HTTPS connections more reliable and less vulnerable to interception or impersonation. But what’s more, as a general security measure, Certificate Transparency helps guard against broader Internet security attacks, making browsing safer for all users.
What happens to the certificates I already have?
OV SSL issued prior to 06 November 2017 and DV SSL issued prior to 30 August 2016 are unaffected and won't be updated or posted. However, customers may reissue their certificates if they want them to comply with the Google CT Policy.
GlobalSign and Certificate Transparency
GlobalSign supports Certificate Transparency and the Google CT policy to promote transparency and openness. For further inquiries, please feel free to submit a support ticket.
Resources1. Google Certificate Transparency Project
2. Google Certificate Transparency Policy
3. Google Formalizes Certificate Transparency Policy for Non EV Certificates