Rolling Out Certificate Transparency to SSL Certificates

Introduction

GlobalSign complies with the Google Certificate Transparency Policy. When you place an order for an SSL/TLS Certificate, the ordering page includes the CT notice shown below: 

certificate_transparency.png

Overview of Certificate Transparency

What is Certificate Transparency?

Certificate Transparency is an open framework for monitoring and auditing SSL Certificate issuance, that helps protect any domain owner against several types of Certificate-based threats, including misissued Certificates, maliciously acquired Certificates, and rogue CAs. Transparency is achieved by having CAs post Certificates to publicly accessible Qualified CT Logs. Customers can create log monitors, which look for Certificates issued to their domains and detect misissuance in minutes.


CT logs are append-only logs and while anyone can post Certificates to the logs, it will be primarily used by CAs to post “Pre-Certificates”. When Pre-Certificates are posted to the logs, the log operator returns a Signed Certificate Timestamp which proves the Certificate was logged. This SCT can be used by browsers to validate that the Certificate was logged. SCTs can be distributed to the browser in a variety of mechanisms. 
For more information on Certificate Transparency and how it works, please refer to our blog post here


Why is Certificate Transparency needed?

While it is feasible for browsers to detect forged or fake SSL Certificates, it is difficult for browsers to detect mistakenly issued Certificates or Certificates that have been issued by a CA that’s been compromised or gone rogue. Google's Certificate Transparency Project aims to solve this issue by implementing an open framework of: Certificate logs, Certificate monitors and Certificate auditors.
The CT project describes the 3 main goals:
  • To make it impossible (or at least very difficult) for a CA to issue an SSL Certificate for a domain without the Certificate being visible to the owner of that domain
  • To provide an open auditing and monitoring system that lets any domain owner or CA determine whether Certificates have been mistakenly or maliciously issued
  • To protect users from being duped by Certificates that were mistakenly or maliciously issued  


What are the features of the Certificate Transparency?

The following features are the benefits that Certificate Transparency provides:
  • Early detection of misissued Certificates, malicious Certificates, and rogue CAs. In most cases, the Certificate Transparency system can detect suspect Certificates or CAs in a few hours instead of a few days, a few weeks, or a few months. 
  • Faster mitigation after suspect Certificates or CAs are detected. Although Certificate Transparency relies on existing mitigation mechanisms to address harmful Certificates and CAs--for example, Certificate revocation--the shortened detection time will speed up the overall mitigation process when harmful Certificates or CAs are discovered.
  • Better oversight of the entire TLS/SSL system. Certificate Transparency is founded on an open framework that supports public observation and verification of newly issued and existing TLS/SSL Certificates, which gives any interested party the opportunity to observe and verify the health and integrity of the TLS/SSL system--domain owners, CAs, and users alike.
  • Tighter Internet Security. Certificate Transparency strengthens the chains of trust that extend from CAs all the way down to individual servers, making HTTPS connections more reliable and less vulnerable to interception or impersonation. But what’s more, as a general security measure, Certificate Transparency helps guard against broader Internet security attacks, making browsing safer for all users.   


What happens to the Certificates I already have?

OV SSL issued prior to 06 November 2017 and DV SSL issued prior to 30 August 2016 are unaffected and won't be updated or posted. However, customers may reissue their Certificates if they want them to comply with the Google CT Policy. 

GlobalSign and Certificate Transparency

GlobalSign supports Certificate Transparency and the Google CT policy to promote transparency and openness in the ePKI ecosystem. For further inquiries, please feel free to submit a support ticket. 

Resources

1. Google Certificate Transparency Project 
2. 
Google Certificate Transparency Policy
3. Google Formalizes Certificate Transparency Policy for Non EV Certificates

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Please click the button below to log in or sign up.

Log In - Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.