Google mandates logging of all SSL certificates issued by registered CAs

News by Jay Jay

SSL certificates issued by all registered Certificate Authorities (CAs) from today (1 May) onwards will need to be logged to confirm that such certificates are compliant with the new Chromium Certificate Transparency policy says Google.

Google recently announced that SSL certificates issued by all registered Certificate Authorities (CAs) from today (1 May) onwards will need to be logged to confirm that such certificates are compliant with the new Chromium Certificate Transparency policy.

The internet search giant added that if Chrome discovers that a certain website is secured by a publicly-trusted certificate that is not compliant with the Chromium CT Policy, visitors to the website will be warned that the connections are not CT compliant and web pages will be stopped from loading.

The announcement comes just a couple of weeks after Google launched Chrome 66 for Windows, Mac, Linux, Android, and iOS that is configured not to trust SSL certificates issued by Symantec before June 1, 2016. It is expected that Google will stop supporting other SSL certificates issued by Symantec once Chrome 70 is launched.

An SSL certificate basically encrypts all traffic that passes between a website and an internet browser and ensures that sensitive information submitted by website visitors such as credit card numbers, passwords, or online banking details are protected from external access.

Even though SSL certificates are considered the best available tools to ensure the security of data transmitted via websites, researchers at Recorded Future's Insikt Group discovered in February that a large number of made-to-order security certificates were being offered by Dark Web vendors by using stolen corporate identities such as Comodo, Thawte, and Symantec.

It is believed that enforcement of the new Chromium Certificate Transparency policy will curb the rise of counterfeit and made-to-order certificates. According to Acmetek Global Solutions, a provider of website security solutions, the new policy will allow researchers to monitor and review certificates to determine quality and compliance with SSL/TLS industry obligations.

At the same time, domain owners will also be able to monitor CT logs to see what certificates have been issued for their domains. This will let them identify fraudulent certificates which could be used to monitor or steal traffic passing through their domains. They should, however, note that the new announcement will only impact fresh SSL certificates issued after 30th April and certificates issued before this date will remain unaffected.

"Certificate Transparency (CT) is a mechanism which helps domain owners and industry watchdogs detect misissuance. It is a publically-available log of certificates that have been issued. This log lists all the certificate's information so that it can be inspected by anyone with an interest," wrote encryption expert Vincent Lynch.

"In practice there are multiple logs, which is needed due to the scale of the SSL ecosystem – millions of certificates are issued each year. Each log has to follow defined standards on what and how it stores the certificates."

Broderick Perelli-Harris, senior director of professional services at Venafi told SC Magazine UK that the new requirement of all SSL certificates issued by registered CAs to be logged is a very welcome move from Google as it will also curb the mis-issuance of certificates by CAs which usually end up impacting businesses.

"Businesses are starting to wake up to the problem, 80 percent of businesses say they are worried about future CA incidents affecting their operations. Google highlighting cases of mis-issuance will help companies protect themselves and their customers," he said.

However, he warned that Google's initiative will not protect businesses in the long run as businesses still need crypto-agility over security critical SSL/TLS Machine Identities, including keys and certificates as well as a way to process the intelligence that CT is providing so that they can take action to protect themselves.

"Given the current threatscape it is imperative that companies are able to identify, revoke and replace SSL/TLS certificates instantly. Unfortunately at present, very few have this capability – only 23 percent are completely confident in their ability to quickly find and replace all their impacted certificates.

"Worse, only eight percent have actually automated the process. The transparency log will help raise standards for CAs across the board, but it's impossible to remove errors entirely and companies have to be able to react quickly when problems occur," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews