Google’s Certificate Transparency is an open source project that aims to strengthen the SSL/TLS certificate system, the main cryptographic security system underlying all HTTPS secure connections. It is an extra tier of certificate security that forms a Security Triad to ensure that clients navigating the internet are safe and secure in regards to web security.
What Is Certificate Transparency (CT)?
As the name implies, CT allows people on the internet to look at all certificates that have been issued by a Certificate Authority (CA). This is achieved by logging every issued certificate to a collection of public log servers. These log servers talk to one another to ensure consistency and to reveal any unusual activity. Anyone can query the log servers to find out details on certificates that have been issued to anyone, by anyone. For example, a company could check to see what certificates have been created using its domains and details.
In a nutshell, Certificate Transparency is a third-party auditing log that Google/Chrome requires in order to display certificate ownership information. The information is publicly auditable. Once CT logging is enabled, that information becomes public and cannot be deleted from the log. The following information appears in the CT log:
- Common Name
- Subject alternative names
- Organization name
- CA (issuer) name
- Serial number
- Validity period
- Extensions
- Certificate chain
Note: much of this information is already publicly available for external sites.
The Security Triad:
If you haven’t noticed, over the years all client web browsers have been implementing various security notifications regarding the safety of websites. Browsers have become an Auditor of website security and show notifications to clients while they are web-surfing.
These notifications will typically show green bars or padlocks if everything is secure and safe, yellow exclamation marks to make clients aware that the website is not as secure as it could be, and lastly red strikes if the browser deems something unsafe for users. The notifications vary from browser to browser, but in the end these are all just disclaimers to inform web visitors of the safety of the website. Many things can contribute to these browser notifications, including outdated server software configurations, Mixed or Insecure Content, or the certificate running on the website.
Now with Certificate Transparency there is a Web Security Triad. Security is not just limited to the Certificate Authority (Monitor) and Client browser (Auditor) like it used to be. Here’s what’s going on now.
- CT is a logging system in the middle that holds time-stamped records of the certificates that have been issued by the various CAs.
- The CA informs the Log Server of all certificates that get issued.
- The CA Monitor and Browser Auditor work in conjunction with the CT Log Server to monitor and audit the logs for suspicious certs, and to verify that all the certs issued are visible to the public community.
- The Client browser Auditor verifies that the logs are behaving properly and informs clients of anything suspicious that has happened in regards to certificate security.
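The Auditor check in the last bullet is, concretely, Merkle-tree proof verification: a CT log is a Merkle hash tree over its entries, and a client that is handed a leaf plus an inclusion proof can recompute the tree head and confirm the certificate really is in the log. The Python below is an added example (not the project's own code) implementing the RFC 6962 leaf/node hashing, audit-path construction on the log side, and the inclusion-proof check on the auditor side; the log entries are constructed strings standing in for certificates.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry); the prefix separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_tree_hash(entries):
    """Merkle Tree Head (MTH) over a list of log entries, per RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = 1 << ((n - 1).bit_length() - 1)  # largest power of two strictly less than n
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))

def inclusion_proof(entries, index):
    """Log side: audit path for entries[index], ordered from the leaf up to the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = 1 << ((n - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_tree_hash(entries[:k])]

def verify_inclusion(leaf, index, tree_size, proof, root):
    """Auditor side: rebuild the root from a leaf hash and its audit path, compare to root."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in proof:
        if sn == 0:  # more path elements than a tree of this size can have
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling hash sits to the left of our subtree
            while not fn & 1 and fn != 0:  # skip levels where we are a lone right node
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)  # sibling hash sits to the right of our subtree
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed sample entries standing in for the DER-encoded (pre)certificates a log holds.
SAMPLE_ENTRIES = [f"constructed-cert-{i}".encode() for i in range(7)]
```

A proof that is truncated, built for a different tree size, or presented for a certificate that is not really in the log fails the check, which is exactly the "logs behaving properly" condition the Auditor is after.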
CT is something that happens behind the scenes and is pretty much unnoticeable to browser clients navigating the web, but with its implementation there is a faster response and an extra tier of client safety when navigating the web.
For more information on Certificate Transparency, feel free to visit http://www.certificate-transparency.org
Posted by:
Dominic Rafael
Senior Lead IT Engineer