How Certificate Transparency stops SSL abuse

Certificate Transparency is an open framework, originally created by Google and standardized in RFC 6962, that makes the issuance of SSL certificates publicly visible by recording them in tamper-evident logs. Because anyone can inspect what has been issued, a fake, forged, or otherwise maliciously acquired certificate can be spotted quickly rather than relying on the issuing CA to notice. In this blog post, we’ll give a brief overview of why the system was created, how it works, and what it means for you.

Read on to find out more.

Why Certificate Transparency?

Certificate Transparency addresses a structural weakness of the SSL certificate system that cryptography alone can’t fix: any of the hundreds of trusted Certificate Authorities (CAs) can issue a certificate for any domain, and a certificate issued by a compromised or careless CA carries a perfectly valid signature. A browser that trusts that CA therefore has no way to tell a misissued certificate from a legitimate one in real time. If an SSL has been misissued by a CA, sometimes this isn’t detected for weeks or months. When it is detected, the SSL will likely be revoked, and browsers will then know that a site presenting that SSL is not to be trusted and will warn users accordingly. Until that happens, though, the site with the misissued SSL certificate may have tricked many unsuspecting users with an inauthentic site; for example, a phishing site spoofing a legitimate site.

Certificate Transparency helps prevent such malicious SSL certificate-based scenarios from playing out, because a logged certificate becomes publicly visible within hours of issuance (each log commits to publishing an entry within its maximum merge delay, typically 24 hours) rather than staying hidden for weeks.

How Certificate Transparency works

Certificate Transparency is made up of three main components:

  • Certificate logs
  • Monitors
  • Auditors

Let’s discuss each component in more detail.

Certificate logs are simple network services where CAs publish the certificates they issue. Each log is a cryptographically assured, publicly auditable, append-only record: entries are stored as the leaves of a Merkle hash tree, the log periodically signs the tree’s root hash (a Signed Tree Head), and any attempt to alter or remove an earlier entry changes that hash and can be detected. Anyone can submit a certificate that chains to a root the log accepts, but in practice it is CAs that do so, since browsers require it. When a log accepts a certificate, it returns a Signed Certificate Timestamp (SCT): a signed promise to include the certificate in the log within a fixed time window. The SCT is usually embedded in the certificate itself (the CA logs a precertificate, then issues the final certificate with the SCTs inside), though it can also be delivered in a TLS extension or a stapled OCSP response. Once logged, a certificate stays in the log permanently and cannot be removed, even after it expires.

Monitors are services run by domain owners, CAs, or third parties that continuously watch the logs for suspicious activity: certificates issued for a domain that the owner never requested, certificates from an unexpected CA, or SSLs with unusual permissions or extensions. A monitor only catches what it is configured to watch for, so domain owners should monitor their own names rather than assume someone else will.
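Here is what the monitoring rules described above look like in practice, as an added example that is not code from the original post. The log entries, the zone inventory and the issuer names are all constructed for illustration (a real monitor would fill these from a log’s entries or a CT search service); the two rules it applies are an issuer allowlist per zone and a flag on wildcard issuance, with domain matching done on a label boundary so look-alike names do not slip through.

```python
"""A minimal CT monitor: rules run over constructed log entries.

Added example, not code from the original post. Each entry carries the fields a
monitor extracts from a logged (pre)certificate; the zone inventory, authorised
issuer names and entries below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    index: int  # position of the entry in the log
    issuer: str
    name: str
    reason: str


def in_zone(name: str, zone: str) -> bool:
    """True if a certificate name falls inside a zone we own.

    Matching is on a label boundary, so "notexample.com" and
    "example.com.evil.net" do not match "example.com"; a wildcard name is
    judged by the part after "*.".
    """
    host = name[2:] if name.startswith("*.") else name
    return host == zone or host.endswith("." + zone)


def monitor(entries: List[dict], zones: Dict[str, Set[str]]) -> List[Finding]:
    """Flag entries for our zones from an issuer we did not authorise, and
    wildcard issuance (it covers every subdomain) even from an authorised one."""
    findings: List[Finding] = []
    for entry in entries:
        for name in entry["sans"]:
            name = name.lower()
            for zone, authorised in zones.items():
                if not in_zone(name, zone):
                    continue
                if entry["issuer"] not in authorised:
                    findings.append(Finding(entry["index"], entry["issuer"], name,
                                            "issuer not authorised for this zone"))
                elif name.startswith("*."):
                    findings.append(Finding(entry["index"], entry["issuer"], name,
                                            "wildcard certificate; confirm it was requested"))
    return findings


# Constructed sample data (not real log entries, CAs or domains).
ZONES = {"example.com": {"O=Example Trust CA, CN=Example Trust DV"}}
ENTRIES = [
    {"index": 1001, "issuer": "O=Example Trust CA, CN=Example Trust DV",
     "sans": ["example.com", "www.example.com"]},
    {"index": 1002, "issuer": "O=Example Trust CA, CN=Example Trust DV",
     "sans": ["*.example.com"]},
    {"index": 1003, "issuer": "O=Some Other CA, CN=Some Other DV",
     "sans": ["login.example.com"]},
    {"index": 1004, "issuer": "O=Some Other CA, CN=Some Other DV",
     "sans": ["notexample.com", "example.com.evil.net"]},
]

if __name__ == "__main__":
    for f in monitor(ENTRIES, ZONES):
        print(f"entry {f.index}: {f.name} from {f.issuer!r}: {f.reason}")
```

Run as-is, it reports entry 1002 (an authorised CA issuing a wildcard) and entry 1003 (an unauthorised CA issuing for login.example.com); entry 1004 is ignored because neither name is actually inside the monitored zone.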

Auditors are software components, sometimes built into clients, that periodically check that the logs are behaving correctly: that a certificate with an SCT really was included in the log as promised, and that each new version of a log is a consistent extension of the previous one, with nothing rewritten or dropped. A log caught misbehaving loses the trust of browsers and is effectively shut down.
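The two properties the log and auditor descriptions rely on, that the log is append-only and that inclusion can be proven, come from the Merkle hash tree defined in RFC 6962. The following added example (not code from the original post, standard library only) builds that tree over constructed placeholder entries and runs the two auditor checks: an inclusion proof for a single entry, and a consistency proof between an older and a newer tree head. It then shows both checks failing against a forged entry and against a log that rewrote its history after signing a tree head.

```python
"""RFC 6962 Merkle tree: why a CT log is append-only and publicly auditable.
Added example, not code from the original post; standard library only. Entries
are constructed placeholder byte strings (a real log hashes the DER-encoded
(pre)certificate wrapped in a MerkleTreeLeaf structure).
"""
import hashlib
from typing import List


def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix for leaves, 0x01 for interior nodes: an interior node can
    # never be passed off as a logged entry (RFC 6962 section 2.1).
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(leaves: List[bytes]) -> bytes:
    """Merkle Tree Hash: the value a log signs into each Signed Tree Head (STH)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path showing that leaves[index] sits under tree_head(leaves)."""
    if len(leaves) == 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [tree_head(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [tree_head(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, size: int, path: List[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (RFC 9162 section 2.1.3.2)."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while (fn & 1) == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def consistency_proof(leaves: List[bytes], first: int) -> List[bytes]:
    """Proof that the tree over leaves[:first] is a prefix of the tree over all leaves."""
    if not 0 < first <= len(leaves):
        raise ValueError("first out of range")

    def subproof(m: int, d: List[bytes], complete: bool) -> List[bytes]:
        if m == len(d):
            return [] if complete else [tree_head(d)]
        k = _split_point(len(d))
        if m <= k:
            return subproof(m, d[:k], complete) + [tree_head(d[k:])]
        return subproof(m - k, d[k:], False) + [tree_head(d[:k])]

    return subproof(first, leaves, True)


def verify_consistency(first: int, second: int, first_hash: bytes, second_hash: bytes, path: List[bytes]) -> bool:
    """Auditor check between two STHs (RFC 9162 section 2.1.4.2): the log at size
    `second` must still contain, unchanged, everything it held at size `first`."""
    if not 0 < first < second or not path:
        return False
    path = list(path)
    if first & (first - 1) == 0:  # old tree was perfect, so its root is the first path node
        path.insert(0, first_hash)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while (fn & 1) == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == first_hash and sr == second_hash


def demo() -> dict:
    """Five constructed entries, then the checks an auditor runs against the log's tree heads."""
    leaves = [leaf_hash(b"constructed-cert-%d" % i) for i in range(5)]
    root3, root5 = tree_head(leaves[:3]), tree_head(leaves)
    forged = leaf_hash(b"constructed-cert-never-logged")
    # A log that silently swaps entry 1 after signing root3 has a different history.
    rewritten = leaves[:1] + [forged] + leaves[2:]
    return {
        "genuine_entry_included": verify_inclusion(leaves[2], 2, 5, inclusion_proof(leaves, 2), root5),
        "forged_entry_rejected": not verify_inclusion(forged, 2, 5, inclusion_proof(leaves, 2), root5),
        "honest_growth_consistent": verify_consistency(3, 5, root3, root5, consistency_proof(leaves, 3)),
        "rewritten_history_detected": not verify_consistency(
            3, 5, root3, tree_head(rewritten), consistency_proof(rewritten, 3)),
    }
```

The consistency check is the one that makes "append-only" more than a policy statement: an auditor that has seen an earlier Signed Tree Head can demand a proof that the current tree still contains everything the earlier one did, and a log that dropped or replaced an entry cannot produce one. In a real deployment the tree heads and proofs come from the log’s HTTP API and the tree-head signatures are verified against the log’s public key first; that part is outside this example.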

These three components work in tandem to ensure that the open framework of Certificate Transparency runs correctly and efficiently.

Does Certificate Transparency affect you?

Only in a good way! Certificate Transparency has been around for a while now, and Google’s Chrome browser has required it for all certificates issued since April 30, 2018. You probably haven’t noticed because it’s strictly a behind-the-scenes affair. It doesn’t affect the process of purchasing, activating, or using an SSL certificate, or browsing the Internet. However, it has had a significant impact on the SSL industry as a whole. So far, thousands of misissued SSL certificates have been discovered and revoked, and some CAs that misissued certificates have even been shut down. You can see Certificate Transparency in action by checking this site from Sectigo. Simply enter a domain and you can see all SSLs that were issued for it since Certificate Transparency began.

The existence of Certificate Transparency protects everyone involved with SSL certificate use, from CAs and domain owners to website users. It doesn’t physically stop a CA from issuing an SSL for a website without the owner’s knowledge, but it makes it extremely difficult to do so without the owner being able to find out, while the open system of monitoring and auditing allows website owners and CAs alike to check for wrongly issued certificates. On the user side, website visitors are protected from being duped by malicious websites presenting misissued SSL certificates.

Wrap Up

In this article, you learned the basic facts around Certificate Transparency and how it works. You can find more in-depth information about the project here. If you’ve been thinking of securing your site with an SSL certificate, check out the SSLs we have to offer.
