30 April 2018
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
Starting April 30, the Chrome browser will require all new certificates to be compliant with Certificate Transparency. This is a major change in the certificate ecosystem and was prepared over several years. Certificate Transparency has already played a major role in many cases of uncovering mistakes by certificate authorities.
The core idea of Certificate Transparency is relatively simple: All publicly issued certificates are stored in public append-only logs. These allow everyone to check whether illegitimate certificates for their domains have been issued. To show that a certificate has been logged, two so-called signed certificate timestamps (SCTs) have to be provided during the TLS handshake. An SCT is a signed statement from a log confirming that a certificate has been submitted.
There are different ways to deliver an SCT, but the most common one is to add it directly to the certificate itself. Most certificate authorities do this automatically, so there is nothing a site operator has to do manually. Because a CA can’t log a certificate before it’s been issued, these certificate-embedded SCTs require issuing a precertificate, which contains a special extension and is identical to the final certificate, except that it lacks the SCTs.
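As an added example (not code from the newsletter or from any CA), this parser reads the TLS-encoded SCT list that a CA embeds in a certificate (the payload of the 1.3.6.1.4.1.11129.2.4.2 extension) and counts how many distinct logs vouched for it; the two-SCT sample is constructed, with made-up log IDs and signature bytes, and no signature verification is performed.

```python
import struct
from datetime import datetime, timezone

# Hash/signature algorithm codes (RFC 5246 registry) as used in SCTs
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

def parse_sct(blob):
    """Parse one serialized v1 SCT (RFC 6962 section 3.2) into a dict."""
    if blob[0] != 0:  # only v1 SCTs are defined
        raise ValueError("unsupported SCT version %d" % blob[0])
    log_id = blob[1:33]                           # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack(">Q", blob[33:41])   # issuance time, ms since epoch
    (ext_len,) = struct.unpack(">H", blob[41:43])
    pos = 43 + ext_len
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", blob[pos:pos + 4])
    signature = blob[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    return {"log_id": log_id.hex(),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "extensions": blob[43:pos],
            "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
            "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
            "signature": signature}

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList once the DER OCTET STRING
    wrapper of the X.509 extension has been removed."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def distinct_logs(scts):
    """How many different logs signed for this certificate."""
    return len({s["log_id"] for s in scts})

# Constructed sample: two SCTs from two fake logs, sha256/ecdsa, no extensions
def build_sct(log_id, ts_ms, signature):
    body = b"\x00" + log_id + struct.pack(">QH", ts_ms, 0)
    body += struct.pack(">BBH", 4, 3, len(signature)) + signature
    return struct.pack(">H", len(body)) + body

_scts = (build_sct(b"\x11" * 32, 1525046400000, b"\x30" * 70)
         + build_sct(b"\x22" * 32, 1525046401000, b"\x30" * 71))
SAMPLE_SCT_LIST = struct.pack(">H", len(_scts)) + _scts
```

Running `parse_sct_list(SAMPLE_SCT_LIST)` yields two SCTs from two distinct logs, timestamped 30 April 2018 UTC; on a real certificate the list would be extracted from the extension first, and each signature checked against the log's key.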
This raises the question of whether both the precertificate and the final certificate should be logged or just the precertificate. Let’s Encrypt initially decided to log only the precertificate when it introduced SCTs, but it’s now working on logging the final certificate as well.
Although Certificate Transparency logging is now a requirement for new certificates, a rogue or compromised CA may still be able to create unlogged certificates by backdating them so that they appear to predate the requirement. Site operators can prevent this for their own domains by using the Expect-CT header.
The Hardenize service has added a check for Certificate Transparency compliance.