The public logs record every issued certificate so that it can be inspected by anyone, and industry commentators believe that, coupled with rules that restrict which CAs may issue certificates for which domains, the move represents a significant step forward in improving internet security.
Any website with a secure sockets layer (SSL) or transport layer security (TLS) certificate that is not logged will trigger a browser warning that tells users the website’s certificate is not compliant with Google Chrome’s transparency policy and might not be safe.
Any elements of a website served over HTTPS connections that are not compliant will fail to load and will show an error in Chrome DevTools.
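As an added example (not part of the article), this is the check a site operator would run over their own certificates before the enforcement date: a parser for the embedded SCT list that Chrome looks for in a certificate, followed by the SCT-count rule. It assumes the embedded-SCT thresholds of Chrome's CT policy as published at the time and uses constructed log ids and sample data; verifying the SCT signatures against the logs' public keys is out of scope.

```python
import struct
from datetime import datetime, timezone

# RFC 6962 s3.3: SCT = version(1) | log_id(32) | timestamp(8, ms) | extensions(2-byte len + data)
# | hash_alg(1) | sig_alg(1) | signature(2-byte len + data). The list carried in X.509 extension
# 1.3.6.1.4.1.11129.2.4.2 is a 2-byte total length followed by 2-byte-length-prefixed SCTs.
def parse_sct_list(data: bytes) -> list:
    """Split an embedded SCT list into dicts; signatures are not verified here."""
    (total,) = struct.unpack(">H", data[:2])
    body, scts, pos = data[2:2 + total], [], 0
    if len(body) != total:
        raise ValueError("truncated SCT list")
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        sct, pos = body[pos + 2:pos + 2 + n], pos + 2 + n
        if len(sct) < 47 or sct[0] != 0:                       # v1 only
            raise ValueError("malformed or unsupported SCT")
        sig = 43 + struct.unpack(">H", sct[41:43])[0]          # offset of the hash_alg byte
        if sig + 4 > len(sct) or sig + 4 + struct.unpack(">H", sct[sig + 2:sig + 4])[0] != len(sct):
            raise ValueError("SCT length mismatch")
        ts_ms = struct.unpack(">Q", sct[33:41])[0]
        scts.append({"log_id": sct[1:33].hex(), "signature": sct[sig + 4:],
                     "timestamp": datetime.fromtimestamp(ts_ms / 1000, timezone.utc)})
    return scts

def required_embedded_scts(lifetime_months: float) -> int:
    # Assumed thresholds from Chrome's CT policy as published in 2018; re-check the current policy.
    if lifetime_months < 15:
        return 2
    return 3 if lifetime_months <= 27 else 4 if lifetime_months <= 39 else 5

def chrome_ct_compliant(scts: list, lifetime_months: float, google_log_ids: set) -> tuple:
    """Embedded-SCT rule: enough SCTs from distinct logs, at least one Google and one non-Google log."""
    ids, need = {s["log_id"] for s in scts}, required_embedded_scts(lifetime_months)
    if len(ids) < need:
        return False, f"{len(ids)} SCT(s) from distinct logs, policy needs {need}"
    if not (ids & google_log_ids) or not (ids - google_log_ids):
        return False, "need at least one Google-operated and one non-Google log"
    return True, "compliant"

def _fake_sct(log_id_hex: str, ts_ms: int) -> bytes:
    # Constructed v1 SCT with empty extensions and a dummy 4-byte signature (sample data only).
    body = b"\x00" + bytes.fromhex(log_id_hex) + struct.pack(">Q", ts_ms) + b"\x00\x00\x04\x03\x00\x04\xde\xad\xbe\xef"
    return struct.pack(">H", len(body)) + body

GOOGLE_LOG, OTHER_LOG = "01" * 32, "02" * 32          # constructed stand-ins for real log ids
_items = _fake_sct(GOOGLE_LOG, 1524000000000) + _fake_sct(OTHER_LOG, 1524000001000)
SAMPLE_SCT_LIST = struct.pack(">H", len(_items)) + _items   # two SCTs, as a short-lived cert would carry
```

The same two SCTs satisfy the rule for a one-year certificate but not for a two-year one, which is the case operators most often miss when they audit what they have deployed.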
The aim is to improve certificate transparency to better protect both users and companies from becoming victims of certificate misuse.
Cyber criminals have increasingly targeted internet users by finding ways to issue their own certificates. The move is also aimed at improving the processes for identifying and revoking illegitimate certificates.
Google Chrome is reportedly in use by 60% of the market and is using its market dominance to drive better practices, with most other major browsers expected to follow its example.
Broderick Perelli-Harris, senior director for professional services at Venafi, said the move from Google is welcome as another step towards enforcing best practice for the CA industry.
“From Trustico to GlobalSign, there have been plenty of recent cases of CA errors that impact businesses – and businesses are starting to wake up to the problem: 80% of businesses say they are worried about future CA incidents affecting their operations. Google highlighting cases of mis-issuance will help companies protect themselves and their customers,” he said.
However, Perelli-Harris said the flipside is that companies need both a way to process the intelligence that certificate transparency is providing and a way to respond. “They need to be able to take action to protect themselves.
“This is why businesses need crypto-agility over security-critical SSL/TLS machine identities, including keys and certificates. Given the current threatscape, it is imperative that companies are able to identify, revoke and replace SSL/TLS certificates instantly.
“Unfortunately, at present, very few have this capability. According to Venafi research, only 23% are completely confident in their ability to quickly find and replace all their impacted certificates, and only 8% have actually automated the process,” he said.
“The transparency log will help raise standards for CAs across the board, but it’s impossible to remove errors entirely, and companies have to be able to react quickly when problems occur.”