Making sure that Secure Sockets Layer (SSL) certificates are authentic and have not been improperly issued is a challenge the Google-led Certificate Transparency effort is aiming to help solve. Multiple vendors now supporting the Certificate Transparency effort include certificate management vendor Venafi and certificate authority (CA) DigiCert.
The Certificate Transparency initiative requires CAs to publish certificate information to a minimum of three log servers. CAs are the trusted authorities that can sell and manage SSL certificates. An issue that has come up in the past is that unauthorized SSL certificates were issued by CAs for domains, which is what happened with failed CA DigiNotar back in 2011.
Publishing to three log servers ensures that there are three records for an SSL certificate to help prevent unauthorized certificate issuance, said Gavin Hill, director of product marketing and threat intelligence at Venafi, one of the vendors deploying a Certificate Transparency log server as well as a monitoring server.
“With a monitoring server, you’re able to validate and also query other log servers to ensure that the copies of the certificates are indeed legitimate,” Hill told eWEEK.
The Certificate Transparency effort is designed to solve a different problem—if one of the SSL certificates is expired. Modern browsers include what is known as OCSP, or Online Certificate Status Protocol, which checks to make sure that SSL certificates are valid.
“The whole point of Certificate Transparency is to mitigate against the risk of a certificate mis-issuance, whenever they [CAs] are issuing an SSL certificate,” Hill said. “OCSP looks to see if the certificate is valid, but it doesn’t look to see if the certificate was fraudulently issued.”
DigiCert is also supportive of the effort and operates Certificate Transparency log servers.
“Certificate Transparency shines a light on CA practices and permits Website operators to quickly detect and remediate unauthorized certificates,” Jason Sabin, vice president of research and development at DigiCert, told eWEEK. “Unfortunately, this use is currently limited to EV [extended validation] certificates.”
EV certificates require CAs and their customers to perform additional verification and auditing before a certificate is issued to validate the identity of the person and the Website for which the EV certificate is being issued. In contrast, the more common domain validated (DV) certificates only require that the user that requests an SSL certificate is able to demonstrate that they control a given domain.
“Because DV Certificates, by virtue of the certificate’s lack of an out-of-band confirmation, are the most often exploited certificate type, excluding DV limits Certificate Transparency’s current usefulness,” Sabin said. “Once this scope is expanded to all certificate types, Certificate Transparency will become one of the most effective ways for a company to modify certificates issued for its domains.”
The other current limitation of Certificate Transparency is in the form of browser support. Hill noted that Certificate Transparency is currently only fully supported in Google’s own Chrome Web browser although other browser vendors are considering supporting the effort. One of the other browser vendors that might one day support Certificate Transparency is Mozilla with its Firefox Web browser.
“With regard to the Google Certificate Transparency project, in particular, we are following it closely and working with Google to see what might make sense for Firefox,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.
Even though only Chrome fully supports Certificate Transparency today, Sabin said, all Web users will benefit from the fact that every certificate is logged and it’s the logging that is really important.
“By ensuring all known certs are logged, Chrome has given Website operators the ability to view their entire global certificate landscape and instantly determine whether one was misused,” Sabin said. “They will know exactly what CAs are issuing for their domains and when their internal policies are being violated.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.