Starting today, the Google Chrome browser will show a full-page warning whenever users are accessing an HTTPS website that's using an SSL certificate that has not been logged in a public Certificate Transparency (CT) log.
By doing so, Chrome becomes the first browser to implement support for the Certificate Transparency Log Policy. Other browser makers have also agreed to support this mechanism in the future, albeit they have not provided more details.
The CT logging policy dictates that Certificate Authorities (CAs) —the organizations that issue SSL certificates for supporting HTTPS connections— must publish logs with all the SSL certificates they have issued each day.
These logs must be public, so browser makers, fellow CAs, or independent researchers can freely investigate instances of misissued certificates at any time.
CAs have always kept logs of the certificates they issued, but these were private and only made available to browser makers when they were investigating instances of certificate misissuance.
With a market share of over 60 percent, most CAs saw the writing on the wall and began publishing public CT logs starting last year when it became evident that Google was set to implement this new policy in Chrome.
"Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy," Google engineer Devon O'Brien wrote in a Google Groups discussion earlier this year when he announced the new deadline.
"After this date, when Chrome connects to a site serving a publicly-trusted certificate that is not compliant with the Chromium CT Policy, users will begin seeing a full page interstitial indicating their connection is not CT-compliant," O'Brien added. "Sub-resources served over HTTPS connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools."
These changes have rolled out to Chrome desktop platforms first, which include Chrome for ChromeOS, Linux, macOS, and Windows.
Google engineers have also added a Chrome policy flag that allows sysadmins to disable the CT log-checking behavior in instances Chrome is deployed inside an intranet.
The new CT policy is not retroactive. This means that older certs issued before today that have not been recorded in a CT log will continue to work.
But if a CA has issued a new SSL cert starting today and has not recorded it in a public CT log, Chrome will show an error.
The good news is that many CAs have started logging certificates in public logs and sharing data with each other. Merkle Town (operated by CloudFlare) and Crt.sh (operated by Comodo) are two websites that aggregate CT logs.
Such tools have been instrumental earlier this year when a user noticed that the South Korean government-controlled CA had misissued an SSL certificate for the entire *.go.kr top-level domain, allowing its operator to intercept traffic for all websites using that TLD. That discovery was made by an independent security researcher, and with public CT logs now becoming a de-facto standard, expect more cases like this to surface in the future.