Chrome Browser Now Enforces Certificate Transparency
4.5.18 securityweek Safety
Effective May 1, Google’s Chrome browser will display a warning when encountering certificates that are not compliant with the Chromium Certificate Transparency (CT) Policy.
The Google-backed CT initiative attempts to tackle the problem of fraudulently issued certificates by requiring Certificate Authorities (CAs) to log all newly issued certificates. Once a certificate has been submitted to a log server, the CA receives a signed certificate timestamp (SCT), which serves as proof of the submission.
In early 2016, Google announced the addition of a new CT log for CAs removed from trusted root certificate programs and for the ones in the process of being included. In November 2016, the company announced plans to make the CT policy in Chrome mandatory.
Initially planned for October 2017, the enforcement became reality this week: all publicly trusted certificates (DV, OV, and EV) issued after April 30 need to be CT-compliant. Certificates that fail to comply with the policy won’t be considered trusted (this doesn’t apply to certificates issued by locally trusted or enterprise CAs that have been added by users or administrators).
“Chrome will start enforcing that all TLS certificates issued after April 18 comply with the Chromium CT Policy in order to be trusted,” Google engineer Devon O'Brien notes in a post on Google Groups.
When Chrome encounters a TLS server certificate issued after April 30, 2018 that is not CT-compliant, it will display a full-page interstitial indicating that the connection is not CT-compliant. Sub-resources served over HTTPS connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools.
The changes will first roll out to the desktop versions of the browser, meaning that macOS, Windows, Linux, and ChromeOS users will be the first to see the warning.
“CAs are strongly encouraged to work with their customers to ensure their TLS certificates are ready to comply with the Chromium CT Policy via any of the three means specified in RFC 6962 Section 3.3,” O'Brien continued.
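The SCT described above is the object a CA must deliver by one of the three RFC 6962 Section 3.3 mechanisms (embedded in the certificate, in a TLS extension, or in a stapled OCSP response), and all three carry the same SignedCertificateTimestampList wire structure. As an added example that is not part of the article, the Python below decodes that structure so an operator can see which logs and timestamps a certificate carries before relying on it; the log IDs, timestamps and signature bytes in the sample are constructed placeholders, and no signature verification is performed.

```python
import struct
from datetime import datetime, timezone

def _u16(buf, off):
    # Big-endian uint16 at off; returns (value, next offset)
    return struct.unpack_from(">H", buf, off)[0], off + 2

def parse_sct(raw):
    """Decode one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if raw[0] != 0:                       # v1 is the only defined version
        raise ValueError("unsupported SCT version %d" % raw[0])
    log_id = raw[1:33]                    # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack_from(">Q", raw, 33)
    ext_len, off = _u16(raw, 41)          # CtExtensions, empty in v1
    # skip the extension bytes and the 2 signature-algorithm bytes
    sig_len, off = _u16(raw, off + ext_len + 2)
    if off + sig_len != len(raw):
        raise ValueError("SCT length does not match its contents")
    return {"log_id": log_id.hex(), "timestamp_ms": ts_ms, "signature": raw[off:off + sig_len],
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)}

def parse_sct_list(blob):
    """Decode a SignedCertificateTimestampList: the same structure carried by the
    X.509 extension 1.3.6.1.4.1.11129.2.4.2, the TLS extension and the OCSP extension."""
    total, off = _u16(blob, 0)
    if off + total != len(blob):
        raise ValueError("SCT list length does not match blob size")
    scts = []
    while off < len(blob):
        n, off = _u16(blob, off)
        scts.append(parse_sct(blob[off:off + n]))
        off += n
    return scts

def distinct_logs(scts):
    """Number of different logs vouching for the certificate."""
    return len({s["log_id"] for s in scts})

def build_sct(log_id, ts_ms, signature):
    """Serialize a v1 SCT with empty extensions (used only to build sample input)."""
    body = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)
    return struct.pack(">H", len(body)) + body

# Constructed sample: two SCTs from two placeholder logs, both timestamped
# 1 May 2018 UTC; the signature bytes are dummies, not a real ECDSA signature.
_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"
_BODY = (build_sct(b"\x11" * 32, 1525132800000, _SIG)
         + build_sct(b"\x22" * 32, 1525132801234, _SIG))
SAMPLE_SCT_LIST = struct.pack(">H", len(_BODY)) + _BODY
```

Running `parse_sct_list(SAMPLE_SCT_LIST)` returns the two decoded SCTs; a certificate's real SCT list can be fed in the same way after extracting the extension's OCTET STRING payload.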
Enterprises can, however, disable CT enforcement on managed devices and for managed users who have signed in to Chrome on their personal devices. Chrome will also add a policy allowing them to disable CT enforcement for CAs that only issue certificates to that organization.
“CAs issuing TLS certificates with embedded SCTs should ensure they are compliant with the requirements of Qualifying Certificates in the Chromium CT Policy in order to maintain functionality in Chrome. Enforcement of CT compliance will only apply to certificates issued after April 18; certificates issued before this date are unaffected,” O'Brien explains.
Many CAs are already logging certificates in public CT logs and are sharing data with each other, meaning that the new policy enforcement should have only a small impact on users.