What is Certificate Transparency?

Monday, August 17, 2015

Enhancing trust in SSL server certificates with Certificate Transparency (CT).

Figure: What Certificate Transparency looks like

In recent years, there has been a rise in the number of security incidents in which hackers manipulate and mislead Certificate Authorities (CAs) into issuing unauthorized certificates. The latest incident, on 20 March 2015, involved unauthorized digital certificates for several Google domains.

Fake or unauthorized certificates are dangerous because they open the door for hackers to create spoofed websites. Unfortunately, SSL clients such as PC browsers cannot detect these unauthorized certificates, hence the risk of a phishing attack.

CT is a decentralized system of publicly logging, monitoring and auditing certificates that have been issued by any publicly trusted Certificate Authority (CA) and detecting unauthorized certificates at an early stage. CT was collectively invented and piloted by Google and DigiCert – a leading global authentication and encryption provider. DigiCert was the first CA to implement CT and the first to add SSL Certificates to a public CT log.

CT enables users and domain owners to detect certificates that have been mistakenly or maliciously issued. It also identifies the CA that issued the certificates. CT was standardized as “RFC 6962” in 2013.

1. Merits of Certificate Transparency

(1) Early Detection and Faster Migration

CT does not take long to detect unauthorized certificates and completes detection in a few hours. CT enables domain owners to identify any certificates issued without prior approval and/or outside their domain policy. They will then be able to quickly communicate with the CA that issued the certificate to cancel the certificate immediately and call for migration.

(2) Better Insight

CT allows anyone to observe and verify the integrity of the TLS/SSL system. This gives users open access to compare the difference in issuance practices between CAs.

(3) Stronger Security

CT strengthens the chain of trust by providing transparency into the certificate issuance process and informs users about the issued certificates. 

2. How Certificate Transparency Works

CT identifies whether the issued certificate has been authorized or not through the following process.

(1) Before issuing the authorized certificate, the CA issues a pre-certificate, which is registered in a log server.

(2) The log server that registers the pre-certificate sends a Signed Certificate Timestamp (SCT) back to the CA.

(3) The SCT indicates the location where the certificate is registered in the log server. This enables the CA to issue the certificate with evidence that the certificate has been authorized.
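The SCT returned in step (2) is a small binary structure defined in RFC 6962. The Python below is an added example, not code from the original post or from DigiCert: it parses a list of SCTs to show the log ID and timestamp each one carries. The sample bytes are constructed, the function and variable names are illustrative, and the signature is parsed but not verified (that needs the log's public key).

```python
import struct
from datetime import datetime, timezone

HASH_ALGS = {4: "sha256"}          # TLS HashAlgorithm codes (RFC 5246)
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS SignatureAlgorithm codes (RFC 5246)

def parse_sct(buf: bytes) -> dict:
    """Parse one serialized v1 SCT (RFC 6962, section 3.2); signature is not verified."""
    if len(buf) < 47:  # fixed fields: 1 + 32 + 8 + 2 + 1 + 1 + 2 bytes
        raise ValueError("SCT too short")
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", buf, 0)
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    off = 43 + ext_len  # skip the extensions block
    if off + 4 > len(buf):
        raise ValueError("extensions length overruns SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", buf, off)
    if off + 4 + sig_len != len(buf):
        raise ValueError("signature length does not match SCT size")
    return {
        "log_id": log_id.hex(),  # SHA-256 of the log's public key: which log holds the entry
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
        "extensions": buf[43:off],
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature": buf[off + 4:],
    }

def parse_sct_list(buf: bytes) -> list:
    """Parse a SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(buf) < 2 or struct.unpack_from(">H", buf, 0)[0] != len(buf) - 2:
        raise ValueError("outer list length does not match data")
    scts, off = [], 2
    while off < len(buf):
        n = int.from_bytes(buf[off:off + 2], "big")  # per-SCT length prefix
        if off + 2 + n > len(buf):
            raise ValueError("SCT overruns list")
        scts.append(parse_sct(buf[off + 2:off + 2 + n]))
        off += 2 + n
    return scts

# Constructed sample (not from a real log): one SCT with a placeholder signature.
SAMPLE_LOG_ID = bytes(range(32))
sample_sct = struct.pack(">B32sQH", 0, SAMPLE_LOG_ID, 1439769600000, 0) + b"\x04\x03\x00\x08" + b"\xaa" * 8
SAMPLE_LIST = struct.pack(">HH", len(sample_sct) + 2, len(sample_sct)) + sample_sct

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LIST):
        print(sct["log_id"], sct["timestamp"], sct["hash_alg"], sct["sig_alg"])
```
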

More information on the mechanism of CT:

How Certificate Transparency Works:
https://www.digicert.com/certificate-transparency/how-it-works.htm
How to Enable Certificate Transparency (CT):
https://www.digicert.com/certificate-transparency/enabling-ct.htm

3. DigiCert’s Strong Efforts toward Certificate Transparency

DigiCert is committed to Certificate Transparency.

As quoted from DigiCert, 

“DigiCert supports CT and considers it to be a significant improvement in the industry. DigiCert hopes that it becomes adopted for all certificates. DigiCert maintains a robust security infrastructure and follows the highest industry standards in verifying identities and issuing high-assurance SSL/TLS Certificates. Although DigiCert’s high assurance services are designed to prevent misissuance and provide a high degree of validation, DigiCert understands the importance of early detection for server operators and users alike. DigiCert believes that more efforts like CT are important to highlight CAs and help them stand out for their good certificate issuance practices.”
