5

I am reading a bit on the certificate transparency project initiated by Google (more info at http://www.certificate-transparency.org). This technology tries to introduce transparency in the creation of CA certificates. Their goal is that all SSL certificates would be logged in multiple, publicly available logs run by independent companies and that browsers would only provide trust to certificates that are logged. Domain owners and interested parties would monitor the logs to detect certificates that were either misissued by the CA or not actually authorized by the organization (source).

I can't find a lot online on the adoption of this technology. Is it really a game changer that in the future will prevent hacks like the digicert incident? Or is this just an initiative that isn't widely adopted?

http://www.certificate-transparency.org/known-logs

KojoUzochi
  • If you want a long read, this article and the associated research paper (16-page PDF) might be interesting for you. They treat CT as well as other mechanisms: 2017-12-21, Johanna Amann et al, [*Mission accomplished? HTTPS security after DigiNotar*](https://blog.apnic.net/2017/12/21/mission-accomplished-https-security-diginotar/) – StackzOfZtuff Jan 26 '18 at 10:44

1 Answer

7

As of today (January 25, 2018), adoption of Certificate Transparency is not ubiquitous, but it is starting to gain momentum. Let's Encrypt logs all their certificates to CT logs, and several major CAs like DigiCert and Comodo run their own CT logs. Google Chrome already displays Certificate Transparency information in its Dev Tools, and Firefox plans to add support in the near future.

Starting in April 2018, Google Chrome plans to start enforcing the use of Certificate Transparency in all newly issued certificates by refusing to treat them as valid unless they're included in at least two distinct, qualified Certificate Transparency logs. Once that happens, Certificate Transparency adoption will undoubtedly take off rapidly, as very few site operators will be willing to use a certificate that is not trusted by Chrome.

Ajedi32
    It is also covered by an RFC: https://www.rfc-editor.org/info/rfc6962 – Patrick Mevzek Jan 25 '18 at 20:12
  • @PatrickMevzek: that RFC doesn't cover any detailed implementation status updates, does it? – KojoUzochi Jan 26 '18 at 09:30
  • No, but that is expected, as it is the role of an RFC: it just specifies a standard. It does not track if and how it is implemented. It is also not changed in any way once published. Some RFCs just get moved to Historic status when it is seen no one will ever implement them. Note that there is an IETF Working Group called TRANS and many things are discussed there related to CT. See https://datatracker.ietf.org/wg/trans/charter/ and https://mailarchive.ietf.org/arch/search/?email_list=trans for the mailing list archive. – Patrick Mevzek Jan 26 '18 at 14:16
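The answer above describes the Chrome policy as "included in at least two distinct, qualified logs", and the comments point to RFC 6962, which defines the structure a browser actually inspects to decide that: the SignedCertificateTimestampList carried in the certificate's SCT extension. The following is an added example (not code from the question, the answer, or the certificate-transparency project) that parses that TLS-style structure as RFC 6962 sections 3.2 and 3.3 lay it out, then counts how many distinct qualified log IDs the SCTs name. The sample SCT lists, log IDs, and signature bytes are constructed for the example, and the `QUALIFIED` set stands in for a client's list of qualified logs; the code assumes the DER OCTET STRING wrapper of the X.509 extension has already been removed.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply a distinct-log policy.

Added example. Sample data is constructed, not taken from a real certificate.
Signatures are NOT verified here; a real client must check each SCT's
signature against the log's public key before counting it.
"""
import struct
from dataclasses import dataclass


@dataclass
class SCT:
    version: int          # RFC 6962 v1 is encoded as 0
    log_id: bytes         # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int     # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int         # TLS HashAlgorithm id (4 = sha256)
    sig_alg: int          # TLS SignatureAlgorithm id (3 = ecdsa)
    signature: bytes


def _read_len_prefixed(buf: bytes, pos: int, width: int) -> tuple[bytes, int]:
    """Read a TLS-style <length><data> field with a `width`-byte length prefix."""
    if pos + width > len(buf):
        raise ValueError("truncated length prefix")
    length = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if pos + length > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + length], pos + length


def parse_sct(raw: bytes) -> SCT:
    """Parse one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(raw) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    version = raw[0]
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = raw[1:33]
    timestamp_ms = struct.unpack(">Q", raw[33:41])[0]
    extensions, pos = _read_len_prefixed(raw, 41, 2)
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    signature, pos = _read_len_prefixed(raw, pos + 2, 2)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(raw: bytes) -> list[SCT]:
    """Parse a SignedCertificateTimestampList (RFC 6962 section 3.3)."""
    body, end = _read_len_prefixed(raw, 0, 2)
    if end != len(raw):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        item, pos = _read_len_prefixed(body, pos, 2)
        scts.append(parse_sct(item))
    return scts


def satisfies_policy(scts: list[SCT], qualified_logs: set[bytes], min_distinct: int = 2) -> bool:
    """True if the SCTs name at least `min_distinct` different qualified logs.

    Two SCTs from the same log count once; SCTs from unknown logs count zero.
    """
    seen = {s.log_id for s in scts if s.log_id in qualified_logs}
    return len(seen) >= min_distinct


# --- Constructed sample data (encoder is only here to build the samples) ---

def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Encode a v1 SCT with no extensions and algorithm ids sha256 (4) / ecdsa (3)."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + b"\x00\x00" + bytes([4, 3])
            + len(signature).to_bytes(2, "big") + signature)


def encode_sct_list(items: list[bytes]) -> bytes:
    body = b"".join(len(s).to_bytes(2, "big") + s for s in items)
    return len(body).to_bytes(2, "big") + body


LOG_A = bytes([0xA1]) * 32          # constructed log id
LOG_B = bytes([0xB2]) * 32          # constructed log id
LOG_C = bytes([0xC3]) * 32          # constructed id of a log the client does not trust
FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # placeholder, not a real signature
TS = 1516838400000                  # 2018-01-25T00:00:00Z in milliseconds
QUALIFIED = {LOG_A, LOG_B}          # stands in for the client's qualified-log list

SAMPLE_TWO_LOGS = encode_sct_list([encode_sct(LOG_A, TS, FAKE_SIG), encode_sct(LOG_B, TS, FAKE_SIG)])
SAMPLE_DUPLICATE = encode_sct_list([encode_sct(LOG_A, TS, FAKE_SIG), encode_sct(LOG_A, TS + 1, FAKE_SIG)])
SAMPLE_UNQUALIFIED = encode_sct_list([encode_sct(LOG_A, TS, FAKE_SIG), encode_sct(LOG_C, TS, FAKE_SIG)])

if __name__ == "__main__":
    for name, blob in [("two logs", SAMPLE_TWO_LOGS), ("same log twice", SAMPLE_DUPLICATE),
                       ("one unqualified", SAMPLE_UNQUALIFIED)]:
        scts = parse_sct_list(blob)
        print(f"{name:16s} logs={[s.log_id[:1].hex() for s in scts]} "
              f"policy_ok={satisfies_policy(scts, QUALIFIED)}")
```

Only the first sample passes: the second carries two SCTs but from a single log, and the third names a log the client does not treat as qualified. Real browser policy has further rules beyond this count (for instance about how the SCTs were delivered and whether each log was qualified at the time of issuance), and the signature over each SCT must be verified before it is counted at all.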