0

When you open up Chrome's DevTools and switch to the Security tab you'll see the message "This request does not comply with Chrome's Certificate Transparency policy." on some origins. (Example: https://de.ioam.de when you visit https://www.sportschau.de/index.html)

I know the concept of Certificate Transparency in general but I neither know what Chrome's Certificate Transparency policy is nor do I know what the impact of this statement is.

Obviously Chrome establishes the https connection to this host, but what's wrong here?

Will https connections to affected origins be blocked in the future?

HorstKevin

2 Answers

2

Chrome's Certificate Transparency policy describes the number of distinct Google and non-Google logs that the certificate must have been logged to at the time it was issued. Certs with longer lifetimes must be logged to more logs in order to be trusted by Chrome. This is a relatively new enforcement (April 2018) so it only applies to certs issued since that date.

The cert for the domain in question was issued 22-Dec-2017 so Chrome still makes an https connection to the affected origin today. When that cert expires 21-Dec-2020 if the new cert also does not comply with Chrome's CT policy then it will not be trusted.
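To make the "number of distinct logs depends on certificate lifetime" rule concrete, here is an added example (not code from the question or either answer) that parses the SignedCertificateTimestampList structure embedded in a certificate's SCT extension (RFC 6962, OID 1.3.6.1.4.1.11129.2.4.2) and checks it against the lifetime table of Chrome's 2018 CT policy for embedded SCTs: fewer than 15 months needs 2 SCTs, 15 to 27 needs 3, 27 to 39 needs 4, more than 39 needs 5, with at least one Google-operated and one non-Google log among them. The log IDs, the operator map and the SCT bytes are constructed for the example (real log IDs are the SHA-256 of each log's public key and Chrome's qualified-log list changes over time); signatures are parsed but not verified; the certificate dates are the ones quoted in the answer above.

```python
"""Parse an RFC 6962 SCT list and check it against Chrome's 2018 CT policy
for embedded SCTs. Added illustration; log IDs, operator map and SCT bytes
are constructed, signatures are dummies and are not verified."""
import struct
from datetime import date

# Dates quoted in the answer above for the certificate in question.
CERT_NOT_BEFORE = date(2017, 12, 22)
CERT_NOT_AFTER = date(2020, 12, 21)

# Hypothetical log IDs (constructed). Real IDs are SHA-256(log public key).
LOG_A = bytes([0xA1]) * 32
LOG_B = bytes([0xB2]) * 32
LOG_C = bytes([0xC3]) * 32
LOG_D = bytes([0xD4]) * 32
# Constructed operator map standing in for Chrome's list of qualified logs;
# an SCT from a log not in this map does not count towards the policy.
LOG_OPERATORS = {LOG_A: "Google", LOG_B: "Google",
                 LOG_C: "ExampleLogOperator", LOG_D: "ExampleLogOperator"}


def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    """Serialise one v1 SCT with no extensions and a dummy 64-byte signature
    (hash_alg 4 = sha256, sig_alg 3 = ecdsa), used only to produce test input."""
    body = bytes([0]) + log_id + struct.pack(">Q", timestamp_ms) + struct.pack(">H", 0)
    return body + bytes([4, 3]) + struct.pack(">H", 64) + bytes(64)


def build_sct_list(scts: list) -> bytes:
    """Wrap SCTs as a SignedCertificateTimestampList: uint16 total, then uint16-prefixed items."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


def parse_sct_list(blob: bytes) -> list:
    """Parse a SignedCertificateTimestampList (RFC 6962 section 3.3).
    Each SCT: version(1) log_id(32) timestamp(8) extensions(uint16 + data)
    signature: hash_alg(1) sig_alg(1) uint16 length + signature bytes."""
    (total_len,) = struct.unpack_from(">H", blob, 0)
    if total_len != len(blob) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, scts = 2, []
    while pos < len(blob):
        (sct_len,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        sct = blob[pos:pos + sct_len]
        pos += sct_len
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        p = 0
        version = sct[p]; p += 1
        log_id = sct[p:p + 32]; p += 32
        (ts_ms,) = struct.unpack_from(">Q", sct, p); p += 8
        (ext_len,) = struct.unpack_from(">H", sct, p); p += 2 + ext_len
        hash_alg, sig_alg = sct[p], sct[p + 1]; p += 2
        (sig_len,) = struct.unpack_from(">H", sct, p); p += 2
        signature = sct[p:p + sig_len]; p += sig_len
        if p != sct_len:
            raise ValueError("trailing bytes inside SCT")
        scts.append({"version": version, "log_id": log_id, "timestamp_ms": ts_ms,
                     "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature})
    return scts


def lifetime_months(not_before: date, not_after: date) -> int:
    """Whole calendar months between the validity dates (approximation of the policy's month arithmetic)."""
    months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    return months - 1 if not_after.day < not_before.day else months


def required_sct_count(months: int) -> int:
    """Chrome 2018 CT policy table for SCTs embedded in the certificate."""
    if months < 15:
        return 2
    if months <= 27:
        return 3
    if months <= 39:
        return 4
    return 5


def check_chrome_ct_policy(blob: bytes, not_before: date, not_after: date):
    """Return (compliant, list_of_problems) for an embedded SCT list."""
    qualified = {s["log_id"] for s in parse_sct_list(blob) if s["log_id"] in LOG_OPERATORS}
    operators = {LOG_OPERATORS[lid] for lid in qualified}
    months = lifetime_months(not_before, not_after)
    need = required_sct_count(months)
    problems = []
    if len(qualified) < need:
        problems.append(f"{len(qualified)} distinct qualified logs, policy requires {need} "
                        f"for a {months}-month certificate")
    if "Google" not in operators:
        problems.append("no SCT from a Google-operated log")
    if not (operators - {"Google"}):
        problems.append("no SCT from a non-Google log")
    return (not problems), problems


if __name__ == "__main__":
    three = build_sct_list([build_sct(LOG_A, 1), build_sct(LOG_B, 2), build_sct(LOG_C, 3)])
    print(check_chrome_ct_policy(three, CERT_NOT_BEFORE, CERT_NOT_AFTER))
    four = build_sct_list([build_sct(LOG_A, 1), build_sct(LOG_B, 2),
                           build_sct(LOG_C, 3), build_sct(LOG_D, 4)])
    print(check_chrome_ct_policy(four, CERT_NOT_BEFORE, CERT_NOT_AFTER))
```

With the three-year validity quoted above the table lands in the 27 to 39 month band, so three SCTs are one short and the list with four distinct logs passes; a real check would additionally verify each SCT signature against the log's public key and consult Chrome's current qualified-log list rather than a constructed map.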

0

According to Chrome's certificate transparency policy, all EV certs are required to be CT Qualified to be recognized as EV, and other certs may be required to be CT Qualified basically at their discretion. The example given is that, in response to a security incident at a CA, all certs from that CA may be required to be CT Qualified.

That seems to be slightly dated though, as you can see here in version 68 Chrome started requiring that all certificates issued after April 30, 2018 be CT Qualified.


Basically, due to concern about issues with CAs improperly issuing certificates (Google became quite upset about issues with Symantec when they found out Symantec had improperly issued a cert for www.google.com) Chrome now requires that all certificates be included in CT logs. This doesn't prevent mis-issuance, but it does allow it to be detected much easier.

When Chrome says that a certificate doesn't comply with its Certificate Transparency policy, it just means that it hasn't been included in the proper CT logs. Chrome is essentially trying to tell you "That's a valid certificate for the domain, but it's not in the CT logs, and due to past issues with certificates being mis-issued we don't want to vouch for its authenticity."

AndrolGenhald