
Starting today, the Google Chrome browser will show a full-page warning whenever users are accessing an HTTPS website that’s using an SSL certificate that has not been logged in a public Certificate Transparency (CT) log.

By doing so, Chrome becomes the first browser to implement support for the Certificate Transparency Log Policy. Other browser makers have also agreed to support this mechanism in the future, although they have not provided more details.

This new policy was first proposed by Google engineers in 2016 and was scheduled to enter into effect in October 2017, but was later delayed to 2018.

CAs must log all newly issued SSL certificates

The CT logging policy dictates that Certificate Authorities (CAs), the organizations that issue SSL certificates for supporting HTTPS connections, must publish logs with all the SSL certificates they have issued each day.

These logs must be public, so browser makers, fellow CAs, or independent researchers can freely investigate instances of misissued certificates at any time.

CAs have always kept logs of the certificates they issued, but these were private and only made available to browser makers when they were investigating instances of certificate misissuance.

Most CAs are publishing CT logs already

With Chrome holding a market share of over 60 percent, most CAs saw the writing on the wall and began publishing public CT logs last year, when it became evident that Google was set to implement this new policy in Chrome.

“Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy,” Google engineer…