Certificate Transparency — The bright side and the dark side

This post is the first in a series of three posts about this technical but extremely important topic. We will update the link to the second post once we publish it.
At Appsecco we look at the world pragmatically and are always keen to understand every aspect of anything relevant to security, so we decided to take a close look at Certificate Transparency, a project initiated by Google.
What is Certificate Transparency?
The Certificate Transparency project, CT for short, logs, audits and monitors the certificates that Certificate Authorities (CAs) issue. Its primary aim is to ensure that a CA can no longer issue a certificate for a domain without the domain owner being able to find out: CT does not stop misissuance outright, it makes misissuance visible.
Before we proceed, it will be helpful to revisit key terms:
Certificate Authority
A Certificate Authority (CA) is an entity that issues digital certificates. It acts as a trusted third party: both the owner of the certificate and the party relying on it trust the CA to have verified the identity it certifies. CAs therefore play a critical role in how the Internet operates and in how trusted transactions can take place.
Digital Certificates
Digital certificates are small, verifiable data files that carry identity credentials so that websites, people and devices can prove who they are online. In the context of this post we care about SSL/TLS certificates, a type of digital certificate that binds a web server’s identity (its domain name) to a public key and is signed by a CA.
Why did Google come up with Certificate Transparency?
Google’s Certificate Transparency project tries to fix several structural flaws in the SSL/TLS certificate system, above all the fact that any trusted CA can issue a certificate for any domain, so a compromised, coerced or careless CA can mint a certificate that every browser will accept. The project gained urgency because of incidents like the following:
- In December 2013, Google announced that it had found unauthorised certificates for several Google domains, issued by an intermediate CA that chained up to ANSSI, the French government’s network and information security agency. ANSSI attributed the incident to human error. Google’s announcement stressed the importance of CT:
“This incident represents a serious breach and demonstrates why Certificate Transparency, which we developed in 2011 and have been advocating for since, is so critical.”
- In late December 2012, Chrome detected an unauthorised certificate for “*.google.com” issued by an intermediate CA that chained up to TURKTRUST, a Turkish certificate authority; Google announced the incident in January 2013. The issue was caught by Chrome’s certificate pinning: Chrome ships a built-in list of the CAs (more precisely, the public keys) permitted to issue certificates for Google’s domains and rejects certificates from any other issuer, even one the operating system otherwise trusts.
- In August 2011, Google announced that a fraudulent certificate for “*.google.com” had been issued by DigiNotar, a Dutch root CA that Google had never used. Attackers had compromised DigiNotar’s infrastructure and issued hundreds of unauthorised certificates; the Google one was used to intercept traffic to Google services, mainly from users in Iran, and once again it was Chrome’s pinning that exposed it.
Certificate Transparency — Where is it now?
CT is now an open Internet Engineering Task Force (IETF) standard, published as RFC 6962, for logging, monitoring and auditing the certificates that publicly trusted CAs issue. Every certificate is submitted to public, append-only logs; monitors watch those logs for certificates issued for the domains they care about, and auditors check that the logs themselves are consistent and have not dropped or rewritten entries. Together these let website users and domain owners spot certificates that were issued by mistake or, worse, maliciously, and trace them back to the CA responsible.
The idea behind CT is to make the issuance of X.509 certificates publicly visible and so better protect users: a bogus certificate can still be issued, but it can no longer be issued in secret.
In the next post, we will look at the bright side of Certificate Transparency and the problems it is trying to solve in more detail.
At Appsecco we provide advice, testing, training and insight around software and website security, especially anything that’s online, and its associated hosting infrastructure — Websites, e-commerce sites, online platforms, mobile technology, web-based services etc.
If something is accessible from the internet or a person’s computer we can help make sure it is safe and secure.