Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates
Quote: Starting today, the Google Chrome browser will show a full-page warning whenever users are accessing an HTTPS website that's using an SSL certificate that has not been logged in a public Certificate Transparency (CT) log.

By doing so, Chrome becomes the first browser to implement support for the Certificate Transparency Log Policy. Other browser makers have also agreed to support this mechanism in the future, albeit they have not provided more details.

This new policy was first proposed by Google engineers in 2016, and was scheduled to enter into effect in October 2017, but was later delayed for 2018.

CAs must log all newly issued SSL certificates
The CT logging policy dictates that Certificate Authorities (CAs) —the organizations that issue SSL certificates for supporting HTTPS connections— must publish logs with all the SSL certificates they have issued each day.

These logs must be public, so browser makers, fellow CAs, or independent researchers can freely investigate instances of misissued certificates at any time.

CAs have always kept logs of the certificates they issued, but these were private and only made available to browser makers when they were investigating instances of certificate misissuance.

Most CAs are publishing CT logs already
With a market share of over 60 percent, most CAs saw the writing on the wall and began publishing public CT logs starting last year when it became evident that Google was set to implement this new policy in Chrome.

"Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy," Google engineer Devon O'Brien wrote in a Google Groups discussion earlier this year when he announced the new deadline.

"After this date, when Chrome connects to a site serving a publicly-trusted certificate that is not compliant with the Chromium CT Policy, users will begin seeing a full page interstitial indicating their connection is not CT-compliant," O'Brien added. "Sub-resources served over HTTPS connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools."

These changes have rolled out to Chrome desktop platforms first, which include Chrome for ChromeOS, Linux, macOS, and Windows.

Google engineers have also added a Chrome policy flag that allows sysadmins to disable the CT log-checking behavior in instances where Chrome is deployed inside an intranet.

New CT policy is not retroactive
The new CT policy is not retroactive. This means that older certs issued before today that have not been recorded in a CT log will continue to work.

But if a CA has issued a new SSL cert starting today and has not recorded it in a public CT log, Chrome will show an error.

The good news is that many CAs have started logging certificates in public logs and sharing data with each other. Merkle Town (operated by CloudFlare) and Crt.sh (operated by Comodo) are two websites that aggregate CT logs.

Such tools have been instrumental earlier this year when a user noticed that the South Korean government-controlled CA had misissued an SSL certificate for the entire *.go.kr top-level domain, allowing its operator to intercept traffic for all websites using that TLD. That discovery was made by an independent security researcher, and with public CT logs now becoming a de-facto standard, expect more cases like this to surface in the future.

SOURCE
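As an added example (not from the article or the forum post), the following Python parses the RFC 6962 SignedCertificateTimestampList structure that a CA embeds in a certificate (the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2) and applies the post's cutoff rule: a certificate issued after 30 April 2018 with no embedded SCTs is what triggers the Chrome interstitial. The SCT bytes, log IDs and signatures are constructed for the demo; the Chromium CT Policy's per-certificate SCT-count rules are not modeled.

```python
import struct
from datetime import date

# Chrome applies its CT policy to certificates issued after this date (from the post).
CT_ENFORCEMENT_START = date(2018, 4, 30)


def chrome_ct_policy_applies(not_before: date) -> bool:
    """True if Chrome's CT requirement covers a cert with this notBefore date."""
    return not_before > CT_ENFORCEMENT_START


def parse_sct_list(blob: bytes) -> list:
    """Parse an RFC 6962 SCT list: 2-byte total length, then 2-byte-length-prefixed
    SCTs, each = version(1) | log_id(32) | timestamp_ms(8) | extensions(2+n) | signature."""
    (total,) = struct.unpack_from("!H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, scts = 2, []
    while pos < 2 + total:
        (n,) = struct.unpack_from("!H", blob, pos)
        sct = blob[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) != n or n < 1 + 32 + 8 + 2 + 4:
            raise ValueError("truncated SCT")
        (ts,) = struct.unpack_from("!Q", sct, 33)
        (ext_len,) = struct.unpack_from("!H", sct, 41)
        sig = sct[43 + ext_len:]  # hash alg(1) | sig alg(1) | sig len(2) | sig
        if struct.unpack_from("!H", sig, 2)[0] != len(sig) - 4:
            raise ValueError("malformed SCT signature field")
        scts.append({"version": sct[0], "log_id": sct[1:33].hex(), "timestamp_ms": ts})
    return scts


def assess(not_before: date, sct_blob: bytes) -> str:
    """Apply the post's rule: certs issued after the cutoff must be CT-logged."""
    if not chrome_ct_policy_applies(not_before):
        return "exempt: issued on or before 30 April 2018"
    scts = parse_sct_list(sct_blob) if sct_blob else []
    if not scts:
        return "non-compliant: no embedded SCTs, Chrome shows the CT interstitial"
    return f"logged: {len(scts)} embedded SCT(s) from {len({s['log_id'] for s in scts})} log(s)"


def build_sct(log_id: bytes, ts_ms: int) -> bytes:
    """Build a constructed (not real) v1 SCT with a dummy 8-byte ECDSA/SHA-256 signature."""
    sig = bytes([4, 3]) + struct.pack("!H", 8) + b"\x00" * 8
    body = bytes([0]) + log_id + struct.pack("!Q", ts_ms) + struct.pack("!H", 0) + sig
    return struct.pack("!H", len(body)) + body


# Constructed sample: two SCTs from two different (fake) logs, timestamps 1 May 2018.
SAMPLE_SCTS = build_sct(b"\x01" * 32, 1525132800000) + build_sct(b"\x02" * 32, 1525132801000)
SAMPLE_LIST = struct.pack("!H", len(SAMPLE_SCTS)) + SAMPLE_SCTS
```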