With this change, Chrome becomes the first browser to enforce a Certificate Transparency (CT) log policy. Other browser vendors are expected to follow, although none of them has given a timeline yet.
The policy was first proposed by Google engineers in 2016. It was originally scheduled to take effect in October 2017 and was later pushed back to 2018.
Chrome will issue warnings for SSL certificates lacking Certificate Transparency (CT)
Digital certificate providers (CAs) must log all newly issued SSL certificates
The CT log policy requires Certificate Authorities (CAs), the organizations that issue SSL certificates for HTTPS connections, to record every certificate they issue in CT logs.
These logs must be public, so that browser vendors, other CAs and independent researchers can audit them at any time and spot mis-issued or unexpected certificates.
Until now, CAs have kept their issuance records private and shared them with browser vendors only when a certificate problem was being investigated.
Most CAs are currently publishing CT logs
Chrome, with a market share above 60%, is the first to enforce this. 'Chrome will require all TLS server certificates issued after April 30, 2018, to comply with the Chromium CT Policy,' wrote Google engineer Devon O'Brien in a Google Groups thread earlier this year.
'After April 30, 2018, when Chrome connects to websites distributing publicly trusted certificates not adhering to the Chromium CT Policy, users will start seeing full-page warnings indicating their connection is not CT-compliant,' O'Brien emphasized. 'Resources served over HTTPS connections that do not comply with CT will be unable to load and will display error messages in Chrome DevTools,' he added.
Initially the change applies to desktop Chrome: ChromeOS, Linux, macOS and Windows.
Google engineers have also added enterprise policies that let administrators turn off CT enforcement for Chrome deployments on internal networks, for example for certificates issued by an internal CA that is never logged publicly.
The new CT policy is not retroactive
The new policy is not retroactive: certificates issued before today that were never logged in CT will keep working.
However, if a CA issues a new SSL certificate from today on and does not log it in public CT logs, Chrome will show the error described above.
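The rule described above (certificates issued after April 30, 2018 must carry SCTs from enough distinct logs for their lifetime, with at least one Google-operated and one non-Google log) can be checked offline against the SCT list a CA embeds in the certificate. The following Python is an added example, not code from the article or from Chromium: it parses the RFC 6962 SignedCertificateTimestampList structure that the 1.3.6.1.4.1.11129.2.4.2 extension carries, using only the standard library, and applies the Chromium policy's per-lifetime SCT minimum. The log identifiers, the Google/non-Google operator mapping, the timestamps and the signature bytes are constructed for the example; SCT signatures are parsed but not verified here, whereas Chrome verifies them against each log's public key.

```python
import struct
from datetime import date, datetime, timezone

# Chrome requires CT for certificates issued after April 30, 2018.
CT_REQUIRED_FROM = date(2018, 5, 1)

# Constructed log identifiers for this example. Real log IDs are the SHA-256
# of the log's public key and come from the log list Chrome ships.
GOOGLE_LOG_A = b"\x01" * 32
GOOGLE_LOG_B = b"\x02" * 32
OTHER_LOG_A = b"\x03" * 32
OTHER_LOG_B = b"\x04" * 32
GOOGLE_LOGS = {GOOGLE_LOG_A, GOOGLE_LOG_B}   # assumed operator mapping


def parse_sct_list(blob: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (the OCTET STRING
    payload of the 1.3.6.1.4.1.11129.2.4.2 extension) into a list of dicts."""
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, scts = 2, []
    while pos < len(blob):
        (n,) = struct.unpack("!H", blob[pos:pos + 2])
        sct, pos = blob[pos + 2:pos + 2 + n], pos + 2 + n
        if len(sct) != n or n < 47:           # 47 = smallest possible v1 SCT
            raise ValueError("truncated SCT")
        if sct[0] != 0:                       # sct_version v1 is encoded as 0
            raise ValueError(f"unsupported SCT version {sct[0]}")
        log_id = sct[1:33]
        (ts_ms,) = struct.unpack("!Q", sct[33:41])
        (ext_len,) = struct.unpack("!H", sct[41:43])
        off = 43 + ext_len                    # start of the digitally-signed part
        hash_alg, sig_alg = sct[off], sct[off + 1]
        (sig_len,) = struct.unpack("!H", sct[off + 2:off + 4])
        sig = sct[off + 4:off + 4 + sig_len]
        if len(sig) != sig_len:
            raise ValueError("truncated SCT signature")
        scts.append({
            "log_id": log_id,
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig,
        })
    return scts


def required_scts(not_before: date, not_after: date) -> int:
    """Minimum embedded SCTs from distinct logs under the Chromium CT policy,
    by certificate lifetime (counted in whole months, a simplification)."""
    months = (not_after.year - not_before.year) * 12 + not_after.month - not_before.month
    if months < 15:
        return 2
    if months <= 27:
        return 3
    if months <= 39:
        return 4
    return 5


def check_ct_compliance(not_before: date, not_after: date, sct_blob: bytes):
    """Return (ok, reason) for a certificate's embedded SCT extension payload."""
    if not_before < CT_REQUIRED_FROM:
        return True, "issued before May 1, 2018: CT not required"
    try:
        scts = parse_sct_list(sct_blob)
    except (ValueError, struct.error) as e:
        return False, f"malformed SCT list: {e}"
    logs = {s["log_id"] for s in scts}        # policy counts distinct logs, not SCTs
    need = required_scts(not_before, not_after)
    if len(logs) < need:
        return False, f"{len(logs)} distinct log(s), policy needs {need}"
    google = logs & GOOGLE_LOGS
    if not google or google == logs:
        return False, "need at least one Google-operated and one other log"
    return True, f"{len(logs)} SCTs from distinct logs satisfy the policy"


def build_sct(log_id: bytes, ts_ms: int, signature: bytes = b"\x30\x02\x00\x00") -> bytes:
    """Serialize one v1 SCT with no extensions; the signature bytes are a
    constructed placeholder, tagged as sha256 (4) / ecdsa (3)."""
    return (b"\x00" + log_id + struct.pack("!Q", ts_ms) + b"\x00\x00"
            + bytes([4, 3]) + struct.pack("!H", len(signature)) + signature)


def build_sct_list(scts: list) -> bytes:
    inner = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(inner)) + inner


# Constructed sample extension payloads (timestamp 2018-05-01T00:00:00Z).
TS = 1525132800000
SAMPLE_OK = build_sct_list([build_sct(GOOGLE_LOG_A, TS), build_sct(OTHER_LOG_A, TS)])
SAMPLE_ONE_LOG = build_sct_list([build_sct(GOOGLE_LOG_A, TS)])
SAMPLE_GOOGLE_ONLY = build_sct_list([build_sct(GOOGLE_LOG_A, TS), build_sct(GOOGLE_LOG_B, TS)])

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("one log", SAMPLE_ONE_LOG),
                       ("google only", SAMPLE_GOOGLE_ONLY), ("empty list", b"\x00\x00")]:
        print(name, check_ct_compliance(date(2018, 5, 1), date(2019, 5, 1), blob))
    print("pre-policy", check_ct_compliance(date(2018, 3, 1), date(2019, 3, 1), SAMPLE_ONE_LOG))
```

The empty-list and one-log cases are the ones that produce the full-page warning O'Brien describes: a certificate issued after the cutoff with no usable SCTs fails even though it chains to a trusted root. A real check would also verify each SCT signature and confirm the log is in Chrome's current log list.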
The good news is that many CAs already log their certificates publicly, and services exist that aggregate the logs for searching. Merkle Town (run by Cloudflare) and crt.sh (run by Comodo) are two such sites.
Tools like these showed their value earlier this year when a government-controlled CA in South Korea issued a wildcard SSL certificate for *.go.kr, a certificate that covers, and could be used to impersonate, every website under that domain.
The certificate was spotted by an independent security researcher, and now that public CT logging is effectively mandatory, more discoveries of this kind are to be expected.
