The Problem With Certificate Authorities


SSL certificates are an essential component of online security and privacy. They are used to encrypt connections between browsers and hosts, and, just as important, they are used to verify that the host is authorized to serve content from a domain. Without that verification, it is impossible to be certain that a client is connected to the expected domain and not to a malicious host that can read and modify data traveling over the connection.

For SSL certificates to be useful, the identity of the applicant must be verified before a certificate is issued. That is the role of Certificate Authorities. CAs verify the identity of the applicant and that they have legitimate control over a domain: domain validation, organization validation, and extended validation involve increasing levels of scrutiny and stringency.

After validation, Certificate Authorities sign SSL certificates with their root certificate. Browsers trust a limited number of root certificates absolutely. If an SSL certificate is signed by a trusted root certificate, it is trusted by browsers.

Certificate Authorities are the weak link in the chain. If a CA is hacked, subverted, or incompetently managed, it may issue and sign certificates without the permission of a domain’s legitimate owner.

In 2011, Dutch Certificate Authority Diginotar was hacked and illegitimately issued signed certificates for many domains, including Google-owned domains. WoSign and its subsidiary StartCom issued unauthorized certificates for various domains; their root certificates were removed from browsers, causing disruption for their customers. Symantec issued thousands of certificates without the permission of domain owners.

Certificate Transparency provides added accountability for Certificate Authorities and a mechanism for domain owners and browser developers to check whether certificates have been issued without proper authorization.

What Is Certificate Transparency?


Certificate logs are at the heart of Certificate Transparency. Each log is a network service that contains a publicly accessible list of SSL certificates. The logs are append-only — certificates can be added, but not removed — and use advanced cryptographic techniques to guarantee they haven’t been tampered with.

Under Certificate Transparency, Certificate Authorities are required to add every certificate they issue to one or more logs. Domain owners and other interested parties can check the logs to see if certificates have been issued without permission.

The logs are only effective if Certificate Authorities are required to add all the certificates they issue. To motivate Certificate Authorities and protect its users, Google Chrome will no longer trust any certificate that has not been added to a certificate log, even if it has been signed by a CA’s trusted root certificate.

Before Certificate Authorities issue an SSL certificate, they can submit a pre-certificate with the relevant details to a certificate log, which will respond with a Signed Certificate Timestamp (SCT), proof that the certificate has been logged. The SCT should be included in the SSL certificate when it is issued so that browsers can verify that it has been logged. This is the most common way to prove that a certificate has been logged, but there are other techniques, including a TLS extension and OCSP stapling, both of which require a special server configuration, whereas adding the SCT to the certificate “just works”.

The Certificate Transparency framework includes other components, such as monitors that watch certificate logs for suspicious certificates, and auditors, which are software components that can be included in browsers and other software to verify that logs are behaving correctly and that a specific certificate is included in a log.

Benefits of Certificate Transparency


Certificate Transparency addresses a serious problem with the Certificate Authority system, enhancing security and privacy for domain owners and their users and customers.

  • Certificate Logs make it easy for domain owners to discover if a certificate has been issued for their domain by any Certificate Authority.
  • If an SSL certificate is issued without permission by a CA, it won’t be trusted by Google Chrome (and other browsers in the near future).
  • When a Certificate Authority “goes rogue” it will be easier to find and mitigate the problem, limiting risk and disruption.
  • The SSL certificate system isn’t entirely dependent on the trustworthiness of every CA with a trusted root certificate.

In short, Certificate Transparency will make domain owners, server hosting clients, and web users safer.

What should I do to stay protected?

Domain owners should choose a Certificate Authority that supports Certificate Transparency to ensure that visitors to the site using Google Chrome are not presented with a warning message.

We recommend purchasing certificates from Comodo as they fully support Certificate Transparency and have been a trusted Certificate Authority for years.

Looking for more ways to keep your server secure? Contact us today to discuss our extensive server management and security solutions.