Monitor Your Domains with Certificate Transparency

Bruce Morton

Over the last few years, we’ve witnessed publicly trusted SSL certificates issued to domain names that were not authorized. These mis-issuances are typically caused by attackers or simply by a mistake at a certification authority (CA).

Mis-issuance has so far been detected in an ad hoc manner. Typically, when someone discovers a suspicious certificate, they may report it and it may be investigated. Eventually, the root of the problem is found and the case is resolved. However, there is no monitoring, and no system to help ensure that the same problem won’t happen again in the future.

Engineers at Google have proposed Certificate Transparency (CT). The proposed specification for CT is documented in RFC 6962. This RFC will likely be updated and a new version released by the IETF.

The goal of CT is to record all SSL certificates in many publicly available logs. Trust would be granted only to logged certificates. The logs would be publicly auditable, and would be monitored to detect when a certificate is issued for any given domain name.

This will be a huge benefit for the Internet, as the solution scales to all domains and all domain name owners, regardless of their size or how their site is used. Domain name owners will be able to monitor the logs, most likely as a service offered to them by a third party such as a large search engine firm or their CA.

Google is pushing to start CT with extended validation (EV) certificates in February 2015. Their plan is to only allow the EV indication in Chrome if the EV certificate has been logged using the CT methodology.

As such, the CAs are working to support the CT requirement and are doing the following:

  • All current EV certificates that will still be valid in 2015 will be whitelisted in the CT logs.
  • Implementation of CT for all EV certificates that are issued in 2015. In most cases, the CT implementation will start in 2014.
  • Some certificate subscribers may be concerned that they have certificates issued to internal domain names. In this case, the subscriber will be given the option to choose privacy for these certificates and the full domain name will not be logged.

Once CT has been deployed for EV certificates, we will see firms provide monitoring functions. So even if the other browsers do not support CT and still accept unlogged certificates, the logs can still be monitored.

We expect that if the EV certificate project goes well, the requirement will be extended to all SSL certificates at a future date. Eventually all SSL certificates deployed will be monitored through CT, and domain owners will know if a certificate is ever mis-issued for a domain name they own.

Updated October 6, 2014: Entrust will be deploying Certificate Transparency in December 2014. At that time the following will occur:

  • All new EV SSL certificates will include the signed certificate timestamp (SCT) and will be logged in a public log.
  • All existing non-expired EV SSL certificates will be submitted to Google to be included in a public log.
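
As an added example (not part of the original post or of Entrust’s own code), here is a stdlib-only Python parser for the SCT list that RFC 6962 section 3.3 defines for the X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2), which is how the SCT in the first bullet is carried inside a certificate. The log ID, timestamp and signature bytes in the sample are constructed placeholders, and the outer DER OCTET STRING wrapper of the extension is assumed to have been stripped already.

```python
"""Decode the RFC 6962 SignedCertificateTimestampList from the X.509 SCT extension."""
import struct
from datetime import datetime, timezone

SCT_VERSION_V1 = 0
HASH_ALGS = {4: "sha256"}          # TLS HashAlgorithm values used by CT
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS SignatureAlgorithm values used by CT


def _read_vec16(buf, off):
    """Read a TLS opaque<0..2^16-1> vector; return (bytes, new_offset)."""
    (length,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + length > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[off:off + length], off + length


def parse_sct(raw):
    """Decode one SerializedSCT (version, log ID, timestamp, extensions, signature)."""
    if len(raw) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    if raw[0] != SCT_VERSION_V1:
        raise ValueError("unsupported SCT version %d" % raw[0])
    log_id = raw[1:33]                                  # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack_from("!Q", raw, 33)        # milliseconds since the epoch
    extensions, off = _read_vec16(raw, 41)
    hash_alg, sig_alg = raw[off], raw[off + 1]          # SignatureAndHashAlgorithm
    signature, off = _read_vec16(raw, off + 2)
    if off != len(raw):
        raise ValueError("trailing bytes after SCT")
    return {"version": raw[0], "log_id": log_id.hex(),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "extensions": extensions, "signature": signature,
            "hash_alg": HASH_ALGS.get(hash_alg, "unknown(%d)" % hash_alg),
            "sig_alg": SIG_ALGS.get(sig_alg, "unknown(%d)" % sig_alg)}


def parse_sct_list(ext_value):
    """Decode the SignedCertificateTimestampList; rejects truncated or padded input."""
    sct_list, off = _read_vec16(ext_value, 0)
    if off != len(ext_value):
        raise ValueError("trailing bytes after SCT list")
    scts, off = [], 0
    while off < len(sct_list):
        raw, off = _read_vec16(sct_list, off)
        scts.append(parse_sct(raw))
    return scts


# Constructed sample: one v1 SCT with a placeholder log ID (0xAB * 32), a timestamp of
# 2014-12-01T00:00:00Z, no extensions, sha256/ecdsa and a dummy 3-byte signature.
_sct = (bytes([SCT_VERSION_V1]) + bytes([0xAB]) * 32 + struct.pack("!Q", 1417392000000)
        + b"\x00\x00" + bytes([4, 3]) + struct.pack("!H", 3) + b"\x30\x01\x00")
SAMPLE_EXTENSION = struct.pack("!H", len(_sct) + 2) + struct.pack("!H", len(_sct)) + _sct
```

A monitor would compare each decoded log ID against the set of logs it trusts and then fetch that log’s entries to confirm the certificate is really there.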

Google has determined there will be no privacy for EV SSL certificates using internal domain names. All certificates will be logged with complete contents.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


  1. Jerry Lerman February 23, 2015

    Just curious about EV and Superfish. Were Lenovo users still seeing EV indication (green locks) in Chrome and Firefox when their traffic was being intercepted by Superfish? I would assume not, but I don’t see EV mentioned in relation to Superfish in any articles.

    • Bruce Morton (Author) February 24, 2015

      If the Lenovo user went to an EV site, then Superfish would proxy the communication. Since Superfish has its own root certificate which is not EV compliant, it could not issue an EV certificate or any certificate which would provide the EV indication. As such, the Lenovo user would not see the EV green indication. Also, Certificate Transparency will not be used for any certificate signed by the Superfish private key.
