The security of online eCommerce transactions depends on SSL certificates and a system of validation by Certificate Authorities. The math behind SSL / TLS cryptography is sound if used properly, but the entire system depends on Certificate Authorities behaving as expected. They issue certificates, validate the identity of applicants, and make sure the SSL system isn’t abused. Every time a shopper makes a purchase from an eCommerce merchant, they implicitly trust the Certificate Authorities. That’s a problem, because although most Certificate Authorities deserve the trust they’re given, some do not.
Recently it was revealed Certificate Authority WoSign had persistently broken the rules that exist to keep web users safe. Over a period of several years, they had abused the trust placed in them. Browser developers reacted quickly to prevent any further damage, but that’s a case of closing the barn door after the horse has bolted.
What the web really needs is a way to make sure Certificate Authorities are doing their job properly, a monitoring system that would make any malfeasance immediately obvious.
That’s the goal of Certificate Transparency, a project from Google that aims to make Certificate Authorities open to scrutiny. Certificate Transparency is intended to make it difficult for CAs to issue certificates for a domain without the owner of that domain knowing about it. At the moment, any Certificate Authority can issue a certificate for any domain, and there’s no straightforward way for the domain owner to find out.
Certificate Transparency provides a monitoring system for all issued certificates — a log of all certificates that anyone can query. The logs are append-only lists of all certificates issued by CAs. They can be queried by anyone, so if a domain owner wants to know if a CA has maliciously or accidentally issued a certificate for their domain, they can simply send a request to the log.
Certificate Transparency will keep CAs honest by making it easy to find out when they’re behaving dishonestly or incompetently.
It’s possible to dream up any number of systems that would make the web safer and more secure, but it’s a pointless exercise if the major stakeholders, especially browser vendors, don’t act.
The good news is that starting from next year, Google intends to make Certificate Transparency mandatory. If CAs want Google’s Chrome browser to trust their certificates, they’ll have to comply with Chrome’s Certificate Transparency policy. All certificates issued after October 2017 will have to comply.
October 2017 is almost a year away, and there are any number of reasons that deadline might slip, but it’s encouraging that at least one major browser developer is being proactive about the problem of untrustworthy Certificate Authorities.
eCommerce shoppers and retailers — and everyone else who uses the web — must be able to trust that their private data won’t be delivered into the hands of criminals and others who would use it maliciously. Certificate Transparency is a welcome move in that direction.