Certificate Transparency on SSLs

peter-martin

What is Certificate Transparency?

Details on this new technology are still quite confusing so we’ve tried to explain it in plain English as much as possible.

Certificate Transparency is a method for checking the validity of SSL certificates on web sites. It has been introduced because, over the past few years, hackers have managed to get SSLs issued for bogus domains like banskfamerica.com and emergencypaypal.net. Combined with a green padlock, such a certificate makes it very easy for a customer to be duped into handing over personal data.

Therefore, Google has decided to implement an additional layer of security called Certificate Transparency, or CT for short. It works by holding a public, append-only log of issued SSLs. This log is open for anyone to read and scrutinise, the idea being that large brands like PayPal and Bank of America can monitor it and report SSLs that are bogus.

Browsers will then check this log and display a warning for SSL certificates that are either not in the log or have been verified as bogus.

At this stage it’s only been implemented by Google in Chrome. Roughly 30% of the UK browser market runs on Chrome so it could potentially have a big impact.

How does this affect me?

It’s still early days but there shouldn’t be any impact for any Nimbus customers. All SSLs issued by Nimbus from the 1st of June 2016 will be compatible with CT. There have been no cost increases associated with this change and it’s unlikely that there will be any in the future.

You can use a third-party tool like https://sslmate.com/certspotter/ to monitor the CT logs for your company name or similar-sounding names, but we would only recommend this if you are a large brand that might be an easy target for a hacker.
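As an added example (not Nimbus's or Cert Spotter's code), the script below shows the kind of check such a monitor performs: it takes a constructed batch of DNS names as they might appear in CT log entries and flags names that contain, or sit within a couple of edits of, a watched brand, while ignoring the brand's own domains. The watch list and sample entries are made-up inputs for the example; a real monitor would pull the names from a public log's API.

```python
"""Flag lookalike names in a batch of CT log entries (added example)."""
from typing import Dict, List

# Brands to watch and the domains they legitimately own (constructed).
WATCH_LIST = {
    "paypal": {"paypal.com"},
    "bankofamerica": {"bankofamerica.com"},
}


def registrable(name: str) -> str:
    """Reduce a (possibly wildcard) DNS name to its last two labels.
    Simplification: ignores multi-part suffixes such as co.uk."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats like banskfamerica."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious(names: List[str], watch=WATCH_LIST, max_dist: int = 2) -> Dict[str, str]:
    """Return {dns_name: reason} for names resembling a watched brand
    that are not one of the brand's own domains."""
    hits = {}
    for name in names:
        dom = registrable(name)
        sld = dom.split(".")[0]  # second-level label, e.g. "banskfamerica"
        for brand, owned in watch.items():
            if dom in owned:
                break  # legitimate issuance, nothing to report
            if brand in sld:
                hits[name] = f"contains brand '{brand}'"
                break
            if edit_distance(sld, brand) <= max_dist:
                hits[name] = f"within {max_dist} edits of '{brand}'"
                break
    return hits


# Constructed sample of names as they might appear in CT log entries.
SAMPLE_ENTRIES = [
    "www.paypal.com", "emergencypaypal.net", "banskfamerica.com",
    "*.bankofamerica.com", "nimbushosting.co.uk", "secure-paypal-login.info",
]

if __name__ == "__main__":
    for name, why in suspicious(SAMPLE_ENTRIES).items():
        print(f"{name}: {why}")
```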

Internal Domains

If you use an internal domain like nimbushosting.internal or nim.local that is covered by an SSL, it may start flagging an error. The easiest ways to fix this are to use an alternative browser or to add a CT exception in Chrome. Thankfully this is really only going to affect large corporates.

The CT technology is still evolving and none of the other browsers have adopted it yet, so it's possible that the technology, or how it is implemented, will change.
