Certificate Transparency works thanks to the ecosystem of people and organizations who set up and run user agents, logs and monitors. Join us!
Certificate Transparency was a response to the 2011 attack on DigiNotar and other Certificate Authorities. These attacks showed that the lack of transparency in the way CAs operated was a significant risk to the Web Public Key Infrastructure. It led to the creation of this ambitious project to improve security online by bringing accountability to the system that protects HTTPS.
An unknown attacker compromises DigiNotar, a Dutch CA, and issues rogue certificates for numerous domains; over 500 fake certificates are later detected. The certificates are used for man-in-the-middle attacks on traffic from Iran.
U.S. Certificate Authority TrustWave provided a subordinate CA certificate to a customer which could have been used to issue SSL certificates for nearly any domain on the Internet. CA missteps, not only outright compromises, can have severe consequences.
The IETF accepts the Trans Working Group charter and begins work on the CT related RFCs.
Google launches their CT logs pre-populated with the certificates discovered by their web crawler.
The IETF publishes Certificate Transparency as RFC 6962.
DigiCert launches the first non-Google CT log to support the growth of the CT ecosystem.
Chrome announces that all EV certificates issued after January 1, 2015 will be required to be CT logged.
Although CT provides desirable security benefits, no single organization could convince the entire Internet to adopt and benefit from it at once. Similarly, user agents could not begin requiring all websites to support CT at once due to the risk of breaking large numbers of websites. So the members of the CT ecosystem worked together to define the standards and to incrementally deploy and later enforce CT.
crt.sh, a website offering a friendly environment for querying Certificate Transparency logs, is launched.
Facebook announces their Certificate Transparency Monitoring Tool, which allows website owners to monitor the issuance of certificates for domains they own.
COMODO, a UK-based CA, announces its contribution of a CT log to support the CT ecosystem.
CloudFlare launches their Nimbus CT log and Merkle Town, a site making it easy to monitor the CT ecosystem's growth.
Microsoft announces support for Certificate Transparency in Active Directory Certificate Services.
Let’s Encrypt launches Oak, a free and open Certificate Transparency log.
CloudFlare launches a CT log monitoring service to help customers detect misissued certificates for their domains.
DigiCert launches a CT log monitoring service to help customers detect misissued certificates for their domains.
The Certificate Transparency ecosystem has effectively detected and remediated certificate anomalies since 2013. The CT ecosystem works as designed and provides meaningful protection to users.
Products are being launched that help website administrators use CT to protect their brands and their users, and to detect and respond when the CT ecosystem itself is not working as intended. This work is performed by a community and continues today, making the internet safer for everyone.
Facebook announces that CT helped it detect an internal policy violation and advocates for CT being required not only for EV certificates, but for all certificates issued by CAs.
It is discovered that Izenpe, a Spanish CA and log operator, reused their production CT log signing key for test/development purposes and had inadvertently produced a split view of their log: tree heads signed with the production key that cannot all belong to one append-only tree. As a result they are ultimately disqualified as a log operator.
CT reveals that Chinese CA WoSign/StartCom has been backdating certificates; it is later distrusted.
CT reveals that US CA Symantec has misissued thousands of certificates. Ultimately, all major platforms distrust Symantec.
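A split view is exactly what a monitor's consistency check is built to catch. As an added worked example (not code from this page or from any log operator), the block below implements the RFC 6962 Merkle tree hash and consistency proof, and the monitor-side verification algorithm as specified in RFC 9162 section 2.1.4.2 (which verifies RFC 6962 proofs), then runs it against two constructed logs that share one signing key, as in the Izenpe incident: a production log and an unrelated test log. The log contents, the `sth` helper and the `monitor_accepts` function are illustrative assumptions, and the signature check on each tree head is stipulated to have passed, which is precisely why the consistency proof is the only thing left that can expose the problem.

```python
"""Added example: how a CT monitor detects a split view with an RFC 6962
Merkle consistency proof. Not code from the page; log contents are constructed."""
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 2.1: leaves are hashed with a 0x00 prefix ...
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never pose as a node.
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    # Largest power of two strictly smaller than n (n >= 2).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries: list) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def consistency_proof(m: int, entries: list) -> list:
    """PROOF(m, D[n]) from RFC 6962 section 2.1.2: the hashes a log hands a
    monitor so it can confirm the size-m tree is a prefix of the size-n tree."""
    if not 0 < m <= len(entries):
        raise ValueError("m must satisfy 0 < m <= n")
    return _subproof(m, entries, True)


def _subproof(m: int, entries: list, b: bool) -> list:
    n = len(entries)
    if m == n:
        return [] if b else [tree_hash(entries)]
    k = _split_point(n)
    if m <= k:
        return _subproof(m, entries[:k], b) + [tree_hash(entries[k:])]
    return _subproof(m - k, entries[k:], False) + [tree_hash(entries[:k])]


def verify_consistency(first: int, second: int, first_hash: bytes,
                       second_hash: bytes, path: list) -> bool:
    """Monitor-side check (RFC 9162 section 2.1.4.2) needing no log entries."""
    if first == second:
        return not path and first_hash == second_hash
    if not 0 < first < second or not path:
        return False
    path = list(path)
    if first & (first - 1) == 0:          # first is a power of two
        path.insert(0, first_hash)
    fn, sn = first - 1, second - 1
    while fn & 1:                          # drop shared trailing one bits
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False                   # proof longer than the tree allows
        if fn & 1 or fn == sn:
            fr = node_hash(c, fr)          # c is a left sibling in both trees
            sr = node_hash(c, sr)
            if not fn & 1:
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            sr = node_hash(sr, c)          # c exists only in the larger tree
        fn >>= 1
        sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0


def sth(entries: list) -> tuple:
    # A Signed Tree Head reduced to (tree_size, root_hash); the signature is
    # assumed valid, as it was for both of Izenpe's trees (illustrative helper).
    return len(entries), tree_hash(entries)


def monitor_accepts(old_sth: tuple, new_sth: tuple, proof: list) -> bool:
    """True only if new_sth is an append-only extension of old_sth."""
    old_size, old_root = old_sth
    new_size, new_root = new_sth
    if new_size < old_size:
        return False
    return verify_consistency(old_size, new_size, old_root, new_root, proof)


# Constructed log contents: a production log and a test log sharing one key.
PRODUCTION = [b"prod-cert-%d" % i for i in range(7)]
TEST = [b"test-cert-%d" % i for i in range(5)]


def split_view_demo() -> dict:
    seen = sth(PRODUCTION[:3])             # STH the monitor recorded earlier
    return {
        # Honest growth of the same tree: proof verifies.
        "honest_extension": monitor_accepts(seen, sth(PRODUCTION), consistency_proof(3, PRODUCTION)),
        # Tree head from the test log, validly signed: no proof can link it.
        "test_log_extension": monitor_accepts(seen, sth(TEST), consistency_proof(3, TEST)),
        # Two heads of equal size but different roots: a split view outright.
        "same_size_conflict": monitor_accepts(sth(PRODUCTION[:5]), sth(TEST), []),
    }
```

Run `split_view_demo()`: only the honest extension is accepted. The two rejected cases are what a monitor reports, and gossiping tree heads between monitors is what turns "I saw a head this log cannot explain" into public evidence, since a log can otherwise serve a consistent history to each client while showing them different trees.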
In version 68, Chrome began enforcing that all TLS server certificates issued after April 30, 2018 comply with the Chromium CT Policy in order to be trusted. Main-frame pages served over a non-compliant connection began to display a full-page warning, and sub-resources served over a non-compliant connection stopped loading.
All TLS certificates issued after October 15, 2018 must meet Apple’s Certificate Transparency (CT) policy in order to be trusted on Apple platforms.
A French CA is found to have misissued numerous certificates and is distrusted.