Google Adds Certificate Transparency Log for Untrusted CAs

Google announced this week the introduction of a new Certificate Transparency (CT) log for certificate authorities (CAs) that have been removed from trusted root certificate programs and ones that are in the process of being included.

The goal of the Certificate Transparency project is to provide an open framework for monitoring SSL certificates. CT makes it possible to quickly detect certificates that have been issued by mistake or for malicious purposes, and identify rogue CAs.

Google has now decided to expand CT with logs that track previously trusted CAs and new CAs that are in the process of being included in browser-trusted root programs.

The search giant has pointed out that including these CAs in trusted logs can be problematic due to revocation policies and the possibility of cross-signing attacks. That is why the new log, dubbed “submariner,” is not trusted by Chrome, although it is listed in the Known Logs page and has the same API as existing logs.

For the time being, the new CT log includes the certificates chaining up to the root certificates recently discontinued by Symantec, and certificates that are pending inclusion in Mozilla products.

Recommendations for additional certificates that should be included in the new CT log can be sent to google-ct-logs(at)googlegroups.com.

“Everyone is welcome to make use of the log to submit certificates and query data. We hope it will prove useful and help to improve web security,” Martin Smith, CT software engineer at Google, said in a blog post.

Google announced last week that it started tracking the use of HTTPS on the world’s top 100 websites. The new service also includes a certificate transparency feature that allows users and administrators to check the name of the certificate issuer for a specified website.

Related Reading: Let’s Encrypt Issues More Than 1 Million Digital Certificates

Related Reading: Amazon Offers Free SSL/TLS Certificates