Google Chrome Leads Digital Certificate Clean Up

The Google Chrome browser is being equipped with transparency logs that are designed to prevent potentially costly digital certificate errors by Certificate Authorities (CAs) and to guard against cyber-criminals issuing their own certificates.

Stopping Misuse

The move has been designed to improve all-round transparency, and to better protect both users and companies from becoming victims of certificate misuse.

Triggers A Warning Message If Not Logged

The change means that all CAs must now log every digital certificate they issue in Certificate Transparency logs, so that any website with a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate that isn’t logged will trigger a browser warning. The warning will tell users that the website’s certificate doesn’t comply with Google Chrome’s transparency policy and therefore may not be safe.

In fact, any part of a website served over an HTTPS connection that doesn’t comply with Google’s policy will not load and will display an error in Chrome DevTools.

The change applies to all TLS server certificates issued after 30 April 2018.

Driving Positive Change

With Google Chrome reportedly being used by 60% of web users, this move is being seen by some as Google using its market dominance to drive better practices. It is expected, therefore, that most other major browsers will follow Google’s example.

What Does This Mean For Your Business?

This is really just an industry change that primarily affects the parties issuing the certificates, e.g. a Certificate Authority. The change isn’t retroactive, so it isn’t going to affect SSL certificates that were issued but not logged before 30 April 2018. This change will not (immediately) directly affect end users, although the clean-up effect that it may have on the whole business around certificates, and its role in thwarting some of the activities of cyber-criminals, could contribute towards a more secure internet generally. For example, cyber-criminals have been able to target internet users by finding ways to issue their own certificates.

The change should also give businesses a way to take action to protect themselves and their customers against any potential damage done to their business by mis-issuance of certificates.

This story should also be a reminder that from June, if your website doesn’t have a secure certificate, i.e. if it doesn’t have https in the URL, Chrome will post a security warning to visitors, which could mean that you lose enquiries and sales. Not having a secure certificate could also potentially mean that your website suffers in the search engine rankings.

Posted by Andrew Sewell,