Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates (bleepingcomputer.com)

Posted by msmash from the taking-a-stand dept.
Starting today, Google Chrome will show a full-page warning whenever users are accessing an HTTPS website that's using an SSL certificate that has not been logged in a public Certificate Transparency (CT) log. From a report: By doing so, Chrome becomes the first browser to implement support for the Certificate Transparency Log Policy. Other browser makers have also agreed to support this mechanism in the future, though they have not provided more details. This new policy was first proposed by Google engineers in 2016, and was scheduled to enter into effect in October 2017, but was later delayed to 2018.

  • You'll need an SPF record ... oh, and DKIM ... oh yeah, and DMARC ...

  • Another Google metadata sink? (Score:1)

    by Anonymous Coward

    So how is this going to be implemented? Every SSL cert is going to be sent to Google for "verification" or is the CT log going to be local and the browser will just search it every time?

    • Also what about locally signed certificates, using a corporate or Intranet CA, that's installed on all computers that might use those certs?

      That was, at one point, considered a best practice, but I assume this'll break that.
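On the "sent to Google for verification" question above: the check is local. A CT log that accepts a certificate returns a Signed Certificate Timestamp (SCT), and the browser looks for SCTs delivered with the certificate (embedded in the X.509 extension 1.3.6.1.4.1.11129.2.4.2, in the TLS signed_certificate_timestamp extension, or in a stapled OCSP response) and checks them against its policy. Below is an added example, not Chrome's or any CA's code, that serialises and parses the RFC 6962 SignedCertificateTimestampList structure and applies a simplified stand-in for Chrome's policy; the log IDs and signatures are constructed for the demo and the policy thresholds are an assumption, not Chrome's actual policy text.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply a simplified
CT policy check.  Added example, not Chrome's or any CA's code.  The SCTs below
are constructed for the demo (placeholder signatures, made-up log keys)."""
import hashlib
import struct
from dataclasses import dataclass

SCT_V1 = 0
HASH_SHA256 = 4    # TLS HashAlgorithm.sha256
SIG_ECDSA = 3      # TLS SignatureAlgorithm.ecdsa


@dataclass
class SCT:
    version: int
    log_id: bytes       # SHA-256 of the log's DER public key (32 bytes)
    timestamp_ms: int   # ms since the epoch when the log accepted the cert
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes    # log's signature over cert + timestamp; a real client
                        # verifies it with the log key it finds via log_id


def encode_sct(s: SCT) -> bytes:
    # version, log_id, timestamp, extensions<0..2^16-1>, then the
    # digitally-signed struct: hash alg, sig alg, signature<0..2^16-1>
    return (struct.pack("!B", s.version) + s.log_id
            + struct.pack("!Q", s.timestamp_ms)
            + struct.pack("!H", len(s.extensions)) + s.extensions
            + struct.pack("!BBH", s.hash_alg, s.sig_alg, len(s.signature))
            + s.signature)


def encode_sct_list(scts) -> bytes:
    # SignedCertificateTimestampList: opaque SerializedSCT<1..2^16-1> sct_list<1..2^16-1>
    inner = b"".join(struct.pack("!H", len(e)) + e for e in map(encode_sct, scts))
    return struct.pack("!H", len(inner)) + inner


def parse_sct(b: bytes) -> SCT:
    if len(b) < 47 or b[0] != SCT_V1:          # 47 = minimum v1 SCT size
        raise ValueError("unsupported SCT version or truncated SCT")
    log_id = b[1:33]
    (ts,) = struct.unpack_from("!Q", b, 33)
    (ext_len,) = struct.unpack_from("!H", b, 41)
    p = 43 + ext_len
    if p + 4 > len(b):
        raise ValueError("extensions length overruns the SCT")
    ext = b[43:p]
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", b, p)
    sig = b[p + 4:p + 4 + sig_len]
    if len(sig) != sig_len or p + 4 + sig_len != len(b):
        raise ValueError("SCT length fields do not match the data")
    return SCT(b[0], log_id, ts, ext, hash_alg, sig_alg, sig)


def parse_sct_list(data: bytes) -> list:
    if len(data) < 2:
        raise ValueError("truncated SCT list")
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, out = 2, []
    while pos < len(data):
        (n,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated SCT")
        out.append(parse_sct(data[pos:pos + n]))
        pos += n
    return out


def ct_compliant(scts, now_ms, google_log_ids=frozenset(), min_logs=2) -> bool:
    """Simplified policy (an assumption, not Chrome's actual policy text):
    ignore SCTs dated in the future, require `min_logs` distinct logs and,
    when a set of Google-operated log IDs is supplied, at least one Google and
    one non-Google log.  Chrome's real policy also raises the required count
    with certificate lifetime, consults its list of qualified logs, and
    verifies every signature."""
    logs = {s.log_id for s in scts if s.version == SCT_V1 and s.timestamp_ms <= now_ms}
    if len(logs) < min_logs:
        return False
    if google_log_ids and not (logs & google_log_ids and logs - google_log_ids):
        return False
    return True


# Constructed demo data: two pretend logs and a placeholder 71-byte signature.
LOG_A = hashlib.sha256(b"constructed: log A public key").digest()
LOG_B = hashlib.sha256(b"constructed: log B public key").digest()
FAKE_SIG = b"\x30" + bytes(70)
NOW_MS = 1_524_000_000_000  # roughly April 2018


def make_sct(log_id, ts_ms):
    return SCT(SCT_V1, log_id, ts_ms, b"", HASH_SHA256, SIG_ECDSA, FAKE_SIG)


def demo():
    good = encode_sct_list([make_sct(LOG_A, NOW_MS - 1000), make_sct(LOG_B, NOW_MS - 500)])
    one_log = encode_sct_list([make_sct(LOG_A, NOW_MS - 1000), make_sct(LOG_A, NOW_MS - 900)])
    future = encode_sct_list([make_sct(LOG_A, NOW_MS - 1000), make_sct(LOG_B, NOW_MS + 60_000)])
    return {
        "good": ct_compliant(parse_sct_list(good), NOW_MS, {LOG_A}),
        "one_log": ct_compliant(parse_sct_list(one_log), NOW_MS, {LOG_A}),
        "future": ct_compliant(parse_sct_list(future), NOW_MS, {LOG_A}),
    }


if __name__ == "__main__":
    print(demo())  # {'good': True, 'one_log': False, 'future': False}
```

Nothing here talks to Google; the browser only needs the log keys it already ships with. The same structure answers the corporate-CA question: a private CA can hand out certificates with no SCTs at all, which is why browsers exempt locally installed trust anchors from the CT requirement rather than warning on them.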

  • This seems more and more like an effort to compel website owner/operators to buy into the SSL certificate scheme.

    Revenue.

    • All websites with a fully qualified domain name qualify for a domain-validated certificate without charge from Let's Encrypt. Every certificate that Let's Encrypt issues is logged in CT.

      • Re: (Score:2)

        by Holi ( 250190 )
Does Let's Encrypt verify identity? I can't find anything on their site about it.

        If a CA is not verifying identity then what use is their certificate?

        • Re: (Score:2)

          by tepples ( 727027 )

Does Let's Encrypt verify identity? I can't find anything on their site about it.

          Let's Encrypt is a domain-validating certificate authority, which issues domain-validated certificates. Every such CA verifies that the person requesting a certificate is the same person who controls the domain's DNS. What other sort of "identity" did you have in mind?

          If a CA is not verifying identity then what use is their certificate?

          If a domain registrar is not verifying identity then what use is their domain?

        • Let's Encrypt doesn't issue EV certificates, so no, they don't verify real-world identity. They verify control of the domain name, just like everyone else issuing non-EV certificates. (Put another way, for DV certificates the domain is the identity.) The distinction between DV and EV certificates long predates Let's Encrypt, and their policies regarding domain validation are no more lax than most CAs'. Stricter, actually, since with LE you have to prove that you still control the domain at least once every

        • Re: (Score:2)

          by AmiMoJo ( 196126 )

          If a CA is not verifying identity then what use is their certificate?

          It allows your connection to the web site to be encrypted, preventing ISPs and other nefarious agents from spying on you to a limited extent.

Does Let's Encrypt verify identity? I can't find anything on their site about it.

          If a CA is not verifying identity then what use is their certificate?

What identity are you trying to verify? The identity of the machine in question? That's called Domain Validation, and yes Let's Encrypt does that by requiring that you prove that the certificate being issued for domain x is actually for domain x by showing that the machine actually is in charge of domain x by changing something on domain x during the issuing process.

If you're asking about the identity of the owner of the machine, well that's an Extended Validation certificate and Let's Encrypt doesn't issue t
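The "changing something on domain x during the issuing process" in the replies above is the ACME challenge (RFC 8555). The CA hands the client a random token; the client must publish a value derived from that token and its ACME account key, either as a file under /.well-known/acme-challenge/ (HTTP-01) or as a TXT record at _acme-challenge.<domain> (DNS-01); the CA then fetches it and compares. Below is an added example, not Let's Encrypt's code, implementing both sides of that exchange; the account key modulus, the token and the domain are constructed for the demo.

```python
"""ACME (RFC 8555) HTTP-01 and DNS-01 challenge responses, client side and
CA side.  Added example, not Let's Encrypt's code; the account key modulus,
the token and the domain are constructed for the demo."""
import base64
import hashlib
import json


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required public members only, in lexicographic
    # order, no whitespace.  Private members never enter the thumbprint.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    # The token comes from the CA; the thumbprint binds it to the ACME account
    # key, so a bystander who sees the token still cannot answer the challenge.
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict):
    """Path and body the client must serve over plain HTTP on port 80 of the
    domain.  The CA fetches it (following redirects), then compares."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict):
    """TXT record the client must publish; no web server or open port needed,
    which is what makes DNS-01 usable for hosts that are not reachable."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validate_http01(token: str, account_jwk: dict, fetched_body: str) -> bool:
    # The validation server recomputes the key authorization from what it
    # already holds (the token it issued, the registered account key).
    return fetched_body.strip() == key_authorization(token, account_jwk)


def ca_validate_dns01(domain: str, token: str, account_jwk: dict, txt_values) -> bool:
    _, expected = dns01_record(domain, token, account_jwk)
    return expected in txt_values


# Constructed demo data (not real keys): a 2048-bit-sized modulus stand-in.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(hashlib.sha256(b"constructed account key").digest() * 8)}
ATTACKER_JWK = {"kty": "RSA", "e": "AQAB",
                "n": b64url(hashlib.sha256(b"constructed other key").digest() * 8)}
TOKEN = b64url(hashlib.sha256(b"constructed CA token").digest())  # >= 128 bits, base64url
DOMAIN = "example.org"


def demo():
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    name, txt = dns01_record(DOMAIN, TOKEN, ACCOUNT_JWK)
    _, forged = http01_response(TOKEN, ATTACKER_JWK)  # right token, wrong account key
    return {
        "http01": ca_validate_http01(TOKEN, ACCOUNT_JWK, body),
        "http01_forged": ca_validate_http01(TOKEN, ACCOUNT_JWK, forged),
        "dns01": ca_validate_dns01(DOMAIN, TOKEN, ACCOUNT_JWK, [txt]),
        "path": path,
        "txt_name": name,
    }


if __name__ == "__main__":
    print(demo())
```

That is the whole of "identity" for a DV certificate: whoever can place that value on the domain's web server or in its DNS at the moment of issuance gets the certificate. Nothing about the legal entity behind the domain is checked, which is exactly the DV/EV distinction the other replies describe.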

Internal apps / IPMI / other things that are not online don't need real certs, much less running Let's Encrypt with ports open so that it runs.

A lot of people, including myself, use Let's Encrypt on a cPanel based hosting account to generate certs for a website.

    Are those local, self-signed certificates or something that is registered somewhere? I'd never really paid attention since it just worked and was one less thing to deal with.

    Since it's not retroactive there is no problem now, but wondering what will happen when I generate new certs going forward.

A lot of people, including myself, use Let's Encrypt on a cPanel based hosting account to generate certs for a website.

      Are those local, self-signed certificates or something that is registered somewhere?

      You could answer that question with five seconds on a search engine. Google Search for let's encrypt certificate transparency produces, as its first result, a document [letsencrypt.org] stating the following: "We submit all certificates to Certificate Transparency logs as we issue them."

    • Re: (Score:2)

      by kiviQr ( 3443687 )
Let's Encrypt submits all certificates as they issue them: https://letsencrypt.org/certif... [letsencrypt.org] More details in cert transparency: https://www.certificate-transp... [certificat...arency.org]

    • Re: (Score:2)

      by Nkwe ( 604125 )

A lot of people, including myself, use Let's Encrypt on a cPanel based hosting account to generate certs for a website.

      Are those local, self-signed certificates or something that is registered somewhere? I'd never really paid attention since it just worked and was one less thing to deal with.

      Since it's not retroactive there is no problem now, but wondering what will happen when I generate new certs going forward.

In this context certificates perform two functions. 1) They provide a key pair which can be used to encrypt the connection, and 2) They provide a way to have confidence that the person / company on the other end of the network is who they say they are. Any certificate (a free self-signed or Let's Encrypt certificate, or an expensive certificate from a commercial CA) can be safely used for just encryption. However if you care about validating who is on the other end self-signed certs are worthless, Let's Enc
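Two replies above point out that Let's Encrypt submits every certificate to CT logs at issuance. What "submitted" buys you is checkable: the log returns an SCT (a promise to include the entry), and later anyone can ask the log for an inclusion proof, a Merkle audit path from the certificate's leaf up to the log's signed tree head. Chrome, per the summary, only requires the SCTs at connection time; verifying the proof is how an auditor confirms the log kept its promise. Below is an added example, not any log's code, of the RFC 6962 tree hashing, audit-path generation and inclusion-proof verification; the leaf contents are constructed stand-ins for the MerkleTreeLeaf structures a real log stores.

```python
"""RFC 6962 Merkle tree head, audit path and inclusion-proof verification.
Added example, not any CT log's code.  Leaves are constructed stand-ins for
the MerkleTreeLeaf structures (which wrap the DER certificate) a real log
hashes."""
import hashlib


def leaf_hash(data: bytes) -> bytes:
    # Domain separation: leaves are prefixed 0x00, interior nodes 0x01, so a
    # leaf can never be passed off as a node (second-preimage trick).
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def largest_pow2_below(n: int) -> int:
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(leaves) -> bytes:
    """MTH(D[n]): split at the largest power of two strictly below n."""
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = largest_pow2_below(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))


def audit_path(m: int, leaves) -> list:
    """PATH(m, D[n]): sibling hashes from the leaf upward (what get-proof-by-hash returns)."""
    n = len(leaves)
    if n == 1:
        return []
    k = largest_pow2_below(n)
    if m < k:
        return audit_path(m, leaves[:k]) + [tree_head(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [tree_head(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int, path, root: bytes) -> bool:
    """Recompute the root from leaf + path (RFC 6962 / RFC 9162 algorithm) and
    compare with the root the log signed in its tree head."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in path:
        if sn == 0:                      # path longer than the tree is deep
            return False
        if fn & 1 or fn == sn:           # we are a right child
            r = node_hash(p, r)
            if not fn & 1:               # skip levels where the subtree is incomplete
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:                            # we are a left child
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def verify_all(leaves) -> bool:
    """Every leaf verifies against its own path; a tampered leaf does not."""
    root, n = tree_head(leaves), len(leaves)
    for i, leaf in enumerate(leaves):
        path = audit_path(i, leaves)
        if not verify_inclusion(leaf, i, n, path, root):
            return False
        if verify_inclusion(leaf + b"x", i, n, path, root):
            return False
    return True


# Constructed demo log of seven entries.
LEAVES = [b"constructed MerkleTreeLeaf %d" % i for i in range(7)]


def demo():
    root = tree_head(LEAVES)
    path = audit_path(5, LEAVES)
    return {
        "root": root.hex(),
        "path_len": len(path),
        "leaf5_ok": verify_inclusion(LEAVES[5], 5, len(LEAVES), path, root),
        "wrong_index": verify_inclusion(LEAVES[5], 9, len(LEAVES), path, root),
    }


if __name__ == "__main__":
    print(demo())
```

A real check adds two things this demo leaves out: the signed tree head's signature is verified with the log's public key, and the leaf is built from the certificate plus the SCT timestamp exactly as the log did, otherwise the leaf hash will not match anything the log holds.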

