Creating a more secure internet with Certificate Transparency

Meet Linus Nordberg, a NORDUnet software developer on a mission: Making the internet safer for everyone, and working together with Google to make it happen.

The technology is called Certificate Transparency, and is designed to create a more secure internet. Google is the main force behind the development and implementation of Certificate Transparency, but others are taking part as well. Linus and his colleague Magnus Ahltorp have been working on some important pieces of the puzzle since autumn 2014, financed by GÉANT and NORDUnet.
Linus explains:
Certificates are used to authenticate websites and to create an encrypted channel between client and server. This allows a user to be sure that a website claiming to be her bank is actually her bank and not an imposter trying to trick her, and it prevents outsiders from listening to the transactions. But there are loopholes in the SSL certificate technology currently used. The issue is "misissuance", i.e. a certification authority having a key compromised, fooled into signing the wrong thing or just being sloppy with what they sign."

SSL certificates open to scrutiny
" What we are doing is creating transparency by making the issuance and existence of SSL certificates open to scrutiny by domain owners and certification authorities. Certificate Transparency makes it possible for domain owners (i.e. the customers of certification authorities) to check that a certificate for their domain name isn't issued by anyone else than "their" certification authority, and not at any time they wouldn't expect."
" We’re creating an open framework of certificate logs. In this way we can detect security breaches and prevent them from spreading. Certificate Transparency will be a big step forward in protecting the internet, provided it will spread widely to browser vendors and certification authorities."

Few certificate logs
According to Linus, NRENs have an important role to play in developing and spreading Certificate Transparency.
" For one thing, NRENs have the resources and the infrastructure to run a certificate log. And also, it is in their best interest to make the internet safer for their users. For now NORDUnet is the only organisation besides Google and a group of certificate authorities to run a certificate log. Unlike these logs, our implementation is designed for sharing, helping smaller organisations to team up and running a log together.
The NORDUnet log has been up and running for a year now, and at the end of 2015 NORDUnet submitted it for inclusion in Chrome.
" We hope that it will be included in the security setup of the Google Chrome browser. But that's not our call," says Linus Nordberg.

Into the mainstream
When asked about Certificate Transparency finding its way into the mainstream of the internet, Linus Nordberg points to the big browser vendors:
" You have to ask Mozilla, Apple and Microsoft. The browser vendors are a very important key to implementing Certificate Transparency on a large scale. For now, only Google Chrome runs this feature. If you are a Chrome user you may have noticed the url bar turning red or green – green meaning that the url has been verified by at least three logs. Furthermore, Firefox is working on the technology as well."
Linus Nordberg points out, that although not widely spread yet, Certificate Transparency is making a difference already.
" It is already forcing certification authorities to correct mistakes. As an example, the Certificate Transparency logs discovered, that in September Symantec had issued test certificates, due to a mistake made during a Symantec-internal testing process."

Catch a lying log
Apart from setting up a certificate log, Linus Nordberg is also working on designing a protocol to ”catch a lying log”, a so-called gossip system, preventing attackers to succeed in creating a split view and presenting different views of the log to different users.
" That is quite a challenge. You need to produce an efficient gossip protocol without compromising the privacy of the user. You have to do it without revealing browser history, and that is difficult."
Currently 5.9 million certificates are stored on the NORDUnet certificate log server. The NORDUnet and Geant Certificate Transparency project runs until April 2016.

For more information on Certificate Transparency:
The Google Certificate Transparency project: https://www.certificate-transparency.org/
The IETF Working Group on Certificate Transparency: https://datatracker.ietf.org/wg/trans/charter/
A quick look into gossiping mechanisms for Certificate Transparency: https://tools.ietf.org/html/draft-linus-trans-gossip-ct-02