StartCom, one of the few Certificate Authorities (CAs) to offer free certificates (with paid renewals) before Let’s Encrypt launched, is now also one of the first to log all of its SSL certificates to the public Certificate Transparency system.
Certificate Transparency (CT) is an open, public framework that lets anyone monitor and audit issued certificates. The idea is to expose rogue certificates in much the same way that open source software lets anyone interested in looking at the code find bugs or backdoors.
Google has required that all Extended Validation certificates be issued under the CT system since January 1, 2015; otherwise they wouldn’t be accepted by its Chrome browser. However, regular Domain Validation certificates could still be issued outside of the CT system.
Google demanded that Symantec start issuing all of its certificates under the CT system by June 1, 2016, after Symantec’s multiple blunders in which certificates for Google’s and other companies’ domains were issued without those companies’ knowledge or approval. Google discovered this by accident, and it wants Symantec to use Certificate Transparency in the future so this doesn’t happen again.
Google had also requested that China’s CNNIC Certificate Authority issue its certificates under the CT system, after it was found to have issued rogue certificates.
The goal is to eventually log all issued certificates into the CT system. However, no browser vendor has made it mandatory yet, likely because they expect some pushback from Certificate Authorities. That’s why it’s important that some CAs start leading the way, just as StartCom is doing now.
Although StartCom is one of the first CAs to adopt Certificate Transparency for all of its certificates, it’s not clear whether this was already planned or whether it’s a reaction to a recent vulnerability in how the company issues certificates. On March 9 this year, a developer managed to obtain a StartCom certificate without having to validate ownership of the domain. That is the equivalent of a third party obtaining a certificate for Google.com without having to prove ownership of Google.com.
Either way, it’s good to see that StartCom reacted promptly to this vulnerability, and that it did so by embracing Certificate Transparency rather than looking for some other, less preferable solution. Certificate Transparency is supposed to stop this sort of situation by making it obvious to everyone that a wrong certificate was issued for a certain domain.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.