In the early days of Certificate Transparency there weren't many CT log operators, which compelled Google to require that every certificate be logged to at least one Google-operated log. Starting in March 2021, Chrome deployed and continued to improve SCT auditing, which aims to provide additional security no matter where the certificates are logged. From April 2022, Chrome will use a new CT policy that removes the “One Google Log” requirement.
To understand why the "One Google Log" requirement existed, we have to understand that, when a certificate is recorded, the CT log effectively issues a promise (in the form of a Signed Certificate Timestamp, or SCT) to publish it to the public. Although we expect that all CT logs will follow through and deliver on their promises, we need technical measures to ensure that they do.
Unfortunately, that's easier said than done. The usual way to test CT log operation is to constantly submit certificates and check whether they are being published, but this only verifies correct operation when there is no malice involved. It's still possible for multiple CT log operators to collude and hide a certificate. Such a certificate would be accepted as valid, because it contains all the right SCTs.
This is where SCT auditing comes in: it enables verification of certificates actually observed in public. This additional layer of security means that fraudulent certificates, should they appear, can be discovered, so Google no longer needs to see every public certificate via its own CT logs. If you'd like to learn more about SCT auditing, we've written about it before on this blog. In addition, there's also a freshly released paper from the Google team, titled SCT Auditing in Certificate Transparency, that's worth a look.
Chrome's new generic CT policy that doesn't mention Google's CT logs is a big step forward for the CT ecosystem. In addition, the removal of the “One Google Log” requirement means that Google's CT logs are no longer a single point of failure, at least in theory. In practice, further CT log operators will be needed to make the system more resilient.
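To make the "promise" and the "single point of failure" points concrete, here is an added Python example, not Hardenize's or Google's code, that decodes an SCT list in the RFC 6962 TLS encoding (the bytes a certificate embeds, without the ASN.1 wrapper) and then counts how many distinct log operators stand behind a certificate's SCTs. The log-id-to-operator table, the SCT bytes and the signature value are constructed for the example; signatures are decoded but not verified (that needs each log's public key), and the minimum operator count is a parameter, with two used in the sample run. The point it illustrates is that operator diversity, not the raw SCT count, is what removes a single point of failure: two SCTs from logs run by the same operator fail the check.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not the blog's or Google's code. Assumes the TLS-style
# SignedCertificateTimestampList encoding of RFC 6962 section 3.3.


@dataclass(frozen=True)
class SCT:
    version: int
    log_id: bytes          # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int      # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int          # TLS HashAlgorithm (4 = sha256)
    sig_alg: int           # TLS SignatureAlgorithm (3 = ecdsa)
    signature: bytes       # decoded only; verification needs the log's key

    @property
    def timestamp(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)


def _take(buf: bytes, off: int, n: int) -> tuple[bytes, int]:
    """Return buf[off:off+n] and the new offset, refusing to read past the end."""
    if off + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[off:off + n], off + n


def parse_sct(data: bytes) -> SCT:
    """Decode one SerializedSCT (RFC 6962 section 3.3)."""
    off = 0
    b, off = _take(data, off, 1)
    version = b[0]
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id, off = _take(data, off, 32)
    b, off = _take(data, off, 8)
    timestamp_ms = struct.unpack("!Q", b)[0]
    b, off = _take(data, off, 2)
    extensions, off = _take(data, off, struct.unpack("!H", b)[0])
    b, off = _take(data, off, 2)
    hash_alg, sig_alg = b[0], b[1]
    b, off = _take(data, off, 2)
    signature, off = _take(data, off, struct.unpack("!H", b)[0])
    if off != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> list[SCT]:
    """Decode a SignedCertificateTimestampList: a 2-byte total length followed
    by 2-byte-length-prefixed SerializedSCT entries."""
    b, off = _take(data, 0, 2)
    if struct.unpack("!H", b)[0] != len(data) - off:
        raise ValueError("SCT list length does not match data")
    scts = []
    while off < len(data):
        b, off = _take(data, off, 2)
        item, off = _take(data, off, struct.unpack("!H", b)[0])
        scts.append(parse_sct(item))
    return scts


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Build a v1 SerializedSCT (sha256/ecdsa, no extensions) for constructed samples."""
    return (bytes([0]) + log_id + struct.pack("!Q", timestamp_ms)
            + struct.pack("!H", 0)                      # empty extensions
            + bytes([4, 3])                             # sha256, ecdsa
            + struct.pack("!H", len(signature)) + signature)


def encode_sct_list(serialized: list[bytes]) -> bytes:
    items = b"".join(struct.pack("!H", len(s)) + s for s in serialized)
    return struct.pack("!H", len(items)) + items


# Constructed log-id -> operator table; a real one comes from a browser's CT log list.
SAMPLE_LOG_OPERATORS = {
    b"\x01" * 32: "Operator A",
    b"\x02" * 32: "Operator A",
    b"\x03" * 32: "Operator B",
}


def distinct_operators(scts: list[SCT], log_operators: dict) -> set:
    """Operators behind the SCTs; an SCT from a log not on the list does not count."""
    return {log_operators[s.log_id] for s in scts if s.log_id in log_operators}


def meets_operator_diversity(scts: list[SCT], log_operators: dict, min_operators: int = 2) -> bool:
    """True when the SCTs come from at least min_operators distinct log operators."""
    return len(distinct_operators(scts, log_operators)) >= min_operators


def demo() -> dict:
    """Two SCTs from one operator fail the check; adding a second operator passes it."""
    ts = 1649980800000                       # 2022-04-15T00:00:00Z, constructed
    fake_sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"   # placeholder, not a real signature
    same_op = [encode_sct(b"\x01" * 32, ts, fake_sig), encode_sct(b"\x02" * 32, ts, fake_sig)]
    two_ops = same_op + [encode_sct(b"\x03" * 32, ts, fake_sig)]
    scts_same = parse_sct_list(encode_sct_list(same_op))
    scts_two = parse_sct_list(encode_sct_list(two_ops))
    return {
        "first_timestamp": scts_same[0].timestamp.isoformat(),
        "same_operator_ok": meets_operator_diversity(scts_same, SAMPLE_LOG_OPERATORS),
        "two_operators_ok": meets_operator_diversity(scts_two, SAMPLE_LOG_OPERATORS),
        "operators": sorted(distinct_operators(scts_two, SAMPLE_LOG_OPERATORS)),
    }


if __name__ == "__main__":
    print(demo())
```

In a real check the log list also carries each log's state and public key, so an SCT from a log that is unknown or no longer qualified is skipped (as the unknown-log case is here) and each signature is verified before the SCT counts toward the policy.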
Chrome's new CT policy will be released with Chrome 100 on March 29th, but will apply to certificates issued from April 15th onward. When Apple updated their policy in April 2021, we wrote about how it took a different approach from Chrome, leaving two major companies with different requirements. That was worrying. With Chrome's latest policy update, the two CT policies are nominally the same, although both companies will continue to maintain separate CT log lists.