Chrome CT Enforcement
April 9, 2018
Announced in 2016 but postponed until now, Google's requirement is that all web certificates issued after April 30th, 2018 must comply with the Chromium CT Policy for the Chrome web browser to honor them. When Chrome connects to a website whose certificate was issued after this date and does not comply with the Chromium CT (Certificate Transparency) policy, it will display a full-page warning notifying the user that their connection is not CT-compliant. To see what this will look like, check out this link.
This policy has applied to Extended Validation (EV) certificates since 2015 and is being expanded to all certificates on April 30th.
For a certificate to comply with the CT policy, it must be registered with an external logging registry, referred to as a Certificate Log. There are a number of Certificate Logs, some operated by Google and some by other organizations. They are publicly queryable and append-only: anyone can read the log, but no one can alter or remove an entry once it has been recorded. These logs are continually monitored for suspicious activity and are designed to limit the possibility of fraudulent certificates going undetected. In short, this is happening to make the web more secure.
From a technical perspective, CT compliance means that every certificate issued after April 30th must present the Chrome browser with a Signed Certificate Timestamp (SCT) during the connection process. SCTs are issued by a Certificate Log once a certificate has been successfully registered with it and act as proof that the certificate is CT-compliant. There are several accepted methods of delivering the SCT, all of which are detailed in the Chromium CT policy linked above.
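As an added example (not code from the original post or from Section), the following Python parses the TLS-encoded SignedCertificateTimestampList structure from RFC 6962 in which SCTs are delivered, and rejects truncated or malformed input; the sample bytes, log IDs and signatures are constructed dummy values, and the code does not verify a signature against any log's key.

```python
import struct
from datetime import datetime, timezone
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension holding embedded SCTs (RFC 6962 3.3)

def _read_vec(buf, pos, len_bytes):
    """Read a TLS-style length-prefixed vector, returning (data, next_pos)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    length = int.from_bytes(buf[pos:pos + len_bytes], "big")
    if pos + len_bytes + length > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos + len_bytes:pos + len_bytes + length], pos + len_bytes + length

def parse_sct(data):
    """Parse one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(data) < 43 or data[0] != 0:  # 1 version + 32 log id + 8 timestamp + 2 ext length
        raise ValueError("SCT too short or not version 1")
    timestamp_ms = struct.unpack(">Q", data[33:41])[0]
    extensions, pos = _read_vec(data, 41, 2)
    if len(data) < pos + 4:
        raise ValueError("truncated digitally-signed struct")
    hash_alg, sig_alg = data[pos], data[pos + 1]  # TLS HashAlgorithm / SignatureAlgorithm
    signature, pos = _read_vec(data, pos + 2, 2)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return {"log_id": data[1:33].hex(), "extensions": extensions, "signature": signature,
            "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg}

def parse_sct_list(blob):
    """Parse a SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    outer, pos = _read_vec(blob, 0, 2)
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(outer):
        item, p = _read_vec(outer, p, 2)
        scts.append(parse_sct(item))
    return scts

def _build_sct(log_id, timestamp_ms, signature):
    """Constructed test data: one SCT, no extensions, SHA-256 (4) + ECDSA (3), dummy signature."""
    body = b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + b"\x00\x00"
    body += b"\x04\x03" + len(signature).to_bytes(2, "big") + signature
    return len(body).to_bytes(2, "big") + body

# Constructed sample list carrying two SCTs from two fake logs (the log IDs are not real logs).
_items = (_build_sct(b"\xaa" * 32, 1525046400000, b"\x30\x44" + b"\x11" * 68)
          + _build_sct(b"\xbb" * 32, 1525046400000 + 5000, b"\x30\x45" + b"\x22" * 69))
SAMPLE_SCT_LIST = len(_items).to_bytes(2, "big") + _items
```

A certificate is only useful evidence of compliance if each parsed SCT's log ID belongs to a log Chrome currently trusts and the timestamp falls within that log's accepted range, so the parsed fields are the input to that policy check, not the check itself.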
All Let’s Encrypt certificates issued through the Section platform since March 30th comply with this new policy; if your application is provisioned under Section Let’s Encrypt, you are all set. If you are using a certificate from an outside provider, you should verify that any new certificates will comply with Google’s Chromium CT policy. You can determine the status of your current certificate by loading a page on your site with the security section of the Chrome network tab open, as depicted below. If there is no Certificate Transparency section, then your certificate is not CT-compliant.