Recently, certain Certificate Authorities (CA) sent out emails to their customers about Certificate Transparency (CT). The emails urged users to enter their non-EV SSL Certificates in both Google’s CT log and one other publicly trusted CT log, such as DigiCert’s. If customers did not comply, the emails warned that their domains could be marked as “untrusted” in Chrome after June 1, 2016.
This email worried some domain owners and made some admins wonder if non-EV SSL Certificates should be registered in a CT log.
In short, yes, all SSL Certificates can be and should be logged. Logging OV SSL Certificates is a best practice that offers all the benefits of logging EV SSL Certificates. Further, logging OV Certificates strengthens overall security with no extra cost to domain owners.
CT is an open-framework that CAs, domain owners, or other interested parties use to log their SSL Certificates. This framework helps CAs and domain owners log all SSL Certificates, ensure that those certificates are used correctly, and alert CAs and domain owners when a new certificate is issued for a particular domain. Google created CT to protect CAs, domain owners, and end-users against certificate-based threats.
For example, in July 2011 DigiNotar a Dutch CA issued a fraudulent Wildcard SSL Certificate for Google. Cybercriminals used the fraudulent certificate to perform a man-in-the-middle attack. Later, DigiNotar admitted to issuing several more unauthorized SSL Certificates. Further investigation revealed that DigiNotar mis-issued over 530 certificates. More recently, in 2015, Google discovered that CNNIC issued an intermediate SSL Certificate that a firm based in Egypt used to spoof Google domains.
Because of situations like these rogue or compromised CAs, as well as mis-issued or stolen certificates, Google saw the need to create CT as a way to track, monitor, and audit SSL Certificates. Currently, Google requires EV SSL Certificates to be logged. For even better security, logging OV SSL Certificates can help ensure that domain owners are alerted if their certificate is ever compromised.
Benefits of Logging OV SSL Certificates
Here are some key benefits of registering OV SSL Certificates in a CT log:
- Shorter detection time leads to shorter revocation process. Because CT monitors in near-real time, domain owners and CAs are alerted much faster if an SSL Certificate is inadvertently or maliciously issued for a particular domain. Before CT, domain owners might not have known about a mis-issued certificate for weeks or even months. With CT, mis-issued certificates can be found in hours. This streamlined detection results in an overall faster mitigation process.
- Logging OV SSL Certificates is free and easy to do, and it allows domain owners an efficient and convenient way to guard against certificate-based threats and is free. For DigiCert customers, OV SSL Certificates can be logged by contacting our support team.
Ultimately, there is no reason not to publish OV SSL Certificates along with EV SSL Certificates. Logging OV SSL Certificates creates a better shield against certificate-based threats, costs nothing for domain owners, and requires only a simple phone call to opt-in.