Discuz! Board


What is Certificate Transparency and how does it work?

Posted at 14:19:14
Not everything is as safe as it seems on the Internet, but Certificate Transparency (CT) is a positive thing. Chances are you've interacted with CT without realizing it, especially if you've ever received a warning about a website's security certificate. So what is Certificate Transparency and how does it fit into the overall privacy protection landscape?

Designed to prevent fraudulent SSL certificates from being issued, this system works by registering and monitoring all certificates in a public, verifiable record. As you explore further, you will learn how this mechanism improves web security and ensures accountability for certificate authorities.

Table of contents

What is Certificate Transparency?
How does certificate transparency work?
Benefits of Certificate Transparency
What are pre-certifications and why are they useful?
What is Certificate Transparency?
Certificate Transparency is a public log that aims to improve the security of the SSL/TLS certificate ecosystem by allowing anyone to audit certificates in real time. CT prevents unauthorized certificates from being issued and detects any incorrectly issued certificates. It significantly reduces the risk of undetected certificate errors by providing a mechanism for continuous external audit of the certificate system.

At its core, Certificate Transparency involves maintaining comprehensive “append-only” logs (logs that allow only additions, never changes or deletions) of issued SSL/TLS certificates. These Certificate Transparency logs are publicly available and verifiable, ensuring that any organization can verify the certificates at any time. This accountability helps identify unauthorized certificates and mitigate man-in-the-middle (MITM) attacks that could otherwise compromise secure communications.




How does certificate transparency work?
Certificate Transparency requires CAs to submit newly issued certificates to CT logs. These public logs are tamper-proof, meaning any attempt to change, delete, or revoke records can be easily detected. Each log entry is timestamped and cryptographically signed, providing a secure and verifiable way to track the issuance of certificates.

Once a certificate is logged, it receives a Signed Certificate Timestamp (SCT) – proof that the certificate has been logged. Web servers then use these SCTs to demonstrate to connecting clients that their certificates are transparent and part of the public record. Clients, such as web browsers, can check these SCTs against logs, ensuring that the certificate is legitimate and that it was not issued maliciously or in error.

Here's a quick step-by-step overview of how CT works:

Create a precertificate: The Certification Authority (CA) creates a precertificate containing the same information that the subsequent SSL/TLS certificate will contain.
Send to log server: The precertificate is sent to a trusted log server.
Log server response: The Certificate Transparency log server accepts the precertificate and responds with a “signed certificate timestamp (SCT)”. This SCT is essentially a promise from the CT log server to add the certificate to its log within a certain period of time, known as the Maximum Merge Delay (MMD).

您需要登錄後才可以回帖 登錄 | 立即註冊

本版積分規則

Archiver|手機版|自動贊助|z

GMT+8, 10:24 , Processed in 0.040111 second(s), 18 queries .

抗攻擊 by GameHost X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回復 返回頂部 返回列表
一粒米 | 中興米 | 論壇美工 | 設計 抗ddos | 天堂私服 | ddos | ddos | 防ddos | 防禦ddos | 防ddos主機 | 天堂美工 | 設計 防ddos主機 | 抗ddos主機 | 抗ddos | 抗ddos主機 | 抗攻擊論壇 | 天堂自動贊助 | 免費論壇 | 天堂私服 | 天堂123 | 台南清潔 | 天堂 | 天堂私服 | 免費論壇申請 | 抗ddos | 虛擬主機 | 實體主機 | vps | 網域註冊 | 抗攻擊遊戲主機 | ddos |