Transparent SSL Certificates – What Does it Mean, How to Get it and What’s the Fuss
Building a brand online relies on trust. Business growth online relies on websites that can inspire their visitors' trust – to fill out forms, enter their payment details or even just to sign up for a newsletter. Since we live in a world where a simple click can mean lost private data, stolen credit cards or installed malware, it’s more important than ever to make sure that our websites deserve this trust.
What is certificate transparency (CT)?
In its mission to make the web a safe place, a couple of months ago Google announced that, starting October 2017, Google Chrome will require a transparent SSL certificate in order to mark a website as secure, and it’s reasonable to expect that other browsers will follow soon.
In addition to that, starting with Google Chrome version 56 and onwards, all HTTP websites which ask for login details or payment details are labelled as “Non-secure”, a fate which eventually all HTTP websites will meet. Since roughly 30% of the UK browser market runs on Chrome, this could potentially have a big impact.
What does this all mean, and why is Google changing the rules all of a sudden? I asked industry expert Tim Dunton from Nimbus Hosting what impact this will have on the domain names market:
“It’s about time that someone cleans up all the SSLs on the market place with something easier and cleaner for consumers to understand. I’m hoping some of the changes will go further to handle some of the more basic SSLs on the market that are easy to get issued. This would be easier for consumers to differentiate between domain validated and organisation validated SSLs.”
There are multiple levels of SSL validation, which should naturally inspire different levels of user trust. As GlobalSign explains, domain validated SSL certificates only check the applicant’s right to use a specific domain name. Organization validated SSL certificates additionally vet the organisation itself.
Extended validation (EV) SSL certificates, according to GlobalSign, require that the Certificate Authority check the applicant’s right to use a specific domain name and also conduct a thorough vetting of the organization. The issuance process of EV SSL certificates is strictly defined in the EV Guidelines.
Fake Google, NSA and Edward Snowden
The current (non-transparent) system of issuing SSL certificates has one big flaw: there are hundreds of certification authorities (CAs) around the world, any of which can grant an applicant a certificate for your domain, even if you have already bought one from another CA. There is no “higher control” and no way for the CAs to communicate in real time and compare their records.
As a result, it became possible to hack CAs and make them issue “valid” SSL certificates for domains the hackers didn’t own at all – and the legitimate owner wouldn’t have a way to find out until it was too late. However, hackers are not the only culprits. Google found out that Symantec had mistakenly issued an SSL certificate for google.com … to someone else.
There were also multiple cases where a government body was responsible for compromising trusted certificates in what are known as man-in-the-middle attacks. Examples include the NSA and French, Iranian and Indian government agencies.
Public logs, monitors and auditors
The main idea behind Certificate Transparency is one of those beautifully simple concepts that makes you wonder why we weren’t doing it this way sooner: keep a public log server where everyone (although mostly the certification authorities, naturally) can record every issued certificate.
Entries in the certificate log are open, so that everyone can search them and see whether a certain certificate is legitimate and belongs to whom it claims to belong. Go ahead and look up the certificates issued for your (or any) domain with Google’s Certificate Transparency Lookup tool.
Here is Moz’s, for example:
Keeping “cyber diaries” is surely a big step towards transparency, but they wouldn’t be that effective if no one were checking and consulting them regularly. That’s where the public monitors come in.
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates. For example, monitors can tell if an illegitimate or unauthorized certificate has been issued for a domain, and they can watch for certificates that have unusual certificate extensions or strange permissions, such as certificates that have CA capabilities. (source: https://www.certificate-transparency.org/what-is-ct)
The third component of the whole transparent SSL framework is the auditors – lightweight software components that can verify that logs are behaving correctly and that a particular certificate appears in a log. If a certificate has not been registered in a log, it’s a sign that the certificate is suspect, and TLS clients may refuse to connect to sites that have suspect certificates. Examples of auditors include components built into Google Chrome.
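To make the auditor's check concrete, here is an added example (not code from the original post or from any CT log implementation) of the RFC 6962 Merkle tree that a CT log is built on: the log computes a tree head over its entries, hands out a short inclusion proof for any entry, and an auditor recomputes the root from the leaf plus that proof to confirm the certificate really is in the log. The log entries are constructed text labels standing in for real certificate records.

```python
import hashlib
# Constructed stand-ins for CT log entries (a real log hashes a MerkleTreeLeaf
# holding the DER certificate and a timestamp, not a text label).
ENTRIES = [
    b"cert: CN=example.com, issuer=CA-A",
    b"cert: CN=shop.example.com, issuer=CA-A",
    b"cert: CN=mail.example.com, issuer=CA-B",
    b"cert: CN=example.org, issuer=CA-C",
    b"cert: CN=example.com, issuer=CA-D",  # same name, different CA: a monitor would flag this
]
def leaf_hash(entry: bytes) -> bytes:  # RFC 6962 leaf: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:  # RFC 6962 node: SHA-256(0x01 || l || r)
    return hashlib.sha256(b"\x01" + left + right).digest()
def tree_head(entries: list) -> bytes:
    """Merkle Tree Hash over the log; the value a Signed Tree Head commits to."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = 1 << ((n - 1).bit_length() - 1)  # largest power of two strictly below n
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))
def inclusion_proof(index: int, entries: list) -> list:
    """Sibling hashes the log returns when asked whether entry #index is present."""
    n = len(entries)
    if n == 1:
        return []
    k = 1 << ((n - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_head(entries[:k])]
def verify_inclusion(entry: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    """Auditor side (RFC 9162 s2.1.3.2): rebuild the root from leaf + proof and compare."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False                 # more proof nodes than the tree can have
        if fn % 2 == 1 or fn == sn:
            r = node_hash(p, r)          # sibling sits to the left
            while fn % 2 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)          # sibling sits to the right
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A forged entry, a wrong index or a proof that does not match the claimed tree size all fail verification, which is exactly how an auditor catches a certificate that was never logged.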
Does it have any impact on SEO?
Google hasn’t announced any changes to the way its search engine algorithm gauges secure websites when granting a rankings boost; however, we can certainly expect a shift towards a stricter evaluation of what “secure” means for Google in the future.
All of the changes around transparency and security promoted by Google make the case for switching to HTTPS more pronounced than ever.
So what do we need to do?
- Get a transparent SSL certificate – preferably with extended validation
- Make sure to switch on the HTTPS version by default
- Redirect all your non-secure content to secure URLs
- Update your canonical tags to HTTPS URLs
- Create a Google Search Console account for your HTTPS domain
- HTTPS is much faster over HTTP/2 – consider switching to HTTP/2
- Update your structured data markup to include HTTPS variations of your URL
- Update your internal links so that they are all pointing to the secure URLs
Or you can consult these helpful step-by-step guides for migration to HTTPS: