What is Certificate Transparency?

Certificate Transparency (CT) is a method for publicly logging, auditing, and monitoring the creation of new SSL/TLS (digital) certificates. Originally a concept from Google, CT is now an open standard under RFC 6962, albeit still an experimental one. Originally designed to enhance the veracity of Extended Validation (EV) certificates, many certificate authorities now voluntarily log all certificates, even Domain Validation (DV) ones. (Far more common, DV certificates verify only the domain name and therefore provide a lower level of trust than EV certificates, which verify the existence and location of the entity requesting the cert and that the entity controls the domain.)

Using cryptographic hashing, similar to cryptocurrency’s blockchain protocols, CT creates a ledger of all created or observed certificates. While the logs are not distributed, as with many blockchain protocols, they are made public, allowing anyone to query for the existence and validity of a certificate. Web browsers can query CT logs in real time to determine if the site they are connecting to has a certificate that exists in the log. Organisations can monitor logs to spot the creation of certificates that contain their domain or brand name. Finally, security researchers can use it to monitor for fraud and phishing sites.

The CT infrastructure is made up from three building blocks. Certificate log services, which log the creation of new certificates, and Merkle hash trees to provide cryptographic proofs. Certificate monitors are services which can query log services for specific logs or search for any containing specific names. Finally, the auditors. These are the clients, typically web browsers, that ask for and verify the signed proof that the certificate it is receiving exists in a CT log. Each represents a discrete service that is usually operated by different entities.