Google Chrome users will soon encounter a full-page warning whenever visiting a website whose SSL certificate is not registered with a public certificate log.
For users, this means additional protection from websites whose SSL certificates may have been maliciously acquired, exposing them to server impersonation and other attacks. Whether by compromising a certificate authority or taking advantage of mistakenly issued certificates, hackers have in the past manipulated the system to spoof legitimate websites, launch man-in-the-middle attacks, and in some cases, install spyware on the devices of unsuspecting users.
SSL is the primary cryptographic standard by which HTTPS connections are secured, ensuring that data transmitted between web servers and users remains unmolested. An SSL certificate uses a public and private key to encrypt data; whenever you go to a website, an authentication server ensures the SSL certificate used by the site is properly signed by a trusted Certificate Authority, which maintains a copy of the public key. It also ensures the key is not expired or revoked.
Simply put, this system ensures that users can communicate with websites (and vice versa) over an encrypted link, protecting financial information, passwords, and other sensitive data from anyone who would try to intercept it.
Chrome’s new policy is known as “certificate transparency.” Boiled down, this means a certificate authority (CA) must maintain a public log that offers cryptographic proof that the certificates issued are authentic. If a website holds a certificate issued by a CA that has not been submitted to one of these public logs, then users will be warned.
The warning doesn’t specifically mean that data transmitted to and from the site will be intercepted, or even could be, it merely means there’s no public assurance, cryptographically speaking, that it won’t happen. Your full faith and trust is placed instead in the certificate authority itself, whom you hope hasn’t been in some way compromised.
We’ve asked Google to send us a screenshot of what this warning will actually look like. We’ll update if they respond.
Update, 1pm: An important tidbit I failed to mention is that the policy is not retroactive. As Bleeping Computer reported, “older certs issued before today that have not been recorded in a CT log will continue to work. But if a CA has issued a new SSL cert starting today and has not recorded it in a public CT log, Chrome will show an error.”
Correction: A previous version of this article stated that the warnings would begin to appear today. Google has informed Gizmodo that the warning pages displayed by Chrome will instead not be seen by users until Chrome 68 rolls out this July.