Certificate Transparency and Public Key Pinning

Nov 11, 2014 | Jindřich Zechmeister

In today's article I will introduce two relatively new and little-known concepts, Certificate Transparency and Public Key Pinning, both of which concern the secure use of SSL certificates. Both aim to reduce the risk that a fraudulent certificate is issued for your website and then used against it.

Certificate Transparency (CT)

Certificate Transparency (CT) is a framework initiated by Google (it is specified in RFC 6962). In short, every certificate an authority issues is published in a public, append-only "log," so that anyone can later verify that the certificate really was issued, and by which authority.

Certificate Transparency (CT) has three main goals:

  1. Make it impossible, or at least very difficult, for a certification authority to issue an SSL certificate for a domain without the domain owner's knowledge.
  2. Provide an open auditing and monitoring system that allows any domain owner to check whether any certification authority has issued a certificate for their domain (whether legitimate or fraudulent).
  3. Protect users (as much as possible) from harm caused by certificates that were issued incorrectly or for abusive purposes.

The principle of mutual control in CT

Before trusting a certificate, the browser checks that it has been submitted to a public log: the log returns a signed promise of inclusion (a Signed Certificate Timestamp, SCT), and the browser expects this proof to be delivered together with the certificate. If the proof is missing, Google Chrome will not show the green EV bar for the certificate. The publicly accessible log is in turn monitored, so that suspicious certificates are noticed.

Google plans the first major use of this feature for February 2015, for the EV certificates mentioned above; later, Certificate Transparency is to be extended to other certificates as well.
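The "open auditing" side of a CT log rests on a Merkle hash tree (RFC 6962, section 2.1): the log publishes a signed tree head, and an auditor can check that a given certificate is included in the tree from a short inclusion proof, without downloading the whole log. The following is an added example written for this article, not code from Google's CT project; it implements the RFC 6962 hashing rules and inclusion proofs in pure Python over a constructed toy log, where each entry is a byte string standing in for a DER-encoded certificate (real logs hash the actual certificate structures). The `find_certificates_for` helper is a simplified stand-in for what a domain monitor does.

```python
import hashlib


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry)."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def largest_power_of_two_below(n: int) -> int:
    """Largest k = 2^i with k < n (n >= 2); the split point of an RFC 6962 tree."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries):
    """Merkle Tree Hash (MTH) of the log entries, RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()  # the empty tree
    if n == 1:
        return leaf_hash(entries[0])
    k = largest_power_of_two_below(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(index, entries):
    """Audit path for entries[index] (PATH in RFC 6962 section 2.1.1):
    the sibling subtree hashes, innermost first, outermost last."""
    n = len(entries)
    if n == 1:
        return []
    k = largest_power_of_two_below(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_head(entries[:k])]


def root_from_proof(index, tree_size, leaf, path):
    """Recompute the tree head an auditor reaches from a leaf hash and its path."""
    if tree_size == 1:
        if path:
            raise ValueError("proof too long")
        return leaf
    if not path:
        raise ValueError("proof too short")
    k = largest_power_of_two_below(tree_size)
    sibling = path[-1]  # outermost sibling is appended last by inclusion_proof
    if index < k:
        return node_hash(root_from_proof(index, k, leaf, path[:-1]), sibling)
    return node_hash(sibling, root_from_proof(index - k, tree_size - k, leaf, path[:-1]))


def verify_inclusion(entry, index, tree_size, path, root):
    """True iff the proof shows `entry` sits at `index` in a tree whose head is `root`."""
    if not 0 <= index < tree_size:
        return False
    try:
        return root_from_proof(index, tree_size, leaf_hash(entry), path) == root
    except ValueError:
        return False


def find_certificates_for(domain: bytes, entries):
    """Goal 2 of CT, simplified: a domain owner scans the log for entries naming
    their domain. Real monitors parse the certificate's subject and SAN fields."""
    return [i for i, e in enumerate(entries) if domain in e]


# Constructed toy log; entry 3 is the one the owner of example.com did not ask for.
LOG = [
    b"CN=www.example.com,O=Example Ltd,issuer=Trusted CA A",
    b"CN=shop.example.net,O=Shop Inc,issuer=Trusted CA A",
    b"CN=mail.example.org,O=Mail Co,issuer=Trusted CA B",
    b"CN=www.example.com,O=Unknown,issuer=Sloppy CA C",
    b"CN=login.example.net,O=Shop Inc,issuer=Trusted CA B",
]

if __name__ == "__main__":
    root = tree_head(LOG)
    for i, entry in enumerate(LOG):
        path = inclusion_proof(i, LOG)
        print(i, len(path), verify_inclusion(entry, i, len(LOG), path, root))
    print("entries for example.com:", find_certificates_for(b"example.com", LOG))
```

Because every node hash commits to its children, a log operator cannot later remove or alter a logged certificate without changing the signed tree head, which is exactly what makes the "monitor the log" part of the design meaningful.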

More information about Certificate Transparency can be found in Google's article How Certificate Transparency Works, or directly on the project website certificate-transparency.org.

Public Key Pinning

Public key pinning addresses the greatest weakness of the PKI ecosystem as it exists today: any trusted authority can issue a certificate for any domain without the owner's consent.

With "pinning," a website owner chooses one or more authorities (more precisely, one or more public keys) that they trust to issue a certificate for their domain, and a browser rejects any other certificate for the site. This reduces the risk that the domain is impersonated with a certificate obtained from a less trustworthy authority. Pinning therefore serves as a defense against MITM (Man in the Middle) attacks and against forged certificates.

Currently, pinning is available in the Chrome browser as a built-in (preloaded) list of about 500 records, but an open standard for pinning over the HTTP protocol is also being developed. The Public Key Pinning Extension for HTTP (HPKP) lets a site tell the browser, in a response header, which public keys may appear in its certificate chain, and the browser remembers them for a set time. A pin that is wrong, or whose key is lost, locks visitors out of the site for as long as the pin is remembered, which is why HPKP also requires a backup pin for a key that is not currently in use. A somewhat different approach to public key pinning is the DANE protocol, which publishes signed information about a site's certificate in DNS, combining the principles of SSL certificates and DNSSEC.
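To make the HPKP mechanism concrete, here is an added example written for this article (not code from any browser or from the HPKP specification): it computes `pin-sha256` values, composes the `Public-Key-Pins` header a server would send, and applies the two rules a browser uses when deciding whether to accept the header (at least one pin must match a key in the presented chain, and at least one pin must not, i.e. a backup pin must exist), followed by the check made on later connections. The byte strings below are constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures; for a real certificate you would obtain those bytes with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform der`.

```python
import base64
import hashlib
import re


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pins_header(spkis, max_age, include_subdomains=False, report_uri=None):
    """Compose the value of the Public-Key-Pins header a server sends."""
    parts = ['pin-sha256="%s"' % pin_sha256(s) for s in spkis]
    parts.append("max-age=%d" % max_age)  # max-age is mandatory in HPKP
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_pins_header(value):
    """Extract the set of pins and the max-age from a Public-Key-Pins value."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    return pins, (int(m.group(1)) if m else None)


def evaluate_pins(header_value, chain_spkis):
    """Browser-side decision whether to remember the pins from this response.
    Returns (accepted, pins matching the chain, backup pins not in the chain)."""
    pins, max_age = parse_pins_header(header_value)
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    matched = pins & chain_pins
    backups = pins - chain_pins
    accepted = bool(matched) and bool(backups) and max_age is not None
    return accepted, matched, backups


def chain_matches_pins(chain_spkis, pinned):
    """Check on a later connection: does any key in the chain match a pin?"""
    return any(pin_sha256(s) in pinned for s in chain_spkis)


# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
LEAF_SPKI = b"spki:www.example.com current key"
INTERMEDIATE_SPKI = b"spki:Trusted CA A intermediate"
BACKUP_SPKI = b"spki:www.example.com offline backup key"
ROGUE_LEAF_SPKI = b"spki:www.example.com key issued by Sloppy CA C"
ROGUE_CA_SPKI = b"spki:Sloppy CA C"

# 60 days, the site's current key plus a backup key not yet deployed.
HEADER = build_pins_header([LEAF_SPKI, BACKUP_SPKI], 60 * 24 * 3600)

if __name__ == "__main__":
    print("Public-Key-Pins:", HEADER)
    accepted, matched, backups = evaluate_pins(HEADER, [LEAF_SPKI, INTERMEDIATE_SPKI])
    print("header accepted:", accepted, "matched:", matched, "backups:", backups)
    pins, _ = parse_pins_header(HEADER)
    print("legitimate chain ok:", chain_matches_pins([LEAF_SPKI, INTERMEDIATE_SPKI], pins))
    print("rogue CA chain ok:", chain_matches_pins([ROGUE_LEAF_SPKI, ROGUE_CA_SPKI], pins))
```

The rogue chain in the last line is exactly the MITM case the paragraph describes: the certificate would chain to a trusted root, so ordinary validation passes, but none of its keys matches a remembered pin, so the browser refuses the connection.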

More technical details and usage examples of key pinning can be found, for example, in the technical article Certificate and Public Key Pinning.

In future articles, we will introduce other modern security concepts that you may not yet know.