Certificate Transparency and Public Key Pinning

Mar 3, 2015 | Jindřich Zechmeister

I am going to talk about two relatively new and little-known terms, Certificate Transparency and Public Key Pinning, both of which concern the security of using SSL certificates. Both try to lower the risk that a fraudulent certificate is issued for your website and then used against it.

Certificate Transparency (CT)

Certificate Transparency (CT) is a mechanism created by Google. In short, every certificate an authority issues is recorded in a public “log”, so that it is possible to verify that a given certificate really was issued by the authority in question.

Certificate Transparency (CT) has three main aims:
  1. Make it impossible (or a lot harder) for a certificate authority to issue an SSL certificate for a domain without the knowledge of the domain's owner.
  2. Provide an open auditing and monitoring system which enables any domain owner to check whether a certificate authority has issued a certificate for their domain (whether a genuine or a fraudulent one).
  3. Protect users (as far as possible) against damage caused by certificates that were issued by mistake or with the aim of abuse.

The browser will verify that the certificate is present in a public log before trusting it. If the certificate isn't listed, Google Chrome won't show its green EV bar. The publicly accessible log itself will be monitored, and potentially suspicious certificates will be watched.
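The log the article refers to is, in practice, an append-only Merkle hash tree as specified in RFC 6962: the log publishes a tree head (root hash), and for any certificate it can hand out an inclusion proof that ties the certificate to that head, which is what the browser checks. The following is an added example, not code from the article or from Google's CT implementation; it builds a toy log, runs the browser-side verification for a listed and an unlisted certificate, and shows the monitoring view from aim 2. The "certificates" are constructed byte strings, not real DER, and the `Log` class and `demo` function are illustrative names.

```python
"""Toy Certificate Transparency log (added example, not from the article).

Hashing follows RFC 6962: leaves are SHA-256(0x00 || entry), interior
nodes SHA-256(0x01 || left || right). Entries here are constructed
byte strings standing in for DER certificates.
"""
import hashlib
from typing import List, Tuple


def leaf_hash(entry: bytes) -> bytes:
    # The 0x00 prefix keeps a leaf from ever being mistaken for a node.
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (the RFC's "k").
    return 1 << ((n - 1).bit_length() - 1)


def tree_head(leaves: List[bytes]) -> bytes:
    """Merkle Tree Hash over a list of leaf hashes (RFC 6962 section 2.1)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path (sibling hashes, leaf upwards) for the leaf at `index`."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [tree_head(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [tree_head(leaves[:k])]


def verify_inclusion(cert: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Browser-side check: does `proof` tie `cert` at `index` to `root`?

    Verification algorithm from RFC 6962 / RFC 9162: walk from the leaf
    up, deciding at each level whether the sibling sits left or right.
    """
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    h = leaf_hash(cert)
    for sibling in proof:
        if sn == 0:
            return False                 # proof longer than the tree is tall
        if fn & 1 or fn == sn:
            h = node_hash(sibling, h)    # sibling is to our left
            if not fn & 1:
                # We were the right-most node: skip levels with no sibling.
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            h = node_hash(h, sibling)    # sibling is to our right
        fn >>= 1
        sn >>= 1
    return sn == 0 and h == root


class Log:
    """Append-only log plus the monitoring view a domain owner uses."""

    def __init__(self) -> None:
        self.entries: List[bytes] = []

    def append(self, cert: bytes) -> int:
        self.entries.append(cert)
        return len(self.entries) - 1

    def head(self) -> bytes:
        return tree_head([leaf_hash(e) for e in self.entries])

    def proof_for(self, index: int) -> List[bytes]:
        return inclusion_proof([leaf_hash(e) for e in self.entries], index)

    def certs_for(self, domain: bytes) -> List[bytes]:
        # Aim 2: a monitor scans the public log for certificates naming its domain.
        return [e for e in self.entries if b"CN=" + domain + b"|" in e]


def demo() -> Tuple[bool, bool, List[bytes]]:
    log = Log()
    # Constructed entries: subject, issuer and serial in a readable form.
    for issuer, cn, serial in [("Good CA", "www.example.com", 1),
                               ("Good CA", "mail.example.com", 2),
                               ("Other CA", "www.example.com", 3),
                               ("Good CA", "shop.example.net", 4),
                               ("Good CA", "www.example.org", 5)]:
        log.append(f"CN={cn}|issuer={issuer}|serial={serial}".encode())
    root, size, idx = log.head(), len(log.entries), 3
    listed = verify_inclusion(log.entries[idx], idx, size, log.proof_for(idx), root)
    unlisted = verify_inclusion(b"CN=www.example.com|issuer=Rogue CA|serial=99",
                                idx, size, log.proof_for(idx), root)
    # The owner of example.com sees two certificates, one from a CA they never used.
    return listed, unlisted, log.certs_for(b"www.example.com")


if __name__ == "__main__":
    print(demo())
```

The proof for an unlisted certificate fails because its leaf hash never combines into the published root; the same check catches a certificate whose bytes were altered after logging. A real deployment adds signatures over the tree head and consistency proofs between successive heads, so that a log cannot quietly rewrite history.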

Google is planning the first larger-scale use of this function for February 2015, for the EV certificates mentioned above. Certificate Transparency is planned to be extended to further certificates later.

You will find more information about Certificate Transparency in the Google article How Certificate Transparency Works, or on the topical website certificate-transparency.org.

Public Key Pinning

Public key pinning tries to solve the biggest weakness of the current ecosystem: the fact that any authority can issue a certificate for any domain without the domain owner's permission.

With “pinning”, website owners choose one or more authorities they trust, and only those authorities may issue a certificate for their domain. This limits the risk of the domain being abused through a fraudulent certificate from a less trustworthy authority. Pinning therefore serves as protection against MITM (Man in the Middle) attacks and against certificate forgery.

For now, pinning is available in the Chrome browser (a built-in list of around 500 entries), but an open standard for pinning over the HTTP protocol is also being created. The Public Key Pinning Extension for HTTP, for example, informs the browser which certificate (public key) belongs to a specific domain. A slightly different approach to public key pinning is the DANE protocol, which places the described information about certificates into DNS and thereby combines the principle of SSL certificates with DNSSEC.
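The HTTP extension mentioned above became RFC 7469: the server sends a `Public-Key-Pins` header whose `pin-sha256` values are base64-encoded SHA-256 hashes of a SubjectPublicKeyInfo (SPKI), and the browser later accepts a chain only if one of those hashes matches some key in the chain. The following is an added example, not code from the article or from any browser; it computes pins, parses the header and runs the validation the browser performs, including the RFC's requirement of a backup pin that is not in the served chain (without one, losing the pinned key locks visitors out for `max-age`). The SPKI values are constructed placeholders rather than real DER, and `demo` is an illustrative name. Browsers have since deprecated and removed HPKP, but the logic shows exactly what pinning does and why the backup pin matters.

```python
"""HPKP (RFC 7469) pin computation and validation (added example).

Pins hash the certificate's SubjectPublicKeyInfo, not the whole
certificate, so a re-issued certificate for the same key (or from the
same pinned CA key) keeps validating. SPKI blobs here are constructed
placeholders; real ones are DER-encoded public keys.
"""
import base64
import hashlib
from typing import Dict, Iterable, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> Dict[str, object]:
    """Parse the value of a Public-Key-Pins header into a policy dict."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_subdomains = False
    report_uri: Optional[str] = None
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = value
        # Unrecognised directives are ignored, as the RFC requires.
    if max_age is None:
        raise ValueError("Public-Key-Pins requires a max-age directive")
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains, "report_uri": report_uri}


def chain_pins(chain_spkis: Iterable[bytes]) -> Set[str]:
    return {spki_pin(spki) for spki in chain_spkis}


def pins_match(policy: Dict[str, object], chain_spkis: Iterable[bytes]) -> bool:
    """Pin validation: some pinned key appears somewhere in the served chain."""
    return bool(policy["pins"] & chain_pins(chain_spkis))


def has_backup_pin(policy: Dict[str, object], chain_spkis: Iterable[bytes]) -> bool:
    """RFC 7469 demands at least one pin that is NOT in the current chain."""
    return bool(policy["pins"] - chain_pins(chain_spkis))


def demo() -> Dict[str, object]:
    # Constructed SPKI placeholders; real values are DER SubjectPublicKeyInfo.
    leaf_spki = b"constructed SPKI: www.example.com leaf key"
    good_ca_spki = b"constructed SPKI: Good CA intermediate key"
    root_spki = b"constructed SPKI: Good CA root key"
    backup_spki = b"constructed SPKI: offline backup key, never served"
    # Site pins its trusted CA's intermediate key plus an offline backup key.
    header = (f'pin-sha256="{spki_pin(good_ca_spki)}"; '
              f'pin-sha256="{spki_pin(backup_spki)}"; '
              'max-age=5184000; includeSubDomains')
    policy = parse_hpkp(header)
    genuine_chain = [leaf_spki, good_ca_spki, root_spki]
    # A valid-looking chain from an authority the owner never chose.
    other_ca_chain = [b"constructed SPKI: another www.example.com key",
                      b"constructed SPKI: some other CA key"]
    return {
        "genuine_accepted": pins_match(policy, genuine_chain),
        "other_ca_accepted": pins_match(policy, other_ca_chain),
        "has_backup": has_backup_pin(policy, genuine_chain),
        "policy": policy,
    }


if __name__ == "__main__":
    print(demo())
```

The second chain is rejected even though, to a browser without pins, it would look like any other publicly trusted certificate: pinning replaces "any CA may vouch for this domain" with the owner's own short list. The cost is operational: a lost key and a forgotten backup pin mean a self-inflicted outage until `max-age` expires.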

You will find more technical details and examples of key pinning in use, for example, in the technical article Certificate and Public Key Pinning.

Our next articles will introduce you to other modern security terms which might be new to you.

Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com