If the certificate isn't registered with a public certificate log, users will see a page explaining that the site isn't compliant with the Chromium CT Policy.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Business websites must register their SSL certificate with a public certificate log to stay compliant with certificate transparency in Chrome.
- If not registered, the website will display a full-page warning to users when they visit it on the Chrome browser.
It's officially May, which means that if your company website's SSL certificate isn't registered in a public Certificate Transparency (CT) log, your users will be facing a roadblock. In an effort to enforce CT in Chrome, the browser will soon serve full-page warnings to any visitor of an HTTPS website without a logged certificate.
Google's Devon O'Brien originally noted the changes in a February Google Groups post. In the post, O'Brien wrote that "all TLS server certificates issued after 30 April, 2018 [must] be compliant with the Chromium CT Policy."
O'Brien also noted in the post that "sub-resources served over https connections that are not CT-compliant will fail to load and will show an error in Chrome DevTools."
The burden for this change falls on the Certificate Authorities (CAs). However, as noted by Bleeping Computer, many CAs got wind of the impending change and began logging the certificates before it was required. It's also good to know that the policy is not retroactive, so most older certificates should be good.
There are three methods for becoming compliant, which can be found here.
However, the original post noted, there are exceptions being made for certain business users. "In order to accommodate the unique needs of certain enterprises, there will be Chrome policies to disable CT enforcement on managed devices and for managed users that have signed-in to Chrome on their personal devices," the post said. "In addition to the existing ability to disable CT enforcement by URL, Chrome will add a policy that allows organizations to disable CT enforcement for CAs that only issue certificates to that organization."