Trust on the internet is derived from Certificate Authorities that issue digital certificates to verify that users are actually visiting legitimate sites. Over the years, Google and other browsers have removed authorities that fail to be up to par, with Chrome now pushing a new Certificate Transparency Policy that comes into effect today.
Chromium’s Certificate Transparency Log Policy (via Bleeping Computer) asks Certificate Authorities to maintain publicly available logs of all SSL certificates they issue. With these logs widely available, Chrome and other security researchers can verify that CAs are following best practices.
In the past, these records were maintained and kept private, with CAs only providing them to parties investigating possible vulnerabilities. All certificates issued after April 31st must follow the new logging policy, with previous ones grandfathered in.
This change comes as recent years have seen Chrome stop trusting several Certificate Authorities due to poor practices. The most recent loss of trust involved Symantec in Chrome 66. As Bleeping Computer notes, this policy was first announced in 2016 and meant to go live in October 2017. However, Google pushed back the date to allow other parties to follow along.
Noncompliance will result in users seeing a full-page warning in Chrome that notes their current connection is not CT-compliant. Rolling out first on macOS, Windows, Linux, and Chrome OS, this change will eventually be applied to all Chrome platforms, including Android and iOS.
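The logging described above is visible in the certificate itself: a CA that submits a certificate to CT logs receives Signed Certificate Timestamps (SCTs) from each log and usually embeds them in the issued certificate as an X.509 extension. The following is an added example, not code from the article or from the Chromium project, that walks a DER-encoded certificate with only the Python standard library, finds the embedded SCT extension (OID 1.3.6.1.4.1.11129.2.4.2 from RFC 6962) and counts the SCTs it carries. The two certificates it runs on are constructed skeletons that contain only the fields the walker reads; `build_fake_cert` and `fake_sct_extension` are helpers assumed here to produce them.

```python
# Added example (not from the article): detect the embedded Signed Certificate
# Timestamp (SCT) extension in a DER-encoded X.509 certificate with only the
# Python standard library, and count the SCTs in it.

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 embedded SCT list extension


def encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + encode_length(len(content)) + content


def encode_oid(dotted):
    """DER-encode a dotted OID (first two arcs packed, base-128 for the rest)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(content):
    """Decode the contents of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, contents) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


def embedded_sct_list(cert_der):
    """Return the SCT list (extnValue contents) from the certificate, or None."""
    _, cert_body, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)             # tbsCertificate SEQUENCE
    for tag, body in children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        _, ext_seq, _ = read_tlv(body, 0)
        for _, ext in children(ext_seq):
            fields = list(children(ext))            # OID, optional critical BOOLEAN, OCTET STRING
            if decode_oid(fields[0][1]) == SCT_LIST_OID:
                return fields[-1][1]
    return None


def count_scts(sct_list):
    """Count entries in a TLS-encoded SignedCertificateTimestampList (RFC 6962 3.3)."""
    total = int.from_bytes(sct_list[:2], "big")
    pos, n = 2, 0
    while pos < 2 + total:
        entry_len = int.from_bytes(sct_list[pos:pos + 2], "big")
        pos += 2 + entry_len
        n += 1
    return n


def ct_extension_summary(cert_der):
    """Report whether the certificate embeds SCTs and how many."""
    sct_list = embedded_sct_list(cert_der)
    if sct_list is None:
        return {"has_sct_extension": False, "sct_count": 0}
    return {"has_sct_extension": True, "sct_count": count_scts(sct_list)}


# Constructed inputs: skeletal certificates holding only a serial and the extensions block.
def build_fake_cert(extensions):
    ext_seq = tlv(0x30, b"".join(extensions))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, ext_seq))
    return tlv(0x30, tbs)


def fake_sct_extension(num_scts):
    scts = [b"fake-sct-%d" % i for i in range(num_scts)]   # placeholder SCT blobs
    entries = b"".join(len(s).to_bytes(2, "big") + s for s in scts)
    sct_list = len(entries).to_bytes(2, "big") + entries
    return tlv(0x30, encode_oid(SCT_LIST_OID) + tlv(0x04, sct_list))


CERT_WITH_SCTS = build_fake_cert([fake_sct_extension(2)])
CERT_WITHOUT_SCTS = build_fake_cert([tlv(0x30, encode_oid("2.5.29.19") + tlv(0x04, b"\x30\x00"))])

if __name__ == "__main__":
    print(ct_extension_summary(CERT_WITH_SCTS))      # {'has_sct_extension': True, 'sct_count': 2}
    print(ct_extension_summary(CERT_WITHOUT_SCTS))   # {'has_sct_extension': False, 'sct_count': 0}
```

Presence of the extension is a necessary check, not a sufficient one: Chrome's policy also requires a minimum number of SCTs (which depends on the certificate's lifetime) from logs it recognises as qualified, and verifies each SCT's signature against the log's key. RFC 6962 also allows SCTs to be delivered in a TLS extension or a stapled OCSP response, so a certificate without the embedded extension can still reach the browser in a CT-compliant way; a complete audit has to look at the handshake, not just the certificate file.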
This policy comes as part of Google’s broader enforcement of HTTPS on the web. Examples include today’s launch of the .app domain, where HTTPS is the default, and Chrome’s ongoing work to mark more and more HTTP pages as “Not secure.”