Working together to detect maliciously or mistakenly issued certificates.

An ecosystem that makes the issuance of website certificates transparent and verifiable.

To the participants of the Certificate Transparency (CT) ecosystem, who give their time, expertise, and resources to help keep the web secure.

Thank you.

Certificates, encryption, and secure communication

Certificate Transparency (CT) sits within a wider ecosystem, the Web Public Key Infrastructure (Web PKI). Web PKI includes everything needed to issue and verify certificates used for TLS on the web. Certificates bind a public cryptographic key to a domain name, similar to how a passport brings together a person's photo and name.

Certificate Authorities (CAs) play an important role

Certificates are issued by CAs. Web PKI requires user agents and domain owners to trust that CAs are tying domains to the right domain owners. A user agent is something that acts on behalf of a user, usually a browser.

What if a CA can’t be trusted?

A CA that has been hacked, or that has been sloppy, can issue certificates for any website. The communication would still be technically encrypted, but there could be an attacker at the other end who could intercept the private data.

Who watches the watchers?

Historically, user agents determined if CAs were trustworthy through audits by credentialled third parties. But these tended to look at operational practices and historical performance rather than technical correctness. Such audits can’t catch everything. Before CT, there could be a significant time lag between a certificate being wrongly issued and a CA doing something about it.

That's where Certificate Transparency comes in.

Independent, reliable logs

CT depends on independent, reliable logs because it is a distributed ecosystem. Built using Merkle trees, logs are publicly verifiable, append-only, and tamper-proof.

Since 2013, 2,563,437,540 certificates have been logged

Logs are publicly available and monitored

Thanks to CT, domain owners, browsers, academics, and other interested people can analyse and monitor logs. They’re able to see which CAs have issued which certificates, when, and for which domains.

Protect the web by running a CT log

To help keep the web safe, CT needs numerous robust logs, run by different organizations, in different jurisdictions.

CT may have been started by engineers at Google, but it works because independent organizations set up and run monitors and logs. For the internet, and of the internet.

Find out more about how Certificate Transparency works.

Or get started by going to the GitHub page or joining the Google Group.