Our Story

Thank you to our amazing community

Certificate Transparency works thanks to the ecosystem of people and organizations who set up and run user agents, logs and monitors. Join us!

Our origin story

Certificate Transparency was a response to the 2011 attack on DigiNotar and other Certificate Authorities. These attacks showed that the lack of transparency in the way CAs operated was a significant risk to the Web Public Key Infrastructure. It led to the creation of this ambitious project to improve security online by bringing accountability to the system that protects HTTPS.

July 2011

DigiNotar Hack

An unknown attacker compromises DigiNotar, a Dutch CA, and issues rogue certificates for numerous domains. Over 500 fake certificates are detected. These certificates were used for man-in-the-middle attacks on traffic from Iran.

February 2012

TrustWave issues root certificate to a customer

U.S. Certificate Authority TrustWave provided subordinate root certificates to a customer that could have been used to create SSL certificates for nearly any domain on the Internet. CA missteps could lead to severe consequences.

September 2012

IETF works

The IETF accepts the Trans Working Group charter and begins work on the CT-related RFCs.

March 2013

First CT Log

Google launches their CT logs pre-populated with the certificates discovered by their web crawler.

June 2013

IETF RFC

The IETF publishes Certificate Transparency as RFC 6962.

September 2013

First third party log

DigiCert launches the first non-Google CT log to support the growth of the CT ecosystem.

May 2015

Chrome EV

Chrome announces that all EV certificates issued after January 1, 2015 will be required to be CT logged.

How we grew

Although CT provides desirable security benefits, no single organization could convince the entire Internet to adopt and benefit from it at once. Similarly, user agents could not begin requiring all websites to support CT at once due to the risk of breaking large numbers of websites. So the members of the CT ecosystem worked together to define the standards and to incrementally deploy and later enforce CT.

September 2015

crt.sh

crt.sh, a website offering a friendly environment to query Certificate Transparency logs, is launched.

December 2016

Facebook CT monitor

Facebook announces their Certificate Transparency Monitoring Tool, which allows website owners to monitor the issuance of certificates for domains they own.

March 2017

Comodo CT log

COMODO, a UK-based CA, announces its contribution of a CT log to support the CT ecosystem.

March 2018

CloudFlare Merkle Town

CloudFlare launches their Nimbus CT log and Merkle Town, a site making it easy to monitor the CT ecosystem's growth.

April 2018

Microsoft AD

Microsoft announces support for Certificate Transparency in Active Directory Certificate Services.

May 2019

Let's Encrypt CT monitor

Let’s Encrypt launches Oak, a free and open Certificate Transparency Log.

August 2019

CloudFlare CT monitor

CloudFlare launches a CT Log monitoring service to help customers detect misissued certificates for their domains.

December 2019

DigiCert CT monitor

DigiCert launches a CT Log monitoring service to help customers detect misissued certificates for their domains.

Our Successes

The Certificate Transparency ecosystem has effectively monitored and fixed certificate anomalies since 2013. The CT ecosystem works as designed and provides meaningful protection to users.

Products are being launched that help website administrators use CT to protect their brands and their users, and to detect and respond when the CT ecosystem itself is not working as intended. This work is performed by a community and continues today, making the internet safer for everyone.

April 2016

Facebook polices certificates internally

Facebook announces that CT helped it detect an internal policy violation and advocates for CT being required not only for EV certificates, but for all certificates issued by CAs.

May 2016

Izenpe reuses production keys

It is discovered that Izenpe, a Spanish CA and log operator, reused their production CT log signing key for test/development purposes and had inadvertently produced a split view of their log. As a result, they are ultimately disqualified as a log operator.

July 2017

WoSign backdates certificates

CT shows that Chinese CA WoSign/StartCom has backdated certificates; it would later be distrusted.

September 2017

Symantec misissuance detected

CT shows that US CA Symantec has misissued thousands of certificates. Ultimately all major platforms will distrust Symantec.

May 2018

Chrome enforces CT for new TLS certificates

In version 68, Chrome began enforcing that all TLS server certificates issued after April 30, 2018 comply with the Chromium CT Policy in order to be trusted. Main page connections served over a non-compliant connection began to display a full page warning, and sub-resources served over a non-compliant connection stopped loading.

October 2018

Apple enforces CT

All TLS certificates issued after October 15, 2018 must meet Apple’s Certificate Transparency (CT) policy in order to be trusted on Apple platforms.

May 2019

Certinomis misissuance

Certinomis, a French CA, is found to have misissued numerous certificates and is distrusted.