Definition

Certificate Transparency (CT) is an Internet Engineering Task Force (IETF) standard (RFC 6962, updated by RFC 9162) that creates a publicly auditable, append-only log of all TLS/SSL certificates issued by participating Certificate Authorities (CAs). Every certificate issued for a public domain must be submitted to one or more CT logs before browsers will trust it. The logs are cryptographically structured using Merkle trees, making it impossible to retroactively insert, delete, or modify log entries without detection.

CT was developed by Google engineers Ben Laurie and Adam Langley after the 2011 DigiNotar breach, in which attackers obtained fraudulent certificates for google.com, yahoo.com, and over 500 other domains—certificates that the existing CA system accepted as legitimate.

Why It Matters

Before Certificate Transparency, the only way to detect a fraudulently issued certificate was to encounter it in the wild—by which point it could have been used for months to intercept encrypted traffic via man-in-the-middle attacks. The DigiNotar breach demonstrated that a single compromised CA could undermine the trust model of the entire web. Symantec, one of the world’s largest CAs, was ultimately distrusted by Chrome in 2018 after issuing over 30,000 certificates that violated industry baseline requirements.

As of 2024, CT logs contain records of over 10 billion certificates. Google Chrome, Apple Safari, and all major browsers require CT compliance for new certificates—meaning any TLS certificate issued without CT log submission will trigger a browser warning. This transformed certificate issuance from a private transaction between a CA and a domain owner into a publicly observable, independently auditable event.

For domain owners, CT provides a monitoring channel: by watching CT logs for certificates issued to their domains, they can detect unauthorized certificates within minutes rather than months. Services like Facebook’s CT monitoring, Censys, and crt.sh make CT log data searchable and queryable.

How It Works

Certificate Transparency operates through three interlocking components:

  1. CT Logs: Append-only, cryptographically verifiable logs operated by Google, Cloudflare, DigiCert, and other organizations. When a CA issues a certificate, it submits the pre-certificate to one or more logs. The log returns a Signed Certificate Timestamp (SCT)—a cryptographic promise that the certificate will be included in the log within a maximum merge delay (typically 24 hours).

  2. Monitors: Services that watch CT logs for new entries. Domain owners use monitors to detect certificates issued for their domains that they did not request. Research organizations use monitors to study issuance patterns, CA behavior, and the overall health of the PKI ecosystem.

  3. Auditors: Verification agents that check the cryptographic integrity of CT logs themselves, ensuring that logs are append-only and that no entries have been silently removed or modified. Auditors verify Merkle tree consistency proofs—confirming that the current log state includes all previously observed entries.

Browsers enforce CT by requiring that certificates presented during TLS handshakes come with one or more valid SCTs, delivered in one of three ways: embedded in the certificate itself, sent in a TLS extension during the handshake, or carried in a stapled OCSP response.
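As an added example (not part of the original article or any log operator's code), here is the append-only check an auditor performs against two Signed Tree Heads, written in Python from the Merkle Tree Hash and consistency-proof definitions in RFC 6962 section 2.1. It also includes the log's side (generating the proof) so both halves can be exercised together; the leaf inputs fed to it are constructed stand-ins for log entries.

```python
import hashlib

def leaf_hash(data):                 # RFC 6962 leaf: SHA-256(0x00 || input)
    return hashlib.sha256(b"\x00" + data).digest()
def node_hash(left, right):          # RFC 6962 node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()
def split_point(n):                  # largest power of two strictly smaller than n
    return n // 2 if n & (n - 1) == 0 else 1 << (n.bit_length() - 1)

def mth(leaves):                     # Merkle Tree Hash of an ordered list of leaf inputs
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split_point(len(leaves))
    return node_hash(mth(leaves[:k]), mth(leaves[k:]))

def consistency_proof(m, leaves, known=True):
    """SUBPROOF(m, D[n], known) from RFC 6962 s2.1.2: what the log hands to an auditor."""
    n = len(leaves)
    if m == n:
        return [] if known else [mth(leaves)]
    k = split_point(n)
    if m <= k:
        return consistency_proof(m, leaves[:k], known) + [mth(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [mth(leaves[:k])]

def _roots(m, n, old_root, proof, known):
    """Replay the proof in SUBPROOF order; return the (old, new) roots it implies."""
    if m == n:                                   # subtree lies entirely in the old tree
        if known and not proof:                  # its hash is the old root itself
            return old_root, old_root
        if not known and len(proof) == 1:        # its hash is carried in the proof
            return proof[0], proof[0]
        raise ValueError("malformed proof")
    k = split_point(n)
    if m <= k:                                   # old tree fits in the left subtree
        old, new = _roots(m, k, old_root, proof[:-1], known)
        return old, node_hash(new, proof[-1])
    old, new = _roots(m - k, n - k, old_root, proof[:-1], False)  # old tree straddles k
    return node_hash(proof[-1], old), node_hash(proof[-1], new)

def verify_consistency(m, n, old_root, new_root, proof):   # auditor's append-only check
    if not 0 < m <= n:
        return False
    try:
        old, new = _roots(m, n, old_root, proof, True)
    except (ValueError, IndexError):
        return False
    return old == old_root and new == new_root
```

Seven leaves reproduce the worked tree in RFC 6962: the proof from size 3 to size 7 is the four hashes [c, d, g, l] described there. If the log operator alters an entry that was already covered by the old tree head, the old root reconstructed from the proof no longer matches the root the auditor recorded, and the check returns False.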

Stealth Cloud Relevance

Stealth Cloud operates across Cloudflare’s global edge network, which is itself one of the largest CT log operators. Every TLS certificate used by Stealth Cloud’s domains (stealthcloud.ai, api.stealthcloud.ai) is logged in public CT logs, meaning any misissued certificate for these domains would be detectable by any third party monitoring the logs.

This aligns with Stealth Cloud’s zero-trust principles: rather than asking users to trust that the domain’s TLS certificates are legitimate, CT ensures that the legitimacy of every certificate is publicly verifiable. Users and independent auditors can monitor CT logs for any unauthorized certificates issued for Stealth Cloud domains—a transparency mechanism that operates entirely outside Stealth Cloud’s control, which is precisely the point.

The Stealth Cloud Perspective

Certificate Transparency embodies a principle Stealth Cloud applies everywhere: verifiability should not depend on trusting the entity being verified. CT logs exist so that domain owners do not need to trust their CAs. Stealth Cloud exists so that users do not need to trust their cloud provider. The pattern is the same: make the proof public, and let the math enforce honesty.