Security – Is it possible to disable Certificate Transparency (audit log checking) of certificates in Chrome

Tags: certificate-authority, google-chrome, security, ssl-certificate

We utilize HTTPS deep packet inspection in our firewall via a trusted root certificate in the Windows certificate store. Chrome recently pushed forward with a feature to perform additional checks on certificate issuance called Certificate Transparency, where each certificate used (that was issued after a certain date) is checked against a known good list of CAs.

The use of HTTPS deep packet inspection (aka HTTPS proxying/offloading/MiTM) now causes Chrome to error as per this example.

Is it possible to disable the sole feature of audit log checking in Chrome?

Update in response to womble's answer.

This update is wrong. Womble's answer is correct, see below.

This is what I originally thought, but it clearly isn't.

Here are screenshots of overly righteous Chrome:

No MiTM: [screenshot]

MiTM: [screenshot]

It does appear that it is directly related to cert transparency/audit log checking and not the use of SHA-1 and upcoming deprecation in nanny Chrome. Worth noting that our internal CA cert does expire after 2017.

Update 2, womble is right:

Thanks to womble's answer, I re-reviewed the notice from the Chrome team, and noticed any site with a cert with an expiration 2017+ that uses SHA-1 will get the "affirmatively insecure" warning (the crossed out red lock icon).

To prove my MiTM/proxy is the culprit, I used a salesforce test site (located via ducking a KB article).

No MiTM: [screenshot]

MiTM: [screenshot]

*Note that even with no MiTM Chrome detects this site as "secure, but with minor errors" (that yellow icon) because the cert expires within the 2016 calendar year, not 2017+.

My proxy/MiTM is downgrading the algo from SHA-256 to SHA-1. Tsk Tsk!
Chrome is acting exactly as intended according to the notice, and I do not believe my users will receive "affirmatively insecure" notifications once I resolve this issue with the MiTM/proxy.

Thanks!

Update 3:
Remember to check firmware updates/release notes… SHA-256 now supported. Update slated Friday. Should be a-okay.

Best Answer

Assuming that the example you're pointing to is actually the one about "The site is using outdated security settings", and not "does not have public audit records", about 99.99% sure that your problem isn't CT, for several reasons:

  • It is my understanding that only CA certificates in the system trust store are subject to CT validation; locally-managed CA certificates don't require CT treatment (for pretty much exactly the reason you've got).
  • Failing CT validation only matters for EV certificates at the present time, and the only negative impact is that the certificate loses the EV "green bar" treatment.

The error about "using outdated security settings" actually means that your MitM proxy is issuing SHA-1-based certificates with expiry dates in the far future, which probably isn't such a winning idea.
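A quick way to confirm this diagnosis yourself is to pull the leaf certificate once directly and once through the inspecting proxy (`openssl s_client -connect host:443 </dev/null | openssl x509 -noout -text`) and compare the signature hash and expiry against the SHA-1 sunset rule the question quotes. The script below is an added example, not code from the question or the answer; the two certificate dumps are constructed samples in `openssl x509 -text` format, and the verdict function encodes only the rule as this page states it (SHA-1 expiring in 2017 or later is "affirmatively insecure", SHA-1 expiring during 2016 is "secure, but with minor errors").

```python
import re
from datetime import datetime

# Constructed samples (not real output): the relevant lines of `openssl x509 -noout -text`
# for the test site fetched directly, and for the certificate the inspecting proxy
# re-issues under its own CA on the way to the browser.
DIRECT = """\
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C = US, O = Example Public CA, CN = Example Public CA G2
    Validity
        Not After : Dec 31 23:59:59 2016 GMT
"""
PROXIED = """\
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: O = Corp, CN = Corp Firewall Inspection CA
    Validity
        Not After : Dec 31 23:59:59 2019 GMT
"""

def parse_cert_text(text):
    """Extract the signature algorithm and notAfter date from `openssl x509 -text` output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    raw = re.search(r"Not After\s*:\s*(.+)", text).group(1)
    # openssl pads single-digit days with a space ("Jan  1"), so normalise whitespace first
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z")
    return sig, not_after

def chrome_sha1_verdict(sig, not_after):
    """Chrome's SHA-1 sunset rule as described in the question (Chrome 41 era):
    SHA-1 expiring 2017+ -> red crossed-out lock; SHA-1 expiring in 2016 -> yellow icon."""
    if not sig.lower().startswith("sha1"):
        return "no SHA-1 warning"
    if not_after.year >= 2017:
        return "affirmatively insecure"
    if not_after.year == 2016:
        return "secure, but with minor errors"
    return "no SHA-1 warning"

def compare_chains(direct_text, proxied_text):
    """Report what Chrome shows with and without the proxy, and what the proxy changed."""
    d_sig, d_exp = parse_cert_text(direct_text)
    p_sig, p_exp = parse_cert_text(proxied_text)
    return {
        "direct": chrome_sha1_verdict(d_sig, d_exp),
        "proxied": chrome_sha1_verdict(p_sig, p_exp),
        "proxy_introduced_sha1": p_sig.lower().startswith("sha1") and not d_sig.lower().startswith("sha1"),
        "proxy_extended_expiry": p_exp > d_exp,
    }
```

Modern Chrome no longer accepts SHA-1 signatures at all, so the fix the asker reached (a proxy that signs with SHA-256) is the only durable one.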