[German]Google has released the Google Chrome 101.0.4951.54 update for Windows and Mac on the desktop in the Stable Channel as of May 2, 2022 (see Chrome 101.0.4951.54 fixes GPO bug). This build does fix the Group Policy issue (see comments on the post Chrome 101.0.4951.41 fixes 30 Vulnerabilities – but has a GPO bug). But version 101.0.4951.54 has a problem with some certificates. Users got an ERR_CERTIFICATE_TRANSPARENCY_REQUIRE visiting some web sites. In the meantime, however, this error should be fixed now.
Reports about certificate errors
German blog reader Constantin L. contacted my yesterday per email (thanks for pointing it out). On reddit.com a user reported this with the following post.
All of the sudden seeing Chrome error. ERR_CERTIFICATE_TRANSPARENCY_REQUIRE
We started running in to this on chrome Version 100.0.4896.127 (Official Build) (64-bit) but it persists with Version 101.0.4951.54 (Official Build) (64-bit). Also saw a tweet with a similar issue just come up. Is anyone else seeing this issue?
Here is the tweet mentioned, and more users confirming the error on Twitter.
Also in the Reddit thread, users confirm that they see certificate errors. Occurs for example on websites like bitbucker.com, pluralsight.com, etc. In the Google bug tracker, there is the entry Issue 1321874: SSL Transparency errors after Chrome updated to latest version from May 2, 2022, which addresses the certificate error. Another bug report can be found here.
Google withdraws policy
In this post, Chromium developers had already announced in early April 2022 that they would be disabling various Google CT logs (certificate logs) starting May 1, 2022. The document describes the implications of this disabling of certain logs. Meanwhile, issue 1321874 is on fixed. A project member of the Chromium team posted the following about it:
Thank you for bringing this to our attention, and my apologies for the erroneous warnings. We have temporarily reverted this policy change, and it should no longer be impacting users.
However, if you operate a site that was impacted, we encourage you to replace your certificates with newly-issued ones to prevent recurrence of this issue in the future.
I've posted additional details to Chromium's ct-policy@ mailing list here:
We will share additional information and next steps as soon as we're able to do so.
The mailing list states under "Temporary rollback of recent Google log retirements" that after the announced elimination of non-time-split logs, Google became aware of a number of certificates that no longer complied with Chrome's CT policy. This resulted in TLS errors for Chrome users when visiting websites that used these certificates.
To temporarily mitigate this issue, Chrome is switching the affected protocols to ReadOnly, effective immediately. The list of protocols and further details are described in the mailing list entry. The certificate errors should therefore no longer occur in the Chrome browser.
Cookies helps to fund this blog: Cookie settings