Certificate Transparency offers several benefits that competing technologies do not. These benefits are mainly aimed at certificate authorities, domain owners, and server operators, but they also affect individual users.
Google currently operates a Certificate Transparency log, and we are filling the log with certificates that we retrieve while crawling the web. The log’s base URL is https://ct.googleapis.com/pilot (note that you can’t browse this URL; it doesn’t serve web pages). We are also actively working on monitoring and auditing software, which you can find at https://code.google.com/p/certificate-transparency/.
Also, we are currently working on a version of Chrome that will check for Certificate Transparency SCTs, and we are making changes to our own services so they offer certificates with Certificate Transparency SCTs. Of course, any browser that adopts Certificate Transparency early on won't be able to block connections where no SCTs are offered, and in the early days of Certificate Transparency, almost no servers will offer SCTs. So at some point, Chrome will be updated to display warnings before establishing a secure connection without an SCT. As more CAs and browsers adopt Certificate Transparency, Chrome's default behavior will be modified again so it refuses to connect to any site that doesn't return a valid SCT with a certificate, though users may be able to change this. We hope that other browser vendors will follow a similar path.
The beauty of this system is that it does not need to be adopted by all browsers or users to work. Once an appreciable fraction of Internet users participate in Certificate Transparency, rogue CAs will be easy to detect and remove from all browsers' roots of trust. Certificate Transparency represents a kind of "herd immunity" for the whole Internet: once it's easy to spot cheating CAs, everyone benefits, even those who don't participate in the system.
What’s more, in a typical Certificate Transparency configuration, there is no impact on domain owners or server operators: the TLS handshake from the server side is unchanged. However, domain owners now have the ability to monitor their certificates to be sure no other certificates have been issued for their domains or servers.
Note: Some Certificate Transparency configurations require a server modification. See How Certificate Transparency Works for more information.
What makes this possible is the framework's public auditing and public monitoring features, the "transparency" part of Certificate Transparency. Because the SSL certificate system is opened to near real-time scrutiny, mistakes and malicious behavior become difficult (if not impossible) to cover up or conceal. In short, the types of problems that required drastic mitigation measures in the past can now be quickly detected and mitigated through simple certificate revocation procedures.