
Google creates list of untrusted certificate authorities


Google has stepped up its fight against rogue digital certificate suppliers with the publication of a list of certificate authorities (CAs) not trusted by browsers.

The new log, dubbed Submariner, is part of Google's Certificate Transparency (CT) logging system and was announced by the firm in a blog post. It said the log has a number of different uses, including protecting users from mis-issued certificates and providing webmasters and other interested parties with a public record of which certificates have been issued for their domains.

The system brings together CAs that were trusted at one point but have been withdrawn from root programs as well as CAs that are working towards being trusted.

“Including these in trusted logs is problematic for several reasons, including uncertainties around revocation policies and the possibility of cross-signing attacks being attempted by malicious third parties,” said Martin Smith, a software engineer with Google's Certificate Transparency team.

It said that the list can be used as a public record of certificates that are not accepted by the existing Google-operated logs.

Google added that the visibility of these CAs' activities is still useful, and has created a new CT log for these certificates. “This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs,” said Smith.
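The security property the article keeps returning to, a public record that anyone can audit, comes from the log's data structure: an append-only Merkle hash tree as specified in RFC 6962, where the log publishes a tree head and can hand out a short inclusion proof for any entry. The following is an added example written for this page, not code from Google or from any CT log implementation; the log entries are constructed byte strings standing in for certificates, and the functions `tree_head`, `audit_path`, `verify_inclusion` and `unexpected_entries` are this example's own names. It shows how a relying party verifies that an entry really is in the published record, and how a domain owner can compare that record against the certificates they know they requested.

```python
"""RFC 6962-style Merkle tree: how a CT log turns a list of entries into a
verifiable public record. Added example; not a CT log's own code."""
import hashlib
from typing import List, Set

# Constructed sample entries standing in for DER certificates in a log.
ENTRIES = [
    b"CN=example.com;serial=01",
    b"CN=example.com;serial=02",
    b"CN=mail.example.com;serial=03",
    b"CN=other.test;serial=04",
    b"CN=example.com;serial=99;issuer=unknown",  # the one the owner never asked for
]


def leaf_hash(leaf: bytes) -> bytes:
    # Leaves are domain-separated with a 0x00 prefix (RFC 6962 section 2.1).
    return hashlib.sha256(b"\x00" + leaf).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use a 0x01 prefix so a leaf can never masquerade as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2), as in RFC 6962 MTH.
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(leaves: List[bytes]) -> bytes:
    """Merkle Tree Hash over the first len(leaves) entries (the signed tree head's root)."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))


def audit_path(index: int, leaves: List[bytes]) -> List[bytes]:
    """Inclusion proof (sibling hashes, leaf to root) for leaves[index]."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return audit_path(index, leaves[:k]) + [tree_head(leaves[k:])]
    return audit_path(index - k, leaves[k:]) + [tree_head(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2) that `leaf` sits at
    `index` in a tree of `tree_size` entries whose head is `root`."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False  # more proof nodes than the tree shape allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # we are a right child; sibling is on the left
            if not fn & 1:
                # Skip levels where the node is the sole (right-most) child.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # we are a left child; sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def unexpected_entries(entries: List[bytes], subject_prefix: bytes,
                       known: Set[bytes]) -> List[bytes]:
    """What a domain owner does with the public record: list every logged
    entry for their subject that they did not themselves request."""
    return [e for e in entries if e.startswith(subject_prefix) and e not in known]


if __name__ == "__main__":
    root = tree_head(ENTRIES)
    for i, entry in enumerate(ENTRIES):
        ok = verify_inclusion(entry, i, len(ENTRIES), audit_path(i, ENTRIES), root)
        print(f"entry {i} included: {ok}")
    owner_knows = {ENTRIES[0], ENTRIES[1]}
    print("unexpected:", unexpected_entries(ENTRIES, b"CN=example.com;", owner_knows))
```

Because every proof hashes up to the same published root, a log cannot show one party a record that omits an entry while showing another party a record that contains it, without producing two different tree heads; that contradiction is exactly what monitors look for. A log being accepted into a browser's trusted set, the property Submariner deliberately lacks, is a separate policy decision layered on top of this verifiability.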

The list will initially include certificates chaining up to the set of root certificates that Symantec recently announced it had discontinued, as well as a collection of additional roots suggested to the firm that are pending inclusion in Mozilla's root program.

“Once Symantec's affected certificates are no longer trusted by browsers, we will be withdrawing them from the trusted roots accepted by our existing logs (Aviator, Pilot, and Rocketeer),” said Smith.

Google said that third parties are invited to suggest additional roots for potential inclusion in the new log. “Everyone is welcome to make use of the log to submit certificates and query data. We hope it will prove useful and help to improve web security,” added Smith.

Justin Harvey, CSO at Fidelis Cybersecurity, told SC that it is possible that this would help in changing people's behaviour if they are used to clicking through warnings.

“But as we've seen in the past, the cyber-security unaware public have a habit of clicking on things they shouldn't. Chrome does a good job of warning users about the risks of doing something dangerous,” he said.

“Prior to this update, Chrome has never had a black list of certificates, just a white list. Now Google can flag and stop users from accessing dangerous sites that use specific SSL certs,” he added.

Brian Spector, CEO at MIRACL, told SC that it is great to see Google making such efforts to protect users.

“But despite their best intentions, this latest initiative is basically an attempt to patch a problem that can't be patched. The problem is architectural – it's based on outdated public key infrastructure that creates a single point of compromise on the internet. The best thing to do is start over with a new system which distributes trust across multiple points. If we do nothing, fake certificates will destroy the trust architecture on the Internet, and once trust is gone, you can't get it back,” he said.
