Google Shoring Up SSL Certificates After Comodo Attack
Google April 1 took steps to protect SSL certificates for the public key infrastructure in the wake of the Comodo Security attacks.Google is working on two security projects to improve the public key infrastructure, which was rocked by the Comodo digital certificate spoofing incident late last month. A lone hacker infiltrated Comodo Security's root authority system, logging in and issuing digital certificates to Websites owned by Microsoft, Google, Yahoo, Skype and Mozilla.
The attacker obtained the user name and password of a Comodo trusted partner in Southern Europe who was authorized to perform primary validation of certificate requests. The certificates were revoked immediately and Comodo has not noticed any attempts to use the certificates.
Google said it will offer its Certificates Catalog database freely for anyone to use. Google's second SSL-securing project, the DANE Working Group at the IETF, is intended to allow domain operators to publish information about SSL certificates used on their hosts. "It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts," said Google security team member Ben Laurie. "If a certificate is seen that isn't consistent with the DANE records, it should be treated with suspicion." Laurie noted that while the Google Certificate Catalog and DANE project rely on the relatively insecure DNA, the company is working on DNSSEC, which encrypts DNS records to shield them from the type of forgery and modification Comodo attack employed. DANE requires every domain to be able to use DNSSEC. Google is also figuring out how to use DNSSEC for the Certificate Catalog before the DNSSEC infrastructure is ready.