Digital certificates are a key component of the modern Internet security. Browsers use them to authenticate Websites and to encrypt communications between client devices and Web servers for everything from high-value banking transactions to email.
The certificates are supposed to assure users that Websites are bonafide and safe to visit rather than malicious sites created to distribute malware to the unwary.
However, cyber-criminals can use a compromised certificate, or one that has been wrongly issued, to impersonate a legitimate site, giving it the ability to hijack traffic or to carry out other devastating cyber-attacks.
This is why Google has been among the most vocal proponents in the industry for tighter standards and controls for issuing digital certificates, revoking them and for managing them over their entire lifecycle.
The company’s Certificate Transparency project aims to address certificate-related threats by enabling greater scrutiny of the certificate issuance and maintenance process by web domain owners, domain users and certificate authorities.
The company this week took another step towards improved certificate security with a new Certificate Transparency log for a certain class of root certificates.
The log, dubbed Submariner, is designed to act as a public record of root certificates issued by certificate authorities (CAs) that were once trusted but now withdrawn from root programs. It also includes roots issued by CA’s that are not yet trusted by browsers, Martin Smith, software engineer with Certificate Transparency, wrote in a blog post this week.
A CA is a trusted entity that issues digital certificates to verify or authenticate identity on the Internet.
Google’s initial Certificate Transparency logs included a list of all browser-trusted Certificate Authorities (CAs). But it did not include CA's that were no longer trusted to issue root certificates because of inconsistent certificate revocation processes, a history of certificate security breaches and other issues. Earlier transparency logs also did not have a provision for certificates issued by new CAs.
Google's new log released this week is designed to address this shortcoming.
"Visibility of these CAs' activities is still useful, so we have created a new CT log for these certificates," Smith said. "This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs."
Initially, Submariner will include a set of root certificates that Symantec had recently discontinued. It will also include a collection of certificates that are waiting to be included in Mozilla's list of trusted CAs. In addition, Google is inviting other third parties to suggest certificates for inclusion in its Submariner log.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, called the move a significant step by Google.
"Cryptographic keys and digital certificates are powerful and provide the foundations of online trust and cyber-security," he said in a statement. By design, web servers and applications implicitly trust these certificates for authentication purposes. If the certificates are not managed properly they can be misused by cyber-criminals to impersonate their targets and to execute attacks.
"As we move to an increasingly connected IoT world…the number of certificates being issued is exploding," Bocek said. The trend is making it more challenging to know which certificates to trust, he said. "Hackers are waiting to profit from the chaos," Bocek said.
"Certificate reputation is therefore increasingly important, for businesses and consumers alike."