Google Shoring Up SSL Certificates After Comodo Attack

Google April 1 took steps to protect SSL certificates for the public key infrastructure in the wake of the Comodo Security attacks.

Google is working on two security projects to improve the public key infrastructure, which was rocked by the Comodo digital certificate spoofing incident late last month.

A lone hacker infiltrated Comodo Security's root authority system, logging in and issuing digital certificates to Websites owned by Microsoft, Google, Yahoo, Skype and Mozilla.

The attacker obtained the user name and password of a Comodo trusted partner in Southern Europe who was authorized to perform primary validation of certificate requests. The certificates were revoked immediately and Comodo has not noticed any attempts to use the certificates.

Google, which upgraded its Chrome Web browser with two reissued and blacklisted SSL (Secure Sockets Layer) certificates to protect against the Comodo attack, launched the Google Certificate Catalog and the DNS-based Authentication of Named Entities (DANE) Working Group at the Internet Engineering Task Force (IETF) April 1.

The Google Certificate Catalog is a database of all of the SSL certificates Google's Web crawlers record in the DNS for the company's search engine and Web services.

In order for the SHA-1 hash of a certificate to appear in Google's database, it must be correctly signed and have the domain name that matches the one used to retrieve the certificate.

If a certificate doesn't appear in Google's database, then there may be something suspicious about that certificate, even if it is correctly signed and has a matching domain name.

Google said it will offer its Certificates Catalog database freely for anyone to use.

Google's second SSL-securing project, the DANE Working Group at the IETF, is intended to allow domain operators to publish information about SSL certificates used on their hosts.

"It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts," said Google security team member Ben Laurie. "If a certificate is seen that isn't consistent with the DANE records, it should be treated with suspicion."

Laurie noted that while the Google Certificate Catalog and DANE project rely on the relatively insecure DNA, the company is working on DNSSEC, which encrypts DNS records to shield them from the type of forgery and modification Comodo attack employed. DANE requires every domain to be able to use DNSSEC.

Google is also figuring out how to use DNSSEC for the Certificate Catalog before the DNSSEC infrastructure is ready.