
Google builds list of untrusted digital certificate suppliers

April 5, 2016 | By Editor 

Untrusted Certificate Authorities on Google Hit List

Not all SSL certificates are the same. Some certificates have been issued without proper verification, and this has duped users into thinking that the website they visited was genuine.

When a company needs an SSL certificate it approaches a Certificate Authority (CA). The CA validates the domain and the company to determine their authenticity, and only then issues the certificate. Browsers trust these certificates, and on that basis users believe that the website they are visiting is genuine. Cyber criminals nonetheless seem to have obtained certificates even from reputed CAs.

Mis-issued SSL Certificates

Recently, Symantec mis-issued Extended Validation (EV) pre-certificates for the google.com and www.google.com domains. Google has stated that these certificates were issued without its request or authorization. Such a mis-issuance would have enabled cyber criminals to impersonate Google's HTTPS-protected pages.

Google had earlier developed a tool called Certificate Transparency (CT) as part of its effort to keep SSL certificates trustworthy. It was while expanding the tool's capabilities that its engineers discovered the mis-issued certificates.

New Certificate Transparency (CT) log

Google tracks deployed certificates to find out whether they are trusted. It has now deployed a new Certificate Transparency (CT) log for root certificates, covering both roots that browsers previously trusted and roots that are not yet trusted.

CT provides a public record of the certificates that have been issued for a given domain, so webmasters can see exactly which certificates have been issued in their domain's name. This helps protect users from mis-issued certificates.

Previously, Google's CT logs accepted only certificates chaining to browser-trusted CAs. In the new log Google has added CAs that are in the process of being added to the browser trusted roots, and CAs that had been trusted previously but were later withdrawn. Adding these earlier had been difficult because of the possibility of malicious cross-signing attacks. Chrome does not presently trust this list. Furthermore, the log publicly lists the certificates that Google will not accept.

Google's new log is at ct.googleapis.com/submariner. Symantec has discontinued certain root certificates, and these will be removed from Google's trusted roots once browsers stop trusting them. The updated log will list the certificates that browsers do not trust or do not yet trust.

Google has invited third parties to suggest additional roots for the list. Suggestions are to be sent to google-ct-logs@googlegroups.com.

The public is also invited to query the log for data, as well as to submit certificates.

This is an attempt by Google to enhance web security, and the endeavor has received mixed reviews. Dodgy certificates could still exist, so users should be cautious and access websites whose SSL certificates come only from reputed CAs such as Comodo, Symantec and other established companies.
