Google has taken steps to improve transparency around potentially untrustworthy certificates, by announcing an extension to its Certificate Transparency initiative.
The web giant revealed that it would be creating a new log specifically for CAs that were once trusted and have since been withdrawn from the root programs, and for new CAs “that are on the path to inclusion in browser trusted roots.”
It said that this additional data should help protect users from mis-issued certificates and provide any interested stakeholders with a public record of which certs have been issued for which domains.
Google is inviting third parties to suggest additional roots for inclusion in the new log, dubbed “Submariner,” by emailing firstname.lastname@example.org.
“This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs,” Google software engineer Martin Smith said in a blog post.
“The new log is accessible at ct.googleapis.com/submariner and is listed on our Known Logs page. It has the same API as the existing logs.”
First up for inclusion in Submariner will be the certificates “chaining up to the set of root certificates that Symantec recently announced it had discontinued,” as well as some roots pending inclusion in Mozilla.
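Since Submariner exposes the same RFC 6962 API as the other Google logs, a client can fetch its signed tree head and entries and check, offline, that a given certificate is really included in the tree. The following is an added example, not code from the article or from Google; it builds the endpoint URLs from the base URL quoted above, serializes an RFC 6962 `MerkleTreeLeaf` for a constructed (fake) certificate, and verifies an inclusion proof with the RFC 9162 algorithm. The certificate bytes and timestamps are constructed sample data, and no network request is made.

```python
"""Added example (not from the article or Google): RFC 6962 log API URLs and
offline Merkle inclusion-proof verification against a constructed tree."""
import hashlib

# Base URL quoted in the article; endpoint paths are from RFC 6962 section 4.
SUBMARINER_BASE = "https://ct.googleapis.com/submariner"


def ct_url(endpoint: str, **params) -> str:
    """Build the request URL for an RFC 6962 endpoint such as get-sth or get-entries."""
    url = f"{SUBMARINER_BASE}/ct/v1/{endpoint}"
    if params:
        url += "?" + "&".join(f"{k}={v}" for k, v in params.items())
    return url


def merkle_tree_leaf(timestamp_ms: int, cert_der: bytes) -> bytes:
    """Serialize an x509_entry MerkleTreeLeaf (RFC 6962 section 3.4):
    version=0, leaf_type=timestamped_entry, 64-bit timestamp, entry_type=x509_entry,
    3-byte-length-prefixed certificate, 2-byte-length-prefixed (empty) extensions."""
    return (bytes([0, 0]) + timestamp_ms.to_bytes(8, "big") + (0).to_bytes(2, "big")
            + len(cert_der).to_bytes(3, "big") + cert_der + (0).to_bytes(2, "big"))


def leaf_hash(leaf_input: bytes) -> bytes:
    """Leaf hash: SHA-256 over a 0x00 domain-separation byte and the leaf input."""
    return hashlib.sha256(b"\x00" + leaf_input).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior node hash: SHA-256 over a 0x01 byte and both child hashes."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves) -> bytes:
    """Merkle Tree Hash of a list of leaf inputs; this is the STH's root hash."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(leaves, index: int):
    """Sibling hashes from leaf `index` to the root, as get-proof-by-hash returns them."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return audit_path(leaves[:k], index) + [merkle_root(leaves[k:])]
    return audit_path(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf_input: bytes, index: int, tree_size: int, path, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (RFC 9162 section 2.1.3.2).
    A client compares the result with the root_hash of a signed tree head."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf_input)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:      # leaf/subtree is a right child or the lone node at this level
            r = node_hash(p, r)
            if not fn & 1:          # skip levels where the subtree was promoted unchanged
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


if __name__ == "__main__":
    # Constructed sample entries; real leaf_input values come from get-entries.
    leaves = [merkle_tree_leaf(1_456_000_000_000 + i, b"constructed-cert-%d" % i) for i in range(5)]
    root = merkle_root(leaves)
    print(ct_url("get-sth"))
    print(ct_url("get-entries", start=0, end=4))
    for i, leaf in enumerate(leaves):
        print(i, verify_inclusion(leaf, i, len(leaves), audit_path(leaves, i), root))
```

The tree size and root hash a real client would compare against come from `get-sth`, and the sibling hashes from `get-proof-by-hash`; a mismatch means the log is not presenting a consistent view of its entries.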
The move was welcomed by industry experts.
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, argued that it’s a significant step by Google, given that cyber-criminals are increasingly abusing the blind trust put in certificates by organizations, “so they can appear trusted and monitor and impersonate their targets to execute attacks and steal data.”
“As we move to an increasingly connected IoT world, with new agile development methods, the number of certificates being issued is exploding,” he added. “This is making the challenge of knowing what can and can’t be trusted even more obscure and hackers are waiting to profit from the chaos. Certificate reputation is therefore increasingly important, for businesses and consumers alike.”
Brian Spector, CEO at MIRACL, argued that while the move was welcome, it’s an attempt to fix a problem that can’t be fixed.
“The problem is architectural – it’s based on outdated public key infrastructure that creates a single point of compromise on the internet,” he said. “The best thing to do is start over with a new system which distributes trust across multiple points. If we do nothing, fake certificates will destroy the trust architecture on the internet, and once trust is gone, you can’t get it back.”