Google to Implement 5-Year Limit on Digital Certificates

Google is looking to comply with the Baseline Requirements from the Certificate Authority/Browser Forum, which lays out a list of best practices for implementing digital certificates

The search giant is looking to comply with the Baseline Requirements from the Certificate Authority/Browser Forum, which lays out a list of best practices for implementing digital certificates.

“As a result of further analysis of available, publicly discoverable certificates, as well as the vibrant discussion among the CA/B Forum membership, we have decided to implement further programmatic checks in Google Chrome and the Chromium Browser in order to ensure Baseline Requirements compliance,” the company posted in the CA/B Forum.

Most notably, those checks will revolve around validity capping, which will begin a process of standard refresh periods for CA-issued certificates.

“By reducing the window of trust established, Google has acknowledged that certificates are first and foremost security instruments that are now under attack,” said Jeff Hudson, CEO of Venafi, in an emailed comment to Infosecurity. “As a result, industry standards are being suggested to renew the certificates more frequently to better protect against the quickly evolving threat landscape.”

That will be the policy starting in early 2014, when the Chromium repository will begin to reject as invalid any and all certificates that have been issued after the Baseline Requirements effective date of July 1, 2012, and which have a validity period exceeding the specified maximum of 60 months. The changes will then appear in Dev and Beta releases, with changes made in a Chrome Stable release within the first quarter of next year.
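The rule described above, worked through as an added example (not Chromium's or Google's code): a certificate whose notBefore falls on or after the Baseline Requirements effective date is rejected when its validity period exceeds 60 months. The month arithmetic (clamping to the last day of the target month), the treatment of the exact 60-month boundary as compliant, and the sample certificate data are assumptions made for this illustration; the article does not specify them.

```python
"""Validity-period check modelled on the policy described in the article.

Added example, not Chromium's or Google's code. It assumes the rule as the
article states it: a certificate issued on or after the Baseline Requirements
effective date (1 July 2012) is rejected when its validity period exceeds
60 months. Month arithmetic (clamping to the last day of the target month)
and the boundary handling are assumptions; the page gives no such detail.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timezone

BR_EFFECTIVE_DATE = datetime(2012, 7, 1, tzinfo=timezone.utc)
MAX_VALIDITY_MONTHS = 60


@dataclass(frozen=True)
class CertValidity:
    """The two validity fields of a certificate (constructed test data)."""
    subject: str
    not_before: datetime
    not_after: datetime


def add_months(dt: datetime, months: int) -> datetime:
    """Shift dt forward by `months`, clamping the day to the length of the
    target month (e.g. 29 Feb 2016 + 60 months -> 28 Feb 2021)."""
    year = dt.year + (dt.month - 1 + months) // 12
    month = (dt.month - 1 + months) % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def exceeds_max_validity(cert: CertValidity,
                         max_months: int = MAX_VALIDITY_MONTHS) -> bool:
    """True when notAfter lies strictly beyond notBefore + max_months.
    A validity of exactly max_months is treated as compliant (assumption)."""
    return cert.not_after > add_months(cert.not_before, max_months)


def is_rejected(cert: CertValidity) -> bool:
    """Apply the article's rule: the cap applies only to certificates issued
    on or after the BR effective date (boundary treatment is an assumption)."""
    if cert.not_before < BR_EFFECTIVE_DATE:
        return False  # pre-BR certificate: the 60-month cap does not apply
    return exceeds_max_validity(cert)


def triage(certs: list[CertValidity]) -> dict[str, str]:
    """Map each subject to 'accept' or 'reject' under the policy."""
    return {c.subject: ("reject" if is_rejected(c) else "accept") for c in certs}


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample certificates covering the interesting cases.
SAMPLE_CERTS = [
    # Issued before the BR effective date: a 10-year validity is tolerated.
    CertValidity("legacy-2011", _utc(2011, 3, 1), _utc(2021, 3, 1)),
    # Issued after the date with 10 years of validity: rejected.
    CertValidity("ten-year-2013", _utc(2013, 1, 15), _utc(2023, 1, 15)),
    # Exactly 60 months: accepted under this example's boundary assumption.
    CertValidity("five-year-exact", _utc(2013, 1, 15), _utc(2018, 1, 15)),
    # One day past 60 months: rejected.
    CertValidity("five-year-plus-day", _utc(2013, 1, 15), _utc(2018, 1, 16)),
    # Leap-day notBefore: 60 months later is clamped to 28 Feb 2021.
    CertValidity("leap-day-ok", _utc(2016, 2, 29), _utc(2021, 2, 28)),
    CertValidity("leap-day-over", _utc(2016, 2, 29), _utc(2021, 3, 1)),
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_CERTS).items():
        print(f"{subject:20s} {verdict}")
```

The month-clamping helper matters because a naive `365 * 5` days check would mis-classify certificates that straddle leap days; the leap-day samples show both sides of that boundary.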

Google explained:

“Our view is that such certificates are non-compliant with the Baseline Requirements. Chrome and Chromium will no longer be considering such certificates as valid.

We also believe that such practice is inconsistent with the audit criteria based upon the Baseline Requirements. For example, the WebTrust Principles and Criteria for Certification Authorities 2.0, Section 6.3, provides illustrative control #7 - that ‘The CA or the RA verifies that the Certificate Rekey Request meets the requirements defined in the relevant CP,’ and illustrative Control #14, ‘Prior to the generation and issuance of rekeyed certificates, the CA or RA verifies the following: ... that the request meets the requirements defined in the CP.’”

Certificate attacks can be costly for browser providers, because it falls on them to revoke trust in compromised certificates and to communicate with the public. For instance, in January, Google, Mozilla and Microsoft all had to block phony Google digital certificates accidentally issued by a Turkish certificate authority (CA) known as TURKTRUST.

An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could use the certificate to impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but they actually contain malicious content or software.

But the five-year cap is just the beginning of better security practices for this arena. “The truth is that this is only a first step in establishing a more secure internet,” Hudson said.

He added, “As recent threat trends have proven, certificate and cryptographic key-based attacks are on the rise. The lack of visibility and control over the hundreds and thousands of keys and certificates that exist in enterprise networks has provided ample attack-surface real estate for cybercriminals. As a recent Forrester report states, improperly secured certificates have created a trust gap that wouldn’t be tolerated in any other area of IT security today and have enterprises scrambling to recover from business operation interruptions and breaches.”

The US National Institute of Standards and Technology (NIST) recently published a bulletin for organizations on how to prepare for and respond to certificate authority (CA) compromises that result in fraudulent certificates.

Citing the high-profile CA breaches in recent years, such as compromises at Comodo, DigiNotar, and others, NIST stressed the need for organizations to have a plan for CA compromises.

“Responding to a CA compromise may require replacing all user or device certificates or trust anchors. If an organization is not prepared with an inventory of certificate locations and owners, the organization will not be able to respond in a timely manner and may experience significant interruption in its operations for an extended period of time,” the NIST bulletin warned.
