As part of Google's effort to improve certificate security, the company has introduced a the Google Certificate Transparency log viewer tool and also announced a specific log for untrusted certificate authorities. How do these additions work, and can they benefit enterprise security?
Secure communications over the internet rely heavily on digital certificates to provide authentication and encryption; they allow users to confirm that a server is in fact the server it claims to be and provides encrypted traffic. This prevents an attacker from impersonating a site, or eavesdropping on communications to and from the site. Therefore, it's critical that these certificates are valid and appropriately issued. However, over the past few years, trust and confidence in digital certificates and the certificate authorities (CAs) that issue them have taken a serious knock. The misissuance of certificates by CAs has enabled hackers to abuse fraudulent certificates and launch a wide range of attacks such as a website spoofing, server impersonation and man-in-the-middle attacks.
Google, as well as other organizations such as Venafi TrustNet, have launched various initiatives to safeguard the certificate issuance process and help detect and counter fraudulent and stolen certificates. The Google Certificate Transparency project provides an open framework for monitoring and auditing HTTPS certificates. Certificate Transparency (CT) is an experimental protocol put forward by Google for publicly logging every certificate that's issued by compliant CAs, the long term goal being that browsers will refuse to honor certificates that do not appear in a public CT log.
Google's Certificate Transparency log viewer makes it simple to find and view all of the digital certificates issued for a given hostname recorded in public CT logs. The web-based app enables domain administrators to easily check whether a certificate for any of their domains and subdomains has been incorrectly issued. Users can also check and see who has issued a certificate for a particular website. Google has also introduced a new CT log for root certificates that were once, or are not yet, trusted by browsers. According to Google, keeping such records has been difficult, and this log will make its records more complete.
By making the issuance and existence of SSL certificates open to scrutiny by everyone, it will be a lot harder for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain. In 2014, CT logs enabled Google to discover the issuance of Extended Validation precertificates for its domains google.com and www.google.com by Symantec's Thawte-branded CA, neither of which had been requested nor authorized by Google.
Certificate Transparency does of course require certificate authorities to publicly declare certificates they have generated legitimately in a CT log. Some CAs have already committed to CT, including GlobalSign and DigiCert, and so far there are over 54 million entries in the set of CT logs that Google monitors. Domain admins should certainly run regular checks using the CT log viewer to ensure no certificates for their domains have been mistakenly or maliciously issued. The early detection of misissued or malicious certificates will prevent their misuse by cybercriminals looking to impersonate well-known and popular sites.
Learn about the security risks around certificate authorities
Find out about fake digital certificates issued for Google domains
Read about the three main SSL security issues
Dig Deeper on VPN security
Related Q&A from Michael Cobb
Cyberespionage hackers have used stolen digital certificates to steal data. Expert Michael Cobb explains how hackers sign Plead malware to conduct ... Continue Reading
BEC attacks cost over $676 million in 2017, according to the FBI's Internet Crime Report. Learn how to recognize possible BEC attacks from expert ... Continue Reading
Spectre exploits how processors manage performance-enhancing features. Expert Michael Cobb explains Google Chrome's initiative to use site isolation ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.