Google tightening SSL security in Chrome

Summary: Always a leader in advancing SSL security, Google will flag certificates that do not meet the Baseline Requirements of the CA/Browser Forum, and will add requirements for Certificate Transparency.

In a post to the CA/Browser Forum Public Discussion List, Google has set out plans to enforce high standards for security of SSL/TLS certificates in Chrome and products built on it.

The changes have two major themes: enforcement of the CA/Browser Forum's Baseline Requirements, and support for Certificate Transparency.

The Baseline Requirements were issued to set a minimum standard for the security of publicly trusted certificates in the Public Key Infrastructure. Certificate Authorities have paid lip service to them but, as Netcraft recently showed, many certificates on the Internet, including many issued by prominent CAs, have serious flaws that cause them to fail the Baseline Requirements, including:

  • An RSA public key shorter than the minimum of 2048 bits (for certificates that expire after December 31, 2013)
  • No address for either a CRL (Certificate Revocation List) or an OCSP (Online Certificate Status Protocol) responder, and no stapled OCSP response, which leaves the certificate effectively irrevocable. In practice OCSP is the mechanism that matters and the one being required: Firefox is removing CRL support, and Chrome does not fetch CRLs itself, relying instead on its own CRLSet mechanism.

As an example, a recently issued certificate for Avon in France, issued by Equifax, specifies no OCSP server. Netcraft also identified non-compliant certificates issued by Symantec, Verizon Business, SwissSign and GoDaddy. A CA can test compliance with the Baseline Requirements as an automated check before issuance, so there is little excuse for these lapses.
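The automated pre-issuance check the paragraph above calls for, as an added example that is not from the article, Netcraft or Google: a shell script that lints a certificate against the two Baseline Requirements failures listed above using the openssl CLI. The two self-signed sample certificates, the example.test hostnames and the OCSP/CRL URLs are constructed for the demo; the script assumes openssl 1.1.1 or later (needed for -addext) is on PATH.

```shell
#!/bin/sh
# Added example (not the article's, Netcraft's or Google's code): a pre-issuance
# lint for the two Baseline Requirements failures discussed in the article,
# driven by the openssl CLI. Assumes openssl 1.1.1+ is on PATH.

# check_br_compliance CERT.pem
# Prints one line per finding; returns 0 if the certificate passes both
# checks and 1 if it fails either of them.
check_br_compliance() {
    cert="$1"
    status=0
    text=$(openssl x509 -in "$cert" -noout -text)

    # Rule 1: RSA keys must be at least 2048 bits for certificates expiring
    # after 31 December 2013, i.e. whose notAfter year is 2014 or later.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        # "notAfter=Jun  5 12:00:00 2024 GMT" -> fourth field is the year
        year=$(openssl x509 -in "$cert" -noout -enddate | awk '{print $4}')
        if [ "$year" -gt 2013 ] && [ "$bits" -lt 2048 ]; then
            echo "FAIL: RSA key is only $bits bits (minimum 2048 for expiry after 2013)"
            status=1
        else
            echo "ok:   RSA key is $bits bits, certificate expires in $year"
        fi
    else
        echo "skip: not an RSA key, 2048-bit rule does not apply"
    fi

    # Rule 2: the certificate must carry revocation information. An OCSP
    # responder URI in Authority Information Access is what is required;
    # a CRL Distribution Point alone is only a warning. A stapled OCSP
    # response lives in the TLS handshake, so a static lint cannot see it.
    if printf '%s\n' "$text" | grep -q 'OCSP - URI:'; then
        echo "ok:   OCSP responder URI present"
    elif printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points'; then
        echo "warn: no OCSP responder, only a CRL distribution point"
    else
        echo "FAIL: no OCSP responder and no CRL distribution point; certificate is irrevocable"
        status=1
    fi
    return $status
}

# Two constructed, self-signed sample certificates for the demo: weak.pem
# breaks both rules (1024-bit key, no revocation info); good.pem satisfies both.
make_sample_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:1024 -nodes -keyout "$dir/weak.key" \
        -out "$dir/weak.pem" -days 365 -subj "/CN=weak.example.test" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/good.key" \
        -out "$dir/good.pem" -days 365 -subj "/CN=good.example.test" \
        -addext "authorityInfoAccess = OCSP;URI:http://ocsp.example.test/" \
        -addext "crlDistributionPoints = URI:http://crl.example.test/ca.crl" 2>/dev/null
    echo "$dir"
}

SAMPLES=$(make_sample_certs)
for name in weak good; do
    echo "== $name.pem"
    if check_br_compliance "$SAMPLES/$name.pem"; then
        echo "result: compliant"
    else
        echo "result: NON-COMPLIANT"
    fi
done
```

Run it as written to lint the two samples; to check a real certificate, call check_br_compliance on its PEM file. The lint deliberately treats a CRL-only certificate as a warning rather than a failure, following the article's point that OCSP is the mechanism that is actually being required.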

As a percentage of all certificates very few are non-compliant, but the number is still in the thousands. Netcraft's surveys show that nearly all of these non-compliant certificates were issued by GoDaddy and Comodo.

Google will also begin to require, after a date yet to be determined, that all Extended Validation (EV) certificates support its Certificate Transparency (CT) scheme. Eventually the requirement will be extended to all certificates.

CT adds three components to the PKI:

  • Certificate logs: publicly auditable, append-only records of issued certificates
  • Certificate monitors: services that watch the logs for suspicious or unexpected certificates
  • Certificate auditors: software that verifies that a log is behaving consistently and that a given certificate actually appears in it

The effect of these systems should be faster detection of bogus certificates and more effective blocking of them.

Topics: Security, Google

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...


