Google tightening SSL security in Chrome

Google tightening SSL security in Chrome

Summary: Always a leader in advancing SSL security, Google will be flagging certificates that don't meet the Baseline Requirements of the CA/Browser Forum, and adding requirements for Certificate Transparency.

TOPICS: Security, Google

In a post to the CA/Browser Forum Public Discussion List, Google has set out plans to enforce high standards for security of SSL/TLS certificates in Chrome and products built on it.

The two major themes of the changes are:

The Baseline Requirements were issued to facilitate stronger encryption in the Public Key Infrastructure. Certificate Authorities have paid lip service to them but, as Netcraft recently showed, there are still many certificates out on the Internet, including many issued by prominent CAs, that have serious flaws that cause them to fail the Baseline Requirements, including:

  • RSA public key length less than the minimum of 2048 bits (for certificates that expire after December 31, 2013)
  • A lack addresses for either a CRL (Certificate Revocation List) or an OCSP (Online Certificate Status Protocol) server, or a stapled OCSP response, making the certificate irrevocable. In fact, OCSP is the standard that matters and is required; CRL support is being removed from Firefox and was never present in Chrome.

As an example, a recently-issued certificate for Avon in France, issued by Equifax, has no OCSP server specified. Netcraft also identified non-compliant certificates issued by Symantec, Verizon Business, SwissSign and GoDaddy. CAs should be capable of testing compliance with the baseline requirements as an automated check before issuance, so there's not much of an excuse for these lapses.

As a percentage of total certificates there are very few which are non-compliant, but the number is still in the thousands. Netcraft's surveys show that nearly all of these non-compliant certificates were issued by GoDaddy and Comodo.

Google will also begin to require, after a date yet to be determined, that all Extended Validation (EV) certificates support their Certificate Transparency. Eventually, the requirement will be extended to all certificates.

CT adds 3 components to the PKI:

  • Certificate logs
  • Certificate monitors
  • Certificate auditors

The effect of these systems should be faster detection of bogus certificates and more effective blocking of them.

Topics: Security, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Translate: More backdoors for NSA

    You cannot just admit it so you'd have to put some "high SSL security" lip stick on that NSA spying pig.
    • translate translate...

      what are you trying to say?
      • Re: translate translate... what are you trying to say?

        "Security" = blood
        "NSA" = vampire

        Or, the more blood you have, the more you attract the vampire.

        To me, phrases like "baby" and "bathwater" come to mind...
        • No comprendo ld107

          The idea of an SSL certificate is to encrypt traffic between the server and your system. This would mean more work on the NSA's behalf. Using stronger keys that are properly verified means even more work for NSA!

          so what your saying is "no security = no blood"?

          By turning off my firewall and using insecure connections, I can safely be free of NSA's bloodhounds?
  • sadly, this won't work

    Attempts like these were made long before Google became known name.

    Consumers will still want to access these sites and will either force Google to turn this off, or use something else than Chrome.
  • Like this....

    makes any difference with the NSA snooping around?
  • Chrome!

    Not only Chrome, buzz around the world, saying that old 1024-bit SSL certificates will no longer be supported by browsers in 2014. These requirements are intended to further strengthen the security and trust that comes with SSL certificates on the internet.

    Articles and will help to update your SSL certs.