Google builds list of untrusted digital certificate suppliers

Hoping to improve trust on the web, Google has a new tool to keep track of untrusted Certificate Authorities.
Written by Liam Tung, Contributing Writer
Google's digital certificate logging system uses cryptographic proofing.

Google has bolstered its toolset for keeping tabs on digital certificate suppliers that go rogue.

That toolset, a Google-designed digital certificate logging system known as Certificate Transparency (CT), can help protect Chrome users from the kind of mis-issued SSL/TLS certificates that Symantec generated last year for some Google domains.

The incident sparked an angry response from Google, which demanded that from June 1, 2016, Symantec log all certificates it issues in line with Google's Chromium CT policy, or else websites that rely on its certificates would be flagged as dangerous by Chrome.

Though the certificates never escaped into the wild, anyone in possession of them could have used them to impersonate an HTTPS-secured Google site and intercept users' traffic. That is exactly what happened in 2011, when rogue certificates issued by the Dutch CA DigiNotar were used to target Google users in Iran.

As Google engineer Martin Smith noted on Tuesday, CT data can protect users from these certificates. Each CT log is an append-only Merkle hash tree: the log publishes a signed tree head and can produce a cryptographic proof that any given certificate is included under it, so anyone can audit which certificates have been issued for a domain without having to trust the log operator's word.
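To make the "cryptographic proofing" concrete, the following is an added example (not code from Google or the article) that implements the RFC 6962 Merkle tree hash, builds an inclusion proof for one entry, and verifies it the way a CT client would. The entries are constructed placeholder byte strings standing in for log entries; a real CT leaf is a TLS-encoded MerkleTreeLeaf wrapping the certificate or precertificate, and a real client fetches the signed tree head and proof from a log's /ct/v1/get-sth and /ct/v1/get-proof-by-hash endpoints rather than computing them locally.

```python
"""RFC 6962 Merkle tree hash and inclusion-proof verification (added example)."""
import hashlib

# Domain-separation prefixes from RFC 6962 section 2.1: leaves and interior
# nodes are hashed differently so a leaf can never be passed off as a node.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_children(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (the 'k' in RFC 6962)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries) -> bytes:
    """MTH(D[n]): the root a log commits to in its Signed Tree Head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split_point(n)
    return hash_children(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_proof(entries, m: int):
    """PATH(m, D[n]): sibling hashes from leaf m up to the root (RFC 6962 2.1.1).

    A log serves these from /ct/v1/get-proof-by-hash; the client needs only
    these hashes plus the signed root, never the other entries.
    """
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf_hash: bytes, leaf_index: int, tree_size: int, proof, root: bytes) -> bool:
    """Client-side check, following the algorithm in RFC 9162 section 2.1.3.2."""
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash
    for p in proof:
        if sn == 0:
            return False  # more proof hashes than levels in the tree
        if fn & 1 or fn == sn:
            r = hash_children(p, r)
            # Skip levels where our subtree is a lone right-hand remainder.
            while fn != 0 and not (fn & 1):
                fn >>= 1
                sn >>= 1
        else:
            r = hash_children(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed stand-ins for log entries (a real leaf is a MerkleTreeLeaf structure).
ENTRIES = [
    b"cert: CN=www.google.com, issuer=Example Trusted CA",
    b"cert: CN=mail.example.net, issuer=Example Trusted CA",
    b"cert: CN=login.example.org, issuer=Discontinued Root CA",
    b"cert: CN=shop.example.com, issuer=Discontinued Root CA",
    b"cert: CN=api.example.io, issuer=Pending Root CA",
]


def audit_all(entries) -> bool:
    """Verify every entry against the tree head; True only if all proofs hold."""
    root = merkle_tree_hash(entries)
    n = len(entries)
    return all(
        verify_inclusion(hash_leaf(e), i, n, inclusion_proof(entries, i), root)
        for i, e in enumerate(entries)
    )


def tampered_entry_detected(entries, index: int) -> bool:
    """Swap one entry after the head was signed; its proof must no longer verify."""
    root = merkle_tree_hash(entries)
    forged = list(entries)
    forged[index] = b"cert: CN=www.google.com, issuer=Rogue CA"
    proof = inclusion_proof(forged, index)
    return not verify_inclusion(hash_leaf(forged[index]), index, len(entries), proof, root)


if __name__ == "__main__":
    print("all entries verify:", audit_all(ENTRIES))
    print("substituted entry detected:", tampered_entry_detected(ENTRIES, 0))
```

The point of the exercise is that a tree head, once signed and gossiped, pins every entry beneath it: a log cannot later substitute or drop a certificate without every inclusion proof for that position breaking, which is what lets a log of untrusted roots like Submariner still be a useful public record even though Chrome itself does not trust it.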

Until now Google has operated logs only for CAs that browsers currently trust; it has not had a log for untrusted root CAs. Those include CAs whose trust has been revoked by root programs, and new CAs still in the process of being granted trust.

One instance of the first case was a pair of Symantec-owned VeriSign root certificates for which Google withdrew trust in Chrome and Android last December.

According to Smith, a log that accepts such roots is hard to trust for reasons including "uncertainties around revocation policies and the possibility of cross-signing attacks being attempted by malicious third-parties".

"This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs," he noted.

The log, named Submariner, is accessible at "ct.googleapis.com/submariner" and is listed on the Certificate Transparency project's "Known Logs" page.

"Initially, Submariner includes certificates chaining up to the set of root certificates that Symantec recently announced it had discontinued, as well as a collection of additional roots suggested to us that are pending inclusion in Mozilla," wrote Smith.

"Once Symantec's affected certificates are no longer trusted by browsers, we will be withdrawing them from the trusted roots accepted by our existing logs (Aviator, Pilot, and Rocketeer)."

As for Symantec's progress on meeting Google's June 1 deadline, the security firm announced last month that it was supporting CT for "all SSL/TLS certificate types and customer channels". These include its Organization Validation (OV) products and its Domain Validated (DV) products, which gained CT support in late February. It is also reaching out to other CAs to encourage them to support CT.
