INTERNET GIANT Google has revealed efforts it is making to secure the Internet's public key infrastructure, after one of its Secure Sockets Layer (SSL) certificates was issued fraudulently last month.
Along with Yahoo, Skype, Mozilla, and Microsoft, the search giant was embarrassed after web security firm Comodo found that one of its affiliated registration authorities had been compromised.
This allowed fake SSL certificates to be issued purporting to belong to the big firms involved, although they were quickly revoked before harm was done. SSL is the cryptographic protocol that encrypts Internet traffic and, through certificates issued by trusted certificate authorities (CAs), is supposed to assure a browser that it is talking to the genuine site; a fraudulently issued certificate defeats exactly that assurance.
In a blog post, Google said it is working on a "Google Certificate Catalogue", which will be a database of all the SSL certificates its web crawlers see.
Ben Laurie of the Google security team said, "The basic idea is that if a certificate doesn't appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate."
But it is difficult to manually access the data in the Google Certificate Catalogue, so the company is working on ways to add support for it to the Chrome web browser. Google said it will also use DNSSEC, which lets DNS records be cryptographically signed so that a resolver can verify they have not been tampered with, for the Certificate Catalogue.
Once DNSSEC is more broadly deployed, Google can push for domain operators to publish information about the SSL certificates on their hosts in DNS itself, the approach behind DNS-based Authentication of Named Entities (DANE). Such records are only as trustworthy as the DNS answer carrying them, which is why DANE depends on DNSSEC validation.
Laurie said, "It should be possible, using DANE DNS records, to specify particular certificates which are valid, or [which] Certificate Authority (CA) [is] allowed to sign certificates for those hosts."
"So, once more, if a certificate is seen that isn't consistent with the DANE records, it should be treated with suspicion."
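The consistency check Laurie describes is what DANE's TLSA record (RFC 6698) encodes: a certificate usage (constrain the CA, or constrain the end-entity certificate), a selector (full certificate or just its SubjectPublicKeyInfo) and a matching type (exact data or a SHA-256/SHA-512 digest). The following is an added example, not code from Google or from the article, showing how a client would compare a presented certificate chain against such records. The certificates, key bytes and record values are constructed inline for the example; the DER builder and parser are minimal helpers written for it, and signatures are not checked, so this demonstrates only the DANE matching step, not full PKIX path validation.

```python
import hashlib
from dataclasses import dataclass

SEQ, INT, BITS, OID, UTF8, UTCTIME, SET, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x0C, 0x17, 0x31, 0xA0

def der(tag, content):
    """Minimal DER TLV encoder (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, body, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, buf[start:start + length], start + length

def children(body):
    """Split a SEQUENCE body into its (tag, whole_tlv) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (TLSA selector 1).
    Handles the optional [0] EXPLICIT version field: absent in v1 certs, which
    shifts the index of subjectPublicKeyInfo inside tbsCertificate."""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != SEQ:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = read_tlv(cert_body)          # first child: tbsCertificate
    fields = children(tbs_body)
    idx = 6 if fields[0][0] == CTX0 else 5
    return fields[idx][1]

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

def association_data(cert_der, selector, mtype):
    sel = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return sel
    if mtype == 1:
        return hashlib.sha256(sel).digest()
    if mtype == 2:
        return hashlib.sha512(sel).digest()
    raise ValueError("unknown matching type")

def dane_consistent(chain, records):
    """chain: DER certs, leaf first. True if any TLSA record is satisfied.
    Usages 1/3 constrain the leaf; usages 0/2 constrain an issuer in the chain.
    Usages 0 and 1 additionally require PKIX validation, not performed here."""
    leaf, issuers = chain[0], chain[1:]
    for r in records:
        if r.usage in (1, 3) and association_data(leaf, r.selector, r.mtype) == r.data:
            return True
        if r.usage in (0, 2) and any(association_data(c, r.selector, r.mtype) == r.data for c in issuers):
            return True
    return False

# --- constructed certificates (structurally valid DER, dummy key and signature bytes) ---
def spki_for(key_bits):
    return der(SEQ, der(SEQ, der(OID, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(BITS, b"\x00" + key_bits))

def fake_cert(subject, key_bits, issuer, with_version=True):
    name = lambda s: der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(UTF8, s.encode()))))
    alg = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    validity = der(SEQ, der(UTCTIME, b"250101000000Z") + der(UTCTIME, b"260101000000Z"))
    version = der(CTX0, der(INT, b"\x02")) if with_version else b""
    tbs = der(SEQ, version + der(INT, b"\x01") + alg + name(issuer) + validity + name(subject) + spki_for(key_bits))
    return der(SEQ, tbs + alg + der(BITS, b"\x00" + bytes(8)))   # signature bytes are placeholders

def demo():
    ca_key, other_key = bytes(range(1, 33)), bytes(range(33, 65))
    leaf_key, rogue_key = bytes(range(101, 133)), bytes(range(201, 233))
    ca = fake_cert("Example Root CA", ca_key, "Example Root CA")
    other_ca = fake_cert("Some Other CA", other_key, "Some Other CA")
    leaf = fake_cert("www.example.com", leaf_key, "Example Root CA")
    rogue = fake_cert("www.example.com", rogue_key, "Some Other CA", with_version=False)  # v1 cert
    records = [
        TLSA(3, 1, 1, hashlib.sha256(spki_of(leaf)).digest()),  # DANE-EE: pin the site's SPKI
        TLSA(2, 0, 1, hashlib.sha256(ca).digest()),             # DANE-TA: pin the issuing CA cert
    ]
    return {
        "legit": dane_consistent([leaf, ca], records),          # True
        "rogue": dane_consistent([rogue, other_ca], records),   # False: correctly signed by a CA, but not the pinned one
        "v1_spki_ok": spki_of(rogue) == spki_for(rogue_key),   # True: parser copes with missing version field
    }

if __name__ == "__main__":
    print(demo())
```

A certificate that chains to some browser-trusted CA but matches neither record (the "rogue" case) is precisely what the article's Comodo incident produced, and it is what a DANE-aware client would flag. In deployment the TLSA records must come from a DNSSEC-validated answer, or an attacker who can spoof DNS could publish records matching their own certificate.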