With Certificate Transparency, Google hopes to tackle wrongly issued certificates, maliciously acquired certificates, rogue CAs, and other threats. Google certainly has technology on its side, but it has to convince users that this is the right approach.
DNS-based Authentication of Named Entities (DANE) is another attempt to solve the man-in-the-middle problem with SSL. The DANE protocol reinforces the point that a sound technology solution doesn’t automatically win users. DANE pins SSL sessions to the domain name system’s security layer DNSSEC.
While DANE successfully blocks man-in-the-middle attacks against SSL and other protocols, it is haunted by the specter of state surveillance. DANE relies on DNSSEC, and since governments typically own the DNS for top-level domains, there is concern about trusting federal authorities to run the security layer. Adopting DANE means governments would have the kind of access certificate authorities currently wield -- and that makes users understandably uneasy.
Despite any misgivings users may have about trusting Google, the company has moved forward with Certificate Transparency. It even recently launched a parallel service, Google Submariner, which lists certificate authorities that are no longer trusted.
3. Tackle the malware problem once and for all
Almost a decade ago Harvard University’s Berkman Center for Internet & Society launched StopBadware, a joint effort with tech companies such as Google, Mozilla, and PayPal to experiment with strategies to combat malicious software.
In 2010 Harvard spun off the project as a stand-alone nonprofit. StopBadware analyzed badware -- malware and spyware alike -- to provide removal information and to educate users on how to prevent recurring infections. Users and webmasters can look up URLs, IPs, and ASNs, as well as report malicious URLs. Technology companies, independent security researchers, and academic researchers collaborated with StopBadware to share data about different threats.
The high overhead costs of running a nonprofit took a toll, and the project moved to the University of Tulsa under the auspices of Dr. Tyler Moore, the Tandy Assistant Professor of Cyber Security and Information Assurance. The project still offers independent testing and review of websites infected with malware and runs a Data Sharing Program in which companies contribute and receive real-time data on Web-based malware. Development is underway on a tool to provide more targeted advice to webmasters based upon the type of compromise they have experienced. A beta is expected by the early fall.
But even if a project successfully addresses a security problem, it still has to deal with the practical realities of how to fund its operations.
4. Reinvent the Internet
Then there’s the idea that the Internet should be replaced with a better, more secure alternative.