Private I: Trust and verify for network certificate roots

Glenn Fleishman | March 27, 2015
In a post on March 23, Google's security team explained that it had discovered someone delivering digital certificates for Google domains that Google had not authorized. A quick investigation revealed that a Chinese certificate authority (CA), CNNIC, had improperly given a reseller enough power to create verifiable certificates for any domain in the world.

When CT is fully implemented in browsers and operating systems alongside pinning, a certificate that doesn't appear in the public log of certificates its issuing CA has signed, or that fails a pinning test, will give the user a chance to react. CT will also let companies like Google and independent security organizations actively monitor for problematic certificates.

Pinning, and soon certificate transparency, absolutely do not solve all problems related to misuse of certificates. But on their own and together, they reduce the potential area of harm by making it far harder for an eavesdropper to obtain a certificate and insert itself into a secure connection without being caught immediately.

The alerts that browsers will provide will let users, quite legitimately, feel that they are part of the effort to give integrity to the Internet's plumbing.
