In an effort to improve trust in the web, Google has released a new tool for tracking certificates issued by untrusted CAs.
Google has decided to implement a set of tools to monitor the certificate authorities that can be involved in fraud. This set of tools, called Certificate Transparency (CT), is a logging system for digital certificates. It helps protect Chrome users from all kinds of mis-issued SSL certificates, such as those that Symantec generated in the past for certain Google domains.
That incident led to a tough response from Google, which demanded that, starting June 1, 2016, Symantec log all the certificates it issues in Chromium CT; otherwise, web sites presenting those certificates will be marked as dangerous in Chrome.
Anyone holding a certificate for a domain can potentially set up a page that appears to be HTTPS-protected but is actually used for phishing. This happened in 2011, when fraudulent certificates from DigiNotar were used against Iranian Google users.
According to Google engineer Martin Smith, CT data helps protect users from such fake certificates. The system uses a cryptographic verification mechanism that allows the certificates issued for a domain to be publicly audited.
Until recently, Google kept its own logs only for CAs that are trusted in browsers; there was no log for untrusted root CAs. These include CAs that have lost trust as a result of root program decisions, as well as new CAs that are still in the process of earning trust.
The first example is the two VeriSign root certificates for which Google withdrew trust last December in Chrome and Android. According to Smith, logging them is problematic because of uncertainty about their revocation policy and the possibility of cross-signing attacks.
This log will not be trusted in Chrome and will include certificates that are not accepted by the current Google logs, Smith said.
The log is available at ct.googleapis.com/submariner.