Google Tackles SSL Certificate Security

By: Doug Caverly - April 1, 2011

Less than a month ago, a security incident involving SSL certificates and at least one Iranian hacker took place, startling more than a few experts in the process. Now, demonstrating its technical expertise and general goodwill (along with a sense of self-preservation), Google has stepped forward with some thoughts.

Researchers at the search giant are apparently working on two projects, the first of which is called the Google Certificate Catalog. A post on the Google Online Security Blog explained, “The basic idea is that if a certificate doesn’t appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate.”

Unfortunately, the verification process isn’t too user-friendly right now, but Google’s interested in introducing opt-in support on Chrome at some point.

The second project is the DANE (DNS-based Authentication of Named Entities) Working Group at the IETF (Internet Engineering Task Force), which operates on a similar principle.

The post stated, “[T]he idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn’t consistent with the DANE records, it should be treated with suspicion.”
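DANE was later standardized by the IETF as the TLSA DNS record (RFC 6698), which postdates this article. The following added example, which is not from the article or from Google's post, applies that record format to the consistency check the quoted passage describes (pinning a particular certificate or key, or constraining the signing CA); the function names are illustrative and the byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0/2 = constrain the issuing CA, 1/3 = pin the server certificate
    selector: int  # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    mtype: int     # 0 = raw bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    rec = TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if rec.usage not in range(4) or rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        raise ValueError(f"unsupported TLSA parameters in {rdata!r}")
    return rec

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the selected part of one certificate against the record data."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return selected == rec.data

def dane_verdict(rdatas, chain):
    """chain: [(cert_der, spki_der), ...], leaf first, as presented by the server.
    Assumes rdatas came from a DNSSEC-validated answer and that ordinary CA
    path validation happens separately; this only checks DANE consistency."""
    records = [parse_tlsa(r) for r in rdatas]
    if not records:
        return "no-records"
    leaf, issuers = chain[:1], chain[1:]
    for rec in records:
        # Simplification: CA-constraining records are tested against issuers only.
        candidates = leaf if rec.usage in (1, 3) else issuers
        if any(matches(rec, cert, spki) for cert, spki in candidates):
            return "consistent"
    return "suspicious"

# Constructed stand-ins for DER bytes (not real certificates).
SITE = (b"site-cert-der", b"site-spki-der")
ROGUE = (b"rogue-cert-der", b"rogue-spki-der")  # mis-issued: different key, same CA
CA_A = (b"ca-a-cert-der", b"ca-a-spki-der")
CA_B = (b"ca-b-cert-der", b"ca-b-spki-der")
PIN_SITE_KEY = "3 1 1 " + hashlib.sha256(SITE[1]).hexdigest()
PIN_CA_A = "2 0 1 " + hashlib.sha256(CA_A[0]).hexdigest()

if __name__ == "__main__":
    for rdata, chain in [(PIN_SITE_KEY, [SITE, CA_A]), (PIN_SITE_KEY, [ROGUE, CA_A]), (PIN_CA_A, [SITE, CA_B])]:
        print(rdata[:5], dane_verdict([rdata], chain))
```

The second case is the one the article is concerned with: the certificate chains to a CA the browser trusts, yet the verdict is "suspicious" because it does not match what the domain operator published.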

Let’s hope one or both of these efforts (or any other project) can keep something like the Comodo fraud incident from happening again.

  • Krish Purnawarman

    Yes, do that, Google, making sure CAs don’t give away certificates under your name.
    It’s a crazy world out there… DANE is the solution.

  • Software Solutions

    Yes, the move is praiseworthy and an “opt-in support on Chrome” would be adding more value to it.

  • KamakshiSri

    There is always a solution for a problem. But the solution itself should not give rise to another problem.

    Make the verification user-friendly as soon as possible. A Chrome extension or add-on would be much better.