Less than a month ago, a security incident involving SSL certificates and at least one Iranian hacker took place, startling more than a few experts in the process. Now, demonstrating its technical expertise and general goodwill (along with a sense of self-preservation), Google’s stepped forward with some thoughts.
Researchers at the search giant are apparently working on two projects, the first of which is called the Google Certificate Catalog. A post on the Google Online Security Blog explained, “The basic idea is that if a certificate doesn’t appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate.”
Unfortunately, the verification process isn’t too user-friendly right now, but Google’s interested in introducing opt-in support on Chrome at some point.
As for the second project, it’s known as the DANE (DNS-based Authentication of Named Entities) Working Group at the IETF (Internet Engineering Task Force), and it operates on a similar principle.
The post stated, “[T]he idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn’t consistent with the DANE records, it should be treated with suspicion.”
Let’s hope one or both of these efforts (or any other project) is able to keep something like the Comodo fraud incident from happening again, in any event.