Google Pushes Transparency for SSL Certificates

The padlock on a browser’s address bar is supposed to give Net travelers some security in insecure virtual space, but that’s not always the case. Some dangerous flaws lurk behind the padlock.

They can weaken the effectiveness of encrypted Internet connections and compromise TLS/SSL processes, including domain validation, end-to-end encryption, and the chains of trust certificate authorities have put in place, Google points out at its SSL certificate transparency website.

The flaws leave the doors open for a wide range of security attacks, including website spoofing, server impersonation and man-in-the-middle attacks, the company said.

In the past, there hasn’t been a way to determine what SSL certificates a certificate authority has issued. That creates a problem because all certificates are trusted by a Web browser no matter who issues them — even though some CAs may have better security and fraud controls than others.

“There are over 300 certificate-issuing authorities, and they’re not all created equal,” said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.

Early Warning System

Google became concerned over the SSL certificate issuance problem because it saw certificates issued in its name that were being used by criminals and nation-states for fraud and mischief.

It’s spearheading a movement to improve transparency when issuing certificates. When a CA issues an SSL certificate, Google wants notice of that issuance to be posted to a public place.

That public place has become a number of log servers where certificates can be posted before they’re approved. It allows anyone interested in what certificates are being issued to see them before they go live.

“If I’m monitoring one of these log servers, and I see a certificate that’s for my domain, and I know I didn’t request that certificate and don’t do business with that certificate authority, alarm bells should go off,” Bocek told TechNewsWorld.
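
The check a domain owner would run over log entries can be sketched as follows. This is an added example, not code from the article or from the Certificate Transparency project; the record fields, domain, CA names and serials are constructed, and fetching and decoding real log entries is left out.

```python
from dataclasses import dataclass

# Constructed values: the domain, CA names and serials are placeholders.
MY_DOMAINS = {"example.com"}
EXPECTED_ISSUERS = {"Example Trusted CA"}        # CAs we do business with
REQUESTED = {("Example Trusted CA", "0a01")}     # (issuer, serial) we asked for


@dataclass(frozen=True)
class LoggedCert:
    """Simplified view of one decoded log entry (field names are assumptions)."""
    issuer: str
    serial: str
    dns_names: tuple


def covers_my_domain(name, my_domains=MY_DOMAINS):
    """True if a certificate name, wildcard or not, lies inside one of our domains."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Match on a label boundary so notexample.com does not match example.com.
    return any(name == d or name.endswith("." + d) for d in my_domains)


def review(entry):
    """Return (serial, matching names, reason) if the entry needs attention, else None."""
    names = [n for n in entry.dns_names if covers_my_domain(n)]
    if not names:
        return None                               # someone else's certificate
    if entry.issuer not in EXPECTED_ISSUERS:
        return (entry.serial, names, "issued by a CA we do not use")
    if (entry.issuer, entry.serial) not in REQUESTED:
        return (entry.serial, names, "no matching request on record")
    return None


def scan(entries):
    """Review every logged certificate and collect the ones that should raise an alarm."""
    return [alert for alert in map(review, entries) if alert]


# Constructed log entries for the demonstration.
SAMPLE_ENTRIES = [
    LoggedCert("Example Trusted CA", "0a01", ("example.com", "www.example.com")),
    LoggedCert("Unknown Regional CA", "77ff", ("login.example.com",)),
    LoggedCert("Example Trusted CA", "0b99", ("*.example.com",)),
    LoggedCert("Unknown Regional CA", "1234", ("notexample.com", "example.com.evil.test")),
]

if __name__ == "__main__":
    for serial, names, reason in scan(SAMPLE_ENTRIES):
        print(f"ALERT serial={serial} names={names}: {reason}")
```

The pair (issuer, serial) is used as the key because serial numbers are only unique within one CA.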

Weeding CA Ecosystem

Transparency isn’t a panacea for all the ills in the cert system.

“Certificate transparency doesn’t solve all of the trust issues at all, but it does provide a good way to allow certificate misissuance to be detected after the event,” said Robin Alden, chief technical officer for Comodo.

If bad SSL certificates can be detected, it will be easier to identify CAs deliberately abusing their authority or accidentally issuing defective certificates, he told TechNewsWorld.

Either way, “their mistakes are likely to be found sooner rather than later, and that helps to reduce the impact of such mistakes,” Alden said.

“Together with widely accepted standards for CAs and an external audit regime, certificate transparency can help both to strengthen the trust in CAs and to weed out any inadequate or malicious CA,” he added.

Reduces Risk

While transparency can address problems CAs acting in good faith may face with issuing SSL certificates, if a CA is hacked, all bets are off.

That’s because if a bad actor is able to gain control of a CA’s machinery to issue certificates, those certificates won’t appear on any Certificate Transparency server. The same is true for unscrupulous CAs that issue certs without prepublishing them on a CTS.

“Transparency helps reduce the risk,” Venafi’s Bocek said. “It doesn’t eliminate it.”

However, Google has made it difficult in some cases for even those hackers and fly-by-night CAs to get their certificates trusted.

“Google requires that if you issue a certificate with the highest level of trust — the extended validation certificate — you must prepublish that certificate on a Certificate Transparency log server,” Bocek explained.

Urgent Matter

Websites with EV certificates are displayed differently on a browser’s address bar than other websites. The green area beside the padlock icon is longer and usually displays more information about the certificate owner.

“Extended validation requires a great deal of effort on the [part of the] person applying for that certificate because they have to prove they are that business,” John Graham-Cumming, a programmer with CloudFlare, told TechNewsWorld.

There is some urgency in solving the problems associated with certificates now, especially before the mandate that all federal government websites have a digital certificate is fully implemented.

“That raises the stakes for certificate authorities. They’re going to become more of a target,” Bocek said.

“We know there are underground marketplaces that are selling digital certificates,” he added. “It’s a commodity that can be quickly monitored.”

Judicial Redress Act

European authorities last week continued their campaign to ensure that the personal information of their citizens stored by American companies meets European Union privacy standards.

Ireland’s High Court ordered an investigation of Facebook to ensure that data gathered from EU users is properly protected from surveillance by U.S. government agencies.

In Austria, an appeals court overturned a lower court ruling that prevented law student Max Schrems from filing a lawsuit against Facebook for a number of alleged rights violations, including its tracking of user data and its involvement with an NSA surveillance program.

Earlier this month, Schrems’ lawsuit resulted in the European Court of Justice invalidating the “Safe Harbor” agreement between the EU and United States. That pact allowed U.S. companies to handle Europeans’ personal data without meeting stringent European privacy rules.

Strengthening Uncle Sam’s Hand

Meanwhile, the U.S. House of Representatives moved to address one of the privacy concerns European authorities raised by passing and sending to the Senate the Judicial Redress Act.

The measure would allow some foreign citizens to challenge in U.S. courts violations of the federal Privacy Act by the U.S. government related to the sharing of law enforcement information between Uncle Sam and some foreign governments.

“This is one of the few instances of the U.S. Congress enhancing the privacy protections of non-Americans,” said Jens-Henrik Jeppesen, the director of European affairs for the Center for Democracy & Technology.

“While the Judicial Redress Act does not extend the full Privacy Act protections that U.S. citizens receive to EU citizens, it is certainly positive progress in improving how very personal data is shared between the EU and U.S.,” he added.

Passage of the JRA should strengthen the United States’ position when hammering out a new Safe Harbor agreement with the Europeans, noted Berin Szoka, president of TechFreedom.

“Passage of the Judicial Redress Act is table stakes for the U.S.,” Szoka said. “Without it, the State Department will have no credibility at the bargaining table in negotiating with the Europeans over a replacement for Safe Harbor.”

Breach Diary

  • Oct. 18. Center for Disability Rights in Rochester, New York, issues a statement alleging that protected health information from the Angels of Your Home home care agency was illegally removed by its former CEO and is being used to recruit clients for a new agency, All-American Home Care.
  • Oct. 19. CrowdStrike accuses China of continuing to engage in corporate espionage after it signed an agreement with the United States not to do so.
  • Oct. 19. Sony Pictures Entertainment settles lawsuit with employees for up to $8 million over data breach in 2014 connected to release of The Interview, a comedy set in North Korea.
  • Oct. 19. U.S. Magistrate Judge Laurel Beeler in San Francisco dismisses proposed class action lawsuit by Uber driver Sasha Antman over a data breach in February that resulted in the improper downloading of names and license numbers of 50,000 of the company’s drivers.
  • Oct. 19. Dow Jones denies that the intruders who breached its computer systems earlier this month were seeking information to be used for insider trading.
  • Oct. 19. Apple files brief in federal court in Brooklyn, New York, stating it’s impossible for it to access data on a locked iPhone running the latest version of iOS. However, it noted it can break into devices running older versions of iOS. The court is considering a request by the U.S. Justice Department that Apple be compelled to help authorities access an iPhone seized in an investigation.
  • Oct. 20. The High Court of Ireland orders an investigation of Facebook to ensure that data gathered from European Union users is properly protected from surveillance by U.S. government agencies.
  • Oct. 20. Sift Science releases “United States of Fraud Report,” finding users identifying themselves in the 85-90 age range are 2.5 times more likely to be fraudsters than the average user.
  • Oct. 20. South Korea’s National Intelligence Service reports North Korean hackers breached servers at Seoul’s presidential Blue House, stole government audit data from three computers belonging to members of the National Assembly, and removed sensitive data from 11 computers belonging to government aides.
  • Oct. 21. CounterTack|ManTech Cyber Solutions International releases a survey of 639 U.S. IT security practitioners finding that 35 percent of them believe they’ve been the target of a nation-state cyberattack.
  • Oct. 21. An Austrian appeals court overturns a lower court ruling that prevented law student Max Schrems from filing a lawsuit against Facebook for a number of rights violations, including its tracking of user data and its involvement with an NSA surveillance program.
  • Oct. 21. Online Trust Alliance and the National Association of Realtors release a smart home security and privacy checklist to be distributed to the association’s 1.1 million members and used to advise consumers buying or renting a home with smart features.
  • Oct. 22. For the third time in the last 12 months, British telecom provider TalkTalk’s website is breached, placing at risk records of some 4 million customers in the UK.
  • Oct. 22. Huffington Post reports FBI and Secret Service are investigating claims by a hacker that he robbed emails from personal accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson.
  • Oct. 22. G Data releases its first-half malware report for 2015, finding new malware strains increased 64.8 percent year over year, an average of 12 new strains per minute.
  • Oct. 22. Distil Networks releases 2015 bad bot landscape report finding one-third of $56 billion spent on online advertising annually goes to fraudulent activity.
  • Oct. 23. Victor Hobbs, an FAA aviation safety inspector, files a lawsuit in federal District Court in Idaho against the U.S. Office of Personnel Management because his personal information was compromised in data breach of that agency this year.

Upcoming Security Events

  • Oct. 28. The Cyber-Centric Enterprise. 8:15 a.m. ET. Virtual conference. Free with registration.
  • Oct. 28. Using Real-Time Threat Intelligence to Protect Patient Data. 1 p.m. ET. Dark Reading webinar. Free with registration.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: after Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 7. B-Sides Dallas/Fort Worth. UT Dallas, Science Learning Center building. Free.
  • Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
  • Nov. 10-13. Black Hat Europe. Amsterdam RAI, The Netherlands. Registration: before Nov. 6, 1,295 euros plus VAT; after Nov. 5, 1,495, plus VAT.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 13-14. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free with registration.
  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Oct. 9 — end users, 1,799 pounds plus VAT; solution providers, 2,799 pounds plus VAT. Before Oct. 30 — end users, 1,899 pounds plus VAT; solution providers, 2,899 pounds plus VAT. Standard — end users, 1,999 pounds plus VAT; solution providers, 2,999 pounds plus VAT.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
