It isn't always easy to tell with the SSL system when a certificate authority should be trusted, but Google's Submariner attempts to bring webmasters and users the level of details that can answer the question.
On the Web, behind the scenes, certificate authorities issue credentials for domains and other Internet resources. There are rules in place to make sure the entity requesting the certificate is the legitimate owner, but cyber criminals have successfully obtained fraudulent certificates in the past. This complicates the mission for Google’s Certificate Transparency project, which lets webmasters and users look at all certificates issued by a certificate authority -- but can't include certificates that are no longer trusted.
Submariner fills that gap by listing certificate authorities that were once trusted, but have been withdrawn from Google's root program, said Martin Smith, a software engineer with Google’s Certificate Transparency team. Submariner also includes new certificate authorities that are in the pipeline but have not yet been added to the trusted list by Google's root.
The log will “provide a public record of certificates that are not accepted by the existing Google-operated logs,” Smith said. Initially, Submariner includes certificates chaining up to VeriSign G1 roots, which was discontinued by Symantec in early December. The log also includes roots that are pending inclusion in Mozilla.
Cryptographic keys and digital certificates provide the foundations of online trust and cyber security, which is why certificate reputation is important, said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. By design, certificates are natively trusted by servers and security applications, which helps cyber criminals and other adversaries trying to look like a legitimate entity. With Submariner, it's easier to tell which certificate authorities should not be trusted, so webmasters can avoid mistakenly issued certificates. For example, Dell's eDellroot debacle showed how simple it was to get an unknown root certificate authority to be trusted.
“As we move to an increasingly connected IoT world, with new agile development methods, the number of certificates being issued is exploding. This is making the challenge of knowing what can and can’t be trusted even more obscure and hackers are waiting to profit from the chaos,” Bocek said.
The challenge of knowing whom to trust
For the most part, webmasters have to rely on companies like Google, Mozilla, Microsoft, and Apple to keep the list of trusted certificate authorities up-to-date so that operating systems and browsers know which to accept and which are suspect. Submariner doesn't change the balance of power, but it gives webmasters access to the information.
For example, there is ample evidence that China Internet Network Information Center (CNNIC) -- the Chinese government’s certificate authority -- has misused keys and certificates to conduct man-in-the-middle attacks against users and issued certificates letting adversaries intercept encrypted traffic, Bocek said. Only a year ago, CNNIC was accused of issuing fraudulent certificates for google.com, prompting Google and Mozilla to blacklist the certificate authority. Microsoft, to this day, considers CNNIC a trusted authority, despite past history. Apple initially did nothing, but later moved to limit trust to specific sites.
"When Apple did take action, it was only partial action as it blocked some CNNIC sites and not others," Bocek said. “These companies are making decisions that impact our privacy and security based on self-interest, and that is a worrying situation."
“These decisions and many others about the foundation of Internet security established by digital certificates are made without the knowledge or ability to change by the average user.”
Avoid the bad certificates
Getting a valid HTTPS certificate used to be a cumbersome and time-consuming process, but Let’s Encrypt and similar programs are making it easier for webmasters to request and receive free and automated certificates. However, in several recent instances, certificate authorities have mistakenly issued certificates when they shouldn’t have been able to or have been compromised.
Last fall, Google discovered through its Certificate Transparency project that Symantec had issued an Extended Validation (EV) certificate for google.com without the company’s knowledge. Though the certificates turned out to be for testing and never left Symantec, Google was concerned that Symantec had issued 164 test certificates for 76 domains it didn’t own, and 2,458 certificates for domains that hadn’t been registered. Then there’s StarCom, the sixth-largest certificate authority in the world; it recently fixed a vulnerability in its domain validation process that could be abused by attackers to issue free StartSSL certificates for domains they do not own.