The ‘Certificate Transparency’ Initiative

Before we get into what Certificate Transparency is and why Google is currently running an initiative to implement it, let’s understand a bit of the background.

 
In 2011, the CA DigiNotar’s systems were hacked and a certificate was issued in the name of Google to an entity that was not Google. Speculation at the time was that the entity in question was a government body of Iran. When internet users in Iran tried to access Google, they were taken to a server which hosted this bogus certificate and which acted as a man-in-the-middle, listening in on conversations. Users across ISPs in Iran experienced this behaviour. Additionally, this behaviour was noticeable sporadically for an hour or two a day. DigiNotar subsequently revoked the certificate.
 
Under the PKI system of things, DigiNotar was a trusted Certifying Authority: people trusted it to issue digital certificates to organisations after duly ensuring the authenticity of the organisation requesting the certificate. DigiNotar failed in this aspect by issuing more than 500 fake certificates. Major web browsers reacted to this large-scale issuance of fake certificates by blacklisting the CA itself. The Dutch government took over operation of the CA and in the same month DigiNotar declared bankruptcy.
 
The reason a hack like this was able to take place (other than the fact that DigiNotar did not perform its duties effectively) was that no one was checking whether the certificates issued by the various CAs were indeed correct and issued to the right organisation.
 
This checking is what the Certificate Transparency initiative is all about.
 

 
The certificates issued will be stored in one or more central repositories, and independent authorities can verify the certificates issued. Browsers can be built to perform the same checks.
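
The check an independent party runs over such a repository can be sketched as follows. This is an added example, not code from the initiative: the entry format is a simplified assumption (only names and issuer, where a real log holds full certificates), and the domain names, CA names and the `EXPECTED_ISSUERS` policy are constructed.

```python
# Constructed, simplified log entries: only the fields a monitor compares
# are modelled here; a real log stores complete certificates.
SAMPLE_LOG = [
    {"index": 0, "issuer": "Example Trusted CA", "names": ["www.example.com"]},
    {"index": 1, "issuer": "Unrelated CA", "names": ["shop.example.net"]},
    {"index": 2, "issuer": "Compromised CA", "names": ["*.example.com"]},
    {"index": 3, "issuer": "Compromised CA", "names": ["notexample.com"]},
    {"index": 4, "issuer": "Compromised CA",
     "names": ["mail.other.org", "LOGIN.EXAMPLE.COM."]},
]

# Hypothetical policy of a domain owner: which CAs may issue for its domain.
EXPECTED_ISSUERS = {"example.com": {"Example Trusted CA"}}


def covers(cert_name, domain):
    """True if a certificate name is the watched domain or sits under it."""
    name = cert_name.lower().rstrip(".")   # DNS names are case-insensitive
    if name.startswith("*."):              # a wildcard covers the parent zone
        name = name[2:]
    # Match on a label boundary so "notexample.com" is not mistaken
    # for a name under "example.com".
    return name == domain or name.endswith("." + domain)


def find_unexpected(entries, expected):
    """Return (index, domain, issuer, names) for certificates issued for a
    watched domain by a CA that the domain owner does not use."""
    findings = []
    for entry in entries:
        for domain, issuers in expected.items():
            hits = [n for n in entry["names"] if covers(n, domain)]
            if hits and entry["issuer"] not in issuers:
                findings.append((entry["index"], domain, entry["issuer"], hits))
    return findings


if __name__ == "__main__":
    for index, domain, issuer, names in find_unexpected(SAMPLE_LOG, EXPECTED_ISSUERS):
        print(f"entry {index}: {issuer} issued {names} for watched domain {domain}")
```
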
 
As of this writing, Google has started a logging service and also updated its Chrome browser (version 33 onwards) to support the feature. Some CAs like DigiCert have also started supporting the initiative.
 
It’s anybody’s guess whether this initiative will be a success and can indeed plug some of the loopholes in the PKI/SSL model.
