Criminals are about to lose a reliable attack vector for malware infection and phishing, thanks to Google's Certificate Transparency initiative that will force websites to enforce proper certificate security within a year.
Stolen and mis-issued SSL certificates allow attackers to spin up malicious sites that pass browser security checks, making near-perfect replica sites possible. When those sites impersonate online banking or other services that see punters hand over credentials or credit card details, unpleasant consequences aren't far behind.
Google's Certificate Transparency initiative, adopted as a standard by the Internet Engineering Task Force, helps to shutter the attack vector by flagging sites with unauthorised certificates and labelling those that do not subscribe to the initiative as untrusted.
Certificate Authorities must comply with the scheme to avoid their customers' sites being labelled as untrusted.
Those authorities that sign on will demonstrate that certificates are legitimate, and not incorrectly issued for the wrong domains.
It would seek to end incidents like certificate authority WoSign's handing of the base certificate for GitHub to British programmer Gervase Markham in August, one of the latest in a line of similar blunders.
The theory is that opening the issuance of SSL certificates to greater scrutiny by domain owners, users, and certificate authorities will make it "very difficult" for criminals to obtain an SSL certificate for domains they do not own.
If criminals gain such a certificate from a dodgy or incompetent authority, affected domain owners and others will be notified.
Google software engineer Ryan Sleevi says by this time next year Chrome users, who comprise around half of all net surfers, will be told sites that do not comply with Certificate Transparency must be considered dangerous.
"This past week at the 39th meeting of the CA/Browser Forum, the Chrome team announced plans that publicly trusted website certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency policy in order to be trusted by Chrome," Sleevi writes.
"The Chrome Team believes that the Certificate Transparency ecosystem has advanced sufficiently that October 2017 is an achievable and realistic goal for this requirement."
Sleevi says Certificate Transparency has "profoundly altered how browsers, site owners, and relying parties" are able to detect fake certificates and flag those as bad.
Google has asked irked certificate authorities to forward their thoughts on the initiative for consideration.
The initiative determines bad certificates using logs, public server monitors, and lightweight software auditors. ®
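To make the log, monitor and auditor roles above concrete, here is an added example (not from the article, and not Google's or any CT log operator's code) that builds an RFC 6962 Merkle tree over a constructed set of log entries, produces an inclusion proof for one entry and checks it the way a lightweight auditor would, and then plays the monitor's part by flagging entries that name a watched domain but were issued by a CA the domain owner does not expect. The log entries, domain names and CA names are all constructed; real log leaves wrap the DER-encoded certificate in a MerkleTreeLeaf structure rather than the string stand-in used here.

```python
"""Toy Certificate Transparency auditor and monitor (added example; constructed data)."""
import hashlib

LEAF_PREFIX = b"\x00"   # RFC 6962: leaf hash is SHA-256(0x00 || entry)
NODE_PREFIX = b"\x01"   # interior node is SHA-256(0x01 || left || right)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    return sha256(LEAF_PREFIX + entry)


def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def tree_hash(entries: list) -> bytes:
    """Merkle Tree Hash over an ordered list of log entries (RFC 6962 section 2.1)."""
    if not entries:
        return sha256(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return sha256(NODE_PREFIX + tree_hash(entries[:k]) + tree_hash(entries[k:]))


def inclusion_proof(entries: list, m: int) -> list:
    """Audit path for entry m, ordered from the leaf's sibling up towards the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [tree_hash(entries[:k])]


def root_from_proof(lh: bytes, m: int, n: int, path: list) -> bytes:
    """Recompute the root implied by a leaf hash and its audit path."""
    if n == 1:
        if path:
            raise ValueError("proof too long")
        return lh
    if not path:
        raise ValueError("proof too short")
    k = _split(n)
    sibling = path[-1]
    if m < k:
        return sha256(NODE_PREFIX + root_from_proof(lh, m, k, path[:-1]) + sibling)
    return sha256(NODE_PREFIX + sibling + root_from_proof(lh, m - k, n - k, path[:-1]))


def verify_inclusion(entry: bytes, m: int, n: int, path: list, root: bytes) -> bool:
    """Auditor check: the entry really sits at index m of a log of size n with this root hash."""
    if not 0 <= m < n:
        return False
    try:
        return root_from_proof(leaf_hash(entry), m, n, path) == root
    except ValueError:
        return False


# Constructed log entries as (issuer, [domains]); the "Sketchy CA" entry is the
# kind of mis-issuance a domain owner's monitor should surface.
SAMPLE_LOG = [
    ("Example Root CA", ["example.com", "www.example.com"]),
    ("Example Root CA", ["mail.example.com"]),
    ("Other CA", ["unrelated.org"]),
    ("Sketchy CA", ["example.com", "login.example.com"]),
    ("Other CA", ["shop.example.net"]),
]


def encode_entry(issuer: str, domains: list) -> bytes:
    return f"{issuer}|{','.join(domains)}".encode()


def _covers(name: str, watched: str) -> bool:
    return name == watched or name.endswith("." + watched)


def unexpected_issuances(log: list, watched: set, expected_issuers: set) -> list:
    """Monitor view: indices of entries naming a watched domain (or a subdomain of it)
    whose issuer is not one the domain owner expects."""
    hits = []
    for idx, (issuer, domains) in enumerate(log):
        if issuer in expected_issuers:
            continue
        if any(_covers(d, w) for d in domains for w in watched):
            hits.append(idx)
    return hits


def demo() -> dict:
    entries = [encode_entry(i, d) for i, d in SAMPLE_LOG]
    root = tree_hash(entries)
    proofs_ok = all(
        verify_inclusion(entries[m], m, len(entries), inclusion_proof(entries, m), root)
        for m in range(len(entries))
    )
    # An entry that was never logged must not verify against the real root.
    forged = encode_entry("Sketchy CA", ["example.com"])
    forged_ok = verify_inclusion(forged, 3, len(entries), inclusion_proof(entries, 3), root)
    flagged = unexpected_issuances(SAMPLE_LOG, {"example.com"}, {"Example Root CA"})
    return {"proofs_ok": proofs_ok, "forged_ok": forged_ok, "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports that every logged entry verifies against the tree head, that the unlogged entry does not, and that entry 3 (a certificate for example.com from an unexpected issuer) is the one a monitor for that domain would raise; the sibling ordering in `root_from_proof` mirrors the path construction in `inclusion_proof` exactly, which is the part that is easy to get wrong in a hand-rolled auditor.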