Google aims to improve online security with new certificate service

Most of the internet relies on a system called public key identification in order to provide security and authentication between systems. This relies on a number of trusted parties generating these secure certificates, which other users may then verify so as to ensure encrypted data is being sent to the right organisation, for example.

However, this infrastructure is not as entirely secure as many organisations involved heavily in the web would like. For example, there have been allegations of politically-motivated attacks on so-called "Root Authorities" (who provide a trusted source for certificate signing) in recent weeks.

To this end, Google have announced a new initiative which developers may like to leverage in order to improve the security of certificates that they see. It comes in the form of an API through DNS lookup, which can be used to verify that a certificate has not been recently modified, indicating a likely hijacking attack.

The Google Certificate Catalog is a database that Google's crawlers construct when they encounter certificates when they crawl the web. When a certificate is looked up in the Catalog via a TXT DNS query, if it shows up then it must be correctly signed and be applicable to the correct domain. The response also returns the first day, most recent day, and total number of days Google has observed the certificate in that state. Combine these features together, and you have a powerful method of augmenting security checks on security certificates.

Google is aiming to get browser vendors on board with the API, as it has done with its Safe Browsing API, and if developers want to get started using the API they can check out the website.

You might also like...

Comments

Contribute

Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“It works on my machine.” - Anonymous