Google fights to make HTTPS safe

A number of hack attacks recently have made many question the fundamental security of the Internet -- hack attacks that have brought into question a system that until now was considered be bullet-proof. However, with appropriate good timing, two new security schemes are coming to the rescue.

HTTPS Hacks: A Brief Synopsis

Hypertext Transfer Protocol Secure -- or HTTPS -- is the technical name for the padlock system used within Web browsers that shows if a secure connection is in use. It’s typically used by online banking sites and Webmail providers, and it relies on a document known as a security certificate, which is issued by a trusted number of certificate authorities (CAs) around the world. Web browsers use these certificates to verify the authenticity of various sites.

However, in March a hacker (or hacker group) called Ich Sun accessed the computer systems for Comodo -- the second largest CA in the world -- and used its systems to issue frudulent certificates for Google, Yahoo, Skype, and Hotmail, amongst others. These certificates could be used to make a fake site look legitimate. The certificates were hastily revoked once the hack was discovered, and Microsoft issued an update to ensure that Windows users weren’t duped.

A few days ago, Ich Sun hit the headlines again, this time claiming to have breached several more CA systems. It’s not clear if Ich Sun issued any other certificates at this time.

This sort of certificate theft isn’t a huge threat unless it’s used as part of a highly sophisticated hack attack involving taking control of Internet domain-name servers. Feasibly, Ich Sun could have issued certificates for domains that look like the real deal -- rather than, for example. These could then have been used in phishing attacks in which people, seeing the trusted padlock symbol provided by the fraudulent certificate, simply wouldn’t be see they were being fooled.

But help is on the way.

New Security for New Threats

The first new development is DNSSEC, as I explained in my earlier story. Assuming this takes off over the coming years (it was only enabled for the .com domain last Thursday), it should provide a reasonable method of proving that we’re connected to the site our browser says we are.

Secondly, Google has begun building what it calls the Google Certificate Catalog. This is a Web-accessible database of what Google considers to be valid security certificates. It’s updated as frequently as Google’s search catalog because the same Web crawler bots collect the data.

Although it’s at an early stage right now, the catalog indicates not only if a certificate should be considered valid but also for how long Google has known about it. The simple concept is that, if the Google Certificate Catalog doesn’t know about a certificate, it should be considered questionable.

It’s possible to probe the database right now but it’s not easy and requires a Linux or Mac command-line (the database is stored in the form of a domain-name server so can be queried easily). In future there’s a chance the feature will be built-into browsers like Google Chrome or Mozilla Firefox although it will have to be a user-selected option because the results will require interpretation -- a certificate that’s only been in the database for one day doesn’t necessarily indicate shenanigans, for example. It could be that the certificate has recently been renewed.

The project is very similar to Perspectives, an open system created by a handful of security researchers. However, Google’s system has the simple advantage of being created by an Internet heavyweight. Google says the catalog is available to whoever wishes to use it.

Many are suggesting that the Comodo attack along with others from Anonymous over the wikileaks affair are beginning to expose how insecure the Web is now the 21st century is under way. This is certainly a challenging time but with companies like Google, Mozilla and Microsoft providing frequent updates to their browsers, along with technological advancements, there’s no evidence to suggest that technology has stagnated and that we can’t keep abreast of current events.

Join the CSO newsletter!

Error: Please check your email address.

Tags GooglesecurityHTTPS

More about ComodoGoogleHotmailLinuxMicrosoftMozillaSECSkypeYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Keir Thomas

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts