Google is stepping up its involvement in web security, acquiring several root certificates so that it can issue digital (SSL/TLS) certificates itself rather than rely on third-party firms.
From today, any developer whose product connects to a Google service will need to include the two root certificates specified by Google. The search giant, operator of the world's most popular website, is now also its own root certificate authority (CA).
Google says it established its own root CA because it believes HTTPS, the protocol that encrypts traffic between users and websites, is key to the future of a more secure web.
“As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority,” Ryan Hurst, a security and privacy engineer at Google, said in a blog post.
Google has created a new company called Google Trust Services (GTS) LLC, which operates its own certificate authorities on behalf of Google and its parent company, Alphabet. GTS now oversees all of Google’s public key infrastructure and the issuance of digital security certificates.
While this will let Google accelerate the move to HTTPS for its own products, it also gives Google fuller control over certificates for its domains, including the ability to revoke them when necessary. Google, rather than a third party, will now oversee the validation that precedes issuance: checking that an applicant actually controls the domain named in the request and holds the private key matching the public key in it (the CA never sees the private key itself). Should anyone try to obtain a certificate for a Google domain, Google can deny the application.
Google has in the past reacted strongly to rogue and error-prone CAs that issued certificates for Google domains, since such certificates let their holders impersonate Google sites and intercept user communications.
That history includes a recently discovered blunder by Symantec, one of the largest CAs, which issued several certificates for domains without the domain owners' knowledge.
Google also threatened last year to distrust Symantec-issued certificates in Chrome after Symantec wrongly issued certificates for several Google domains. Had Google followed through, sites using Symantec certificates would have been flagged in Chrome as not secure.
CAs have on several occasions given cause to doubt their role in securing the web. Mozilla, the maker of Firefox, last year distrusted the Chinese CA WoSign for dubious behaviour, and before that distrusted the Chinese government CA CNNIC for issuing certificates that undermined trust.
Reactions on Y Combinator's Hacker News to Google becoming its own CA are mixed.
“You can now have a website secured by a certificate issued by a Google CA, hosted on Google web infrastructure, with a domain registered using Google Domains, resolved using Google Public DNS, going over Google Fiber, in Google Chrome on a Google Chromebook. Google has officially vertically integrated the Internet,” wrote one user.
On the other hand, what company is better placed than Google to verify Google domains?
“Instead of a third-party you trust (or rather, your user-agent trusts) vouching that Google's indeed Google, it's now Google vouching for itself, and you trust them by the virtue that they're Google. This ought not be surprising: presumably, who better to say that Google is indeed Google than Google itself?”
To launch its new CA, Google acquired several root certificates from GMO GlobalSign last August and took full control of them in December. It has now published them on its own site.
“Prior to 11 August 2016, the Roots R2, R4, GTS Root R1, GTS Root R2, GTS Root R3 and GTS Root R4 were operated by GMO GlobalSign, Inc. according to GMO GlobalSign, Inc.’s Certificate Policy and Certification Practice Statement. Between 11 August 2016 and 8 December 2016, Google Inc. operated these Roots according to Google Inc.’s Certification Practice Statement. As of 9 December 2016, Google Trust Services LLC operates these Roots under Google Trust Services LLC’s Certificate Policy and Certification Practice Statement,” Google says in its certificate policy document.
Hurst notes that going forward, any product that connects to Google properties will need to include the GS Root R3 and GeoTrust certificates.
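The practical consequence of that note is easy to reproduce. The script below is an added example, not part of the article and not Google's or GTS's code: it builds a throwaway PKI with the openssl command-line tool, issues a leaf certificate under a "new" root, and shows that a client whose embedded trust store only carries the "legacy" root rejects the leaf, while a store that also ships the new root accepts it. All names (Legacy Root, New Root, www.example.test) are constructed for the demonstration; none of them is a real GlobalSign or GTS root.

```shell
#!/bin/sh
# Added example (not from the article or from Google): why a product that
# embeds its own root set must ship the roots the CA now signs under.
# Requires the openssl CLI; all certificate names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA certificate (openssl req -x509 marks it CA:TRUE by default).
make_root() {                       # $1 = file stem, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# End-entity certificate for hostname $2, signed by the root in $1.
# The CA only ever sees the CSR (public key + self-signature), never the key.
issue_leaf() {                      # $1 = root stem, $2 = hostname
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Emulates a client whose trust store is exactly the roots listed in $1
# (space-separated root stems). Prints "trusted" when the leaf for $2 chains
# to one of them and "untrusted" otherwise; always exits 0 so the caller
# decides what a rejection means.
check_with_store() {
  store="$WORK/store.pem"
  : > "$store"
  for r in $1; do cat "$WORK/$r.pem" >> "$store"; done
  if openssl verify -CAfile "$store" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_root legacy "Legacy Root"
make_root new "New Root"
issue_leaf new www.example.test     # the CA has moved issuance to the new root

echo "legacy store only: $(check_with_store legacy www.example.test)"        # untrusted
echo "legacy + new:      $(check_with_store 'legacy new' www.example.test)"  # trusted
```

The point is the failure mode, not the openssl incantation: a device or library that pins a fixed root list keeps working only as long as that list contains every root the CA may chain to, which is exactly why the new roots have to be added to embedded stores before issuance moves to them.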