cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
vt100
Community Champion

Certificate logging by CAs

Google starting to enforce the certificate logging by issuing CAs. For now, non-logged freshly issued certificates will be labeled with notification sign. Legacy certs will be accepted normally.

HTTPS.jpg

 

 

 

 

How do you see this development impacting future of online security and privacy?

10 Replies
Beads
Advocate I

Seems to be great if your a trained InfoSec person. Anyone else is likely to pause and think, "Whatever" and move on.

 

No, I think the browsers will have to be a bit more nanny-ish without getting to in your face and stopping all browsing while you acknowledge this is a new certificate/approach with caution.

 

Google maybe doing some of this in preparation for TLS 1.3 which has some added safeguards. Full disclosure I have finished little less than half of the final draft for TLS 1.3 but will take a second look for something related. Just curious at this time.

Flyslinger2
Community Champion

This is policy enforced by the big gorilla.  Instead of having a policy vetted by Internet organizations, public review and comment and collaboration with industry and government, Google took it upon themselves to ram this down everyone's throats.

 

I want everyone to wear plaid on Wednesdays. If you don't I'm going to remotely lock your pantry so you can't eat. Oh, but wait, I'm no one so this will never happen.

Baechle
Advocate I

v,

 


@vt100 wrote:

How do you see this development impacting future of online security and privacy?


The impact that I see is a lot of people moving back to Firefox/Iceweasel.

 

In my personal assessment, this does not seriously do anything to positively impact the current status quo for web security. In fact, it creates an annoyance barrier to normal use of a single product that I believe people will (temporarily) abandon if it becomes too much of a nuisance.  

 

I fail to see how this framework increases security at this point.  Malicious certificates are still being purchased and issued.  Logs of certificate issuance is being kept for administrative purposes (such as later placing a certificate on a revocation list).  Requiring my browser to go out and parse what I can only imagine is a much larger data set in the logs to double-verify a certificate that is currently valid due to having a non-revoked parent CA signature seems like an incredible waste of time, bandwidth, and processing resources.  If a certificate was issued fraudulently, it was still issued regardless of if its placed in a public log or not.  

 

The question that I think that needs answering is, what protocol should be used to detect the issuance of fraudulent certificates or to malicious users?  I don't think this is it.

 

Sincerely,

 

Eric B.

Flyslinger2
Community Champion


 

I fail to see how this framework increases security at this point.  Malicious certificates are still being purchased and issued.  Logs of certificate issuance is being kept for administrative purposes (such as later placing a certificate on a revocation list).  Requiring my browser to go out and parse what I can only imagine is a much larger data set in the logs to double-verify a certificate that is currently valid due to having a non-revoked parent CA signature seems like an incredible waste of time, bandwidth, and processing resources.  If a certificate was issued fraudulently, it was still issued regardless of if its placed in a public log or not.  

 

The question that I think that needs answering is, what protocol should be used to detect the issuance of fraudulent certificates or to malicious users?  I don't think this is it.

 

Sincerely,

 

Eric B.


Eric,

 

My last project was improving the PKI/IAM for a large US Federal Agency.  We were caught up in this Google fiasco to the point where we had to reissue almost all of our internal certs on the off chance that the agency would come to a screeching halt when this was enacted. Sadly, this agency was also a Google house.  

I have been a proponent of Firefox from the time when it used to be Mozilla.  You are not caught up in business malarky, politics, etc.  I stay away from IE, Google and any other corporately owned browser.

vt100
Community Champion

If you'll get a chance, please expand on your experience mentioned here:

"My last project was improving the PKI/IAM for a large US Federal Agency.  We were caught up in this Google fiasco to the point where we had to reissue almost all of our internal certs on the off chance that the agency would come to a screeching halt when this was enacted. Sadly, this agency was also a Google house."

 

I'd like to better understand the relationship between certs issued by internal CAs and their interaction with Chrome.

 

As to the preference for the Firefox, I agree in principal, but their enterprise management tool is just a few months old and there is no proven track record of its effectiveness but I am keeping an eye on it.

 

From compatibility point of view, the whole situation with browsers is a mess, especially concerning management portals of various appliances. Of late, I had better luck with Opera than Firefox.

 

Not sure where the Iceweasel is from the centralized administration point of view, but it can't be far behind Firefox. Seems unlikely that it'll be adapted in the corporate environments though, as those in general rely on more mainstream browsers, as recognized by policy writers.

Flyslinger2
Community Champion

It's simple. Internal CA's are not trusted by Google.  You have a lot of work to go through to get them approved.

 

I wouldn't recommend Chrome to anyone.

vt100
Community Champion

You mean companies are actually required to register their internal CAs with Google?

If so, any pointers on procedures and gotchas will be appreciated.

Baechle
Advocate I


@vt100 wrote:

You mean companies are actually required to register their internal CAs with Google?

If so, any pointers on procedures and gotchas will be appreciated.


I'm sure there's still a method to import your internal CA certificates for internal use.  

 

If you have your own CA for your external facing sites though, that's a different story.

Flyslinger2
Community Champion

Because the customer was a Google house they had their own google console to make this happen. I do not have an answer for the company that is not a Google house and has their own CA.