Google publishes list of Certificate Authorities it doesn't trust
Thawte experiment aims to expose issuers of dodgy creds
Google's announced another expansion to the security information offered in its transparency projects: it's now going to track certificates you might not want to trust.
Certificate Authorities (CAs) that your browser (or smartphone) trusts have a suitable entry in “settings”, but if a site presents a certificate from an unknown source, the user is prompted about what to do.
Since users too often click through those warnings, Google's decided that a list of untrusted CAs might be useful to developers and sysadmins.
Mountain View's software engineer, certificate transparency Martin Smith writes that while browser-trusted Certificate Authorities (CAs) are easy to keep track of, there are two classes of CAs that pose a much harder problem.
CAs that have been withdrawn from the trusted list, and new CAs that are on track for inclusion.
“Including these in trusted logs is problematic for several reasons, including uncertainties around revocation policies and the possibility of cross-signing attacks being attempted by malicious third-parties”, Smith writes.
Mountain View has dubbed the new Certificate Transparency log “Submariner”, and hosts it at ct.googleapis.com/submariner. Smith notes that it has the same API as Google's existing CA logs.
The post hints that last year's Symantec certificate SNAFU provided some of the impetus to create a lookup of untrustworthy certificates. Symantec's subsidiary Thawte.com created a bunch of dodgy certificates for internal use – including one for Google.com – that escaped into the outside world.
Those certificates are included on the don't-trust-this Submariner list: “Initially, Submariner includes certificates chaining up to the set of root certificates that Symantec recently announced it had discontinued, as well as a collection of additional roots suggested to us that are pending inclusion in Mozilla”, the post says.
While the log provides “a public record of certificates that are not accepted by the existing Google-operated logs”, the list itself won't be trusted by Chrome. ®