Several Firms Float New Ideas Around SSL Certificate Security

A screenshot from the draft of the DANE charter on the IETF website

(WEB HOST INDUSTRY REVIEW) — According to several reports published Monday, a few companies involved in Internet security are floating some new ideas around SSL security in the wake of the breach of several Comodo resellers that led to the issuing of certificates for several firms just over a week ago.

In a post made Friday to the Google Online Security Blog, Ben Laurie of the Google Security Team described several of the efforts the search giant (and browser-builder) is involved in to help tighten security around domains and SSL certificates.

The first is extending the usability of the Google Certificate Catalog, a database of records related to SSL certificates encountered by the company’s web crawlers. The catalog includes information on the first day the Google crawlers encountered a certificate, the most recent day they encountered it, and the number of days they saw it in between.

“The basic idea,” writes Laurie, “is that if a certificate doesn’t appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate.”

Currently, the information can be accessed programmatically, but it is difficult to get at manually. The company, he says, is talking about adding opt-in support to Chrome, and hopes that other browser manufacturers would follow suit.

The effect of this, he says, would be a system that could automatically flag a potentially compromised certificate without a person having to notice it.

The second effort in which Google takes part is the DANE working group at the Internet Engineering Task Force. DANE, which stands for DNS-based Authentication of Named Entities, was one of the subjects addressed at the IETF’s 80th meeting, held last week in Prague, Czech Republic.

DANE would bind some of the functions of DNSSEC – which enables zone operators to sign and encrypt DNS information for a given domain, a security and trust enhancement in and of itself – to other public key-related security tools, SSL certificates being the most relevant example in this case.

A detailed description of the DANE effort is available in the group’s charter on the IETF site.

Additionally, according to a report posted Monday on security publication The H, Comodo vice president Philip Hallam-Baker delivered a presentation at last week’s IETF meeting in which he proposed that a new resource record be added to the DNS specifying which certification authorities are entitled to issue certificates for that domain. The proposal draft was co-authored by two others at Comodo and by Google’s Laurie.

Without DNSSEC, says The H report, the proposed new record would itself be susceptible to spoofing, and the draft proposes that DNSSEC be optional.
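As an added illustration (not code from the article, nor from Google, Comodo or the IETF), the following toy evaluator combines the two signals the article describes: the Certificate Catalog check for a correctly signed but never-seen certificate, and a hypothetical DNS record naming the CAs authorized to issue for a domain, with the spoofing caveat that applies when the answer was not DNSSEC-validated. Record shapes, field names and all sample data are constructed for illustration.

```python
# Added example: toy policy evaluator for the two ideas in the article.
# Record shapes, field names and sample data are constructed, not real formats.
from dataclasses import dataclass
from datetime import date

@dataclass
class Certificate:
    domain: str
    issuer: str          # name of the issuing CA
    fingerprint: str     # constructed catalog key, not a real hash
    chain_valid: bool    # correctly signed by a well-known CA, name matches

@dataclass
class CatalogEntry:      # the three facts the article says the catalog records
    first_seen: date
    last_seen: date
    days_seen: int

@dataclass
class DnsAnswer:         # hypothetical "authorized issuer" records for a domain
    authorized_issuers: list
    dnssec_validated: bool   # did the resolver validate the answer with DNSSEC?

def evaluate(cert, catalog, dns):
    """Return warning strings; an empty list means no red flags."""
    if not cert.chain_valid:
        return ["chain invalid: reject before consulting other signals"]
    warnings = []
    # Catalog signal: a validly signed, name-matching certificate that the
    # crawlers have never encountered is suspicious on its own.
    if cert.fingerprint not in catalog:
        warnings.append("certificate never seen by crawlers")
    # Issuer-authorization signal: does the domain's DNS name this CA?
    if dns.authorized_issuers and cert.issuer not in dns.authorized_issuers:
        warnings.append(f"issuer {cert.issuer} not authorized by domain's DNS")
    # Caveat from the article: without DNSSEC the record itself can be spoofed,
    # so even a permissive answer must not be taken at face value.
    if dns.authorized_issuers and not dns.dnssec_validated:
        warnings.append("issuer authorization not DNSSEC-validated; could be spoofed")
    return warnings

# Constructed sample data: one long-observed certificate, one never seen before.
CATALOG = {"fp-legit": CatalogEntry(date(2010, 6, 1), date(2011, 3, 28), 300)}
LEGIT = Certificate("example.com", "GoodCA", "fp-legit", chain_valid=True)
ROGUE = Certificate("example.com", "OtherCA", "fp-new", chain_valid=True)

def demo():
    signed = DnsAnswer(["GoodCA"], dnssec_validated=True)
    unsigned = DnsAnswer(["GoodCA"], dnssec_validated=False)
    return {"legit": evaluate(LEGIT, CATALOG, signed),
            "rogue": evaluate(ROGUE, CATALOG, signed),
            "rogue_no_dnssec": evaluate(ROGUE, CATALOG, unsigned)}
```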

Liam Eagle

About

Liam Eagle has worked as a contributor to the Web Host Industry Review since its inception in 2000, and as editor since 2003. He has been editor of the WHIR's print magazine since its launch. His daily involvement in the gathering and reporting of Web hosting news and his regular interaction with Web hosting leaders give him an uncommonly broad appreciation of the issues and trends facing the business. Through his WHIR blog, Liam spots Web hosting trends and offers opinions on the industry-wide impacts of major developments and the motivation behind big announcements. Follow him on Twitter @liameagle
