Google has just published a new log within its Certificate Transparency project.

Specifically, this log lists the certificate authorities that are deemed untrustworthy and rejected by Chrome, as well as the certificate authorities that are in the process of being approved by browsers.

Kevin Bocek, VP Threat Intelligence and Security Strategy at Venafi, points out that Google has a good reputation in this area, unlike Apple and Microsoft, which have preferred to put their profits ahead of data privacy by refusing to block untrustworthy certificate authorities such as CNNIC. The aim is not so much to protect against forged certificates as against certificates issued by legitimate authorities without the approval of the domain name's owner, and thereby to improve the overall security of communications on the Internet. He comments:
« This is a significant step by Google, and a welcome one. Cryptographic keys and digital certificates are powerful and provide the foundations of online trust and cybersecurity. By design, they are natively trusted by servers and other security applications to provide privacy and authorisation for everything that is IP-based today, including servers, clouds, mobile devices, applications and Internet of Things (IoT) devices. Yet this same blind trust is being misused against organisations by cybercriminals so they can appear trusted and monitor and impersonate their targets to execute attacks and steal data. As we move to an increasingly connected IoT world, with new agile development methods, the number of certificates being issued is exploding. This is making the challenge of knowing what can and can’t be trusted even more obscure and hackers are waiting to profit from the chaos. Certificate reputation is therefore increasingly important, for businesses and consumers alike. 

It is good to see that – once again – Google is leading the charge here; judging by past behaviour, I would be doubtful if Apple and Microsoft will follow as they have a tendency to put profits before privacy. For example, there is ample evidence that the China Internet Network Information Center (CNNIC) – the Chinese government’s certificate authority and the organisation responsible for the ‘Great Firewall of China’ – has misused keys and certificates to conduct man-in-the-middle attacks, issuing certificates that enable bad guys to intercept encrypted traffic so that users’ emails, contacts and passwords could be logged by the attackers. 

Last March, CNNIC was shown to have issued a number of fraudulent certificates for In the wake of these incidents, Google and Mozilla blacklisted CNNIC to ensure that their users are protected and made a statement to that effect. Apple ignored the issue at first, and then in July, it took the belated move to limit trust of CNNIC to specific sites. In short, it took three months and then when Apple did take action, it was only partial action as it only blocked some CNNIC sites and not others. Microsoft has remained silent and continues to include CNNIC as a trusted CA. 

So why are Apple and Microsoft continuing to trust CNNIC, despite the obvious security vulnerabilities? Simply put – money. China is a huge market and neither Microsoft nor Apple is willing to give up this slice of the pie. Essentially, these companies are making decisions that impact our privacy and security based on self-interest, and that is a worrying situation. This incident illustrates the fact that technology companies are making security and privacy decisions about who and what our devices trust in a way that is driven by revenue concerns and profit margins, and not by security and privacy. Unfortunately, these decisions and many others about the foundation of Internet security established by digital certificates are made without the knowledge or ability to change by the average user. »