Put your trust in knowing untrusted certificate authorities

Confidence in browsing the web or conducting online transactions depends on the veracity of digital certificates that are issued by certificate authorities (CAs) to help ensure secure Internet connections. While it’s important to know which CAs can be trusted, Google has started to maintain a list of untrusted CAs, which it’s calling Submariner.

The company’s logs initially included just browser-trusted CAs, but Google wanted to include CAs that were once trusted and have since been withdrawn from root programs, as well as new CAs that are on the path to inclusion in browser-trusted roots. The company believes these CAs’ activities are still useful to keep track of.

Submariner will provide a public record of certificates that are not accepted by existing Google-operated logs. Google also wants third parties to suggest additional roots for potential inclusion in Submariner.

Both the good and bad of CAs have been on display over the last year. A site launched in December, called Let’s Encrypt, allows webmasters to easily obtain free and automated HTTPS certificates. There have also been misused and compromised CAs, and Google has had to block fraudulent certificates it found in Chrome. So having a place that people can check to see what’s happening on the untrusted side of CAs is a good balance.

About the Author

Brian Robinson is a freelance technology writer for GCN.
