Creating a more secure internet with Certificate Transparency

Meet Linus Nordberg, a NORDUnet software developer on a mission: Making the internet safer for everyone, and working together with Google to make it happen.

The technology is called Certificate Transparency, and is designed to create a more secure internet. Google is the main force behind the development and implementation of Certificate Transparency, but others are taking part as well. Linus and his colleague Magnus Ahltorp have been working on some important pieces of the puzzle since autumn 2014, financed by GÉANT and NORDUnet.
Linus explains:
“Certificates are used to authenticate websites and to create an encrypted channel between client and server. This allows a user to be sure that a website claiming to be her bank is actually her bank and not an imposter trying to trick her, and it prevents outsiders from listening to the transactions. But there are loopholes in the SSL certificate technology currently used. The issue is ‘misissuance’, i.e. a certification authority having a key compromised, fooled into signing the wrong thing or just being sloppy with what they sign.”

SSL certificates open to scrutiny
“What we are doing is creating transparency by making the issuance and existence of SSL certificates open to scrutiny by domain owners and certification authorities. Certificate Transparency makes it possible for domain owners (i.e. the customers of certification authorities) to check that a certificate for their domain name isn’t issued by anyone other than ‘their’ certification authority, and not at any time they wouldn’t expect.”
“We’re creating an open framework of certificate logs. In this way we can detect security breaches and prevent them from spreading. Certificate Transparency will be a big step forward in protecting the internet, provided it will spread widely to browser vendors and certification authorities.”

Few certificate logs
According to Linus, NRENs have an important role to play in developing and spreading Certificate Transparency.
“For one thing, NRENs have the resources and the infrastructure to run a certificate log. And also, it is in their best interest to make the internet safer for their users. For now NORDUnet is the only organisation besides Google and a group of certificate authorities to run a certificate log. Unlike these logs, our implementation is designed for sharing, helping smaller organisations to team up and run a log together.”
The NORDUnet log has been up and running for a year now, and at the end of 2015 NORDUnet submitted it for inclusion in Chrome.
“We hope that it will be included in the security setup of the Google Chrome browser. But that’s not our call,” says Linus Nordberg.

Into the mainstream
When asked about Certificate Transparency finding its way into the mainstream of the internet, Linus Nordberg points to the big browser vendors:
“You have to ask Mozilla, Apple and Microsoft. The browser vendors are a very important key to implementing Certificate Transparency on a large scale. For now, only Google Chrome runs this feature. If you are a Chrome user you may have noticed the URL bar turning red or green – green meaning that the URL has been verified by at least three logs. Furthermore, Firefox is working on the technology as well.”
Linus Nordberg points out that, although not yet widely deployed, Certificate Transparency is already making a difference.
“It is already forcing certification authorities to correct mistakes. As an example, the Certificate Transparency logs discovered that in September Symantec had issued test certificates, due to a mistake made during a Symantec-internal testing process.”

Catch a lying log
Apart from setting up a certificate log, Linus Nordberg is also working on designing a protocol to “catch a lying log”: a so-called gossip system that prevents attackers from succeeding in creating a split view, i.e. presenting different views of the log to different users.
“That is quite a challenge. You need to produce an efficient gossip protocol without compromising the privacy of the user. You have to do it without revealing browser history, and that is difficult.”
Currently 5.9 million certificates are stored on the NORDUnet certificate log server. The NORDUnet and GÉANT Certificate Transparency project runs until April 2016.
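The split view Linus describes can be made concrete with a toy log. The Python below is an added illustration written for this article, not NORDUnet's, Google's or any real log's software: it builds an RFC 6962-style Merkle tree over constructed sample entries, produces consistency proofs, and shows how two clients that compare the signed tree heads (STHs) they received catch a log that showed them different trees. The function names (`gossip_check`, `demo`) and the sample entries are assumptions made for the illustration; the hashing and the proof construction and verification follow RFC 6962 and RFC 9162.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical minimal RFC 6962-style log; illustration only, not any real log's code.

def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256 over a 0x00 prefix and the entry."""
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256 over a 0x01 prefix and both children."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2): where RFC 6962 splits a tree."""
    return 1 << ((n - 1).bit_length() - 1)

def tree_hash(entries: list) -> bytes:
    """Merkle Tree Hash of an ordered entry list (the root hash carried in an STH)."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def consistency_proof(m: int, entries: list) -> list:
    """Node hashes proving that the first m entries are a prefix of `entries`."""
    return [] if m == len(entries) else _subproof(m, entries, True)

def _subproof(m: int, d: list, b: bool) -> list:
    n = len(d)
    if m == n:
        return [] if b else [tree_hash(d)]
    k = _split(n)
    if m <= k:
        return _subproof(m, d[:k], b) + [tree_hash(d[k:])]
    return _subproof(m - k, d[k:], False) + [tree_hash(d[:k])]

def verify_consistency(first, second, first_hash, second_hash, path) -> bool:
    """Check a consistency proof with the RFC 9162 section 2.1.4.2 algorithm."""
    if first == second:
        return first_hash == second_hash and not path
    if first > second or not path:
        return False
    if (first & (first - 1)) == 0:        # first is an exact power of two
        path = [first_hash] + list(path)
    fn, sn = first - 1, second - 1
    while fn & 1:                          # drop trailing 1-bits both sizes share
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_hash and sr == second_hash and sn == 0

@dataclass(frozen=True)
class STH:
    """Signed Tree Head reduced to the fields checked here (a real one is also timestamped and signed)."""
    tree_size: int
    root_hash: bytes

def make_sth(entries: list) -> STH:
    return STH(len(entries), tree_hash(entries))

def gossip_check(sth_a: STH, sth_b: STH, proof_from_log: list) -> tuple:
    """Compare two STHs exchanged between clients. STHs name no websites, so
    swapping them reveals no browsing history. Returns (consistent, reason)."""
    if sth_a.tree_size == sth_b.tree_size:
        if sth_a.root_hash == sth_b.root_hash:
            return True, "same size, same root"
        return False, "split view: same size, different roots"
    small, big = sorted((sth_a, sth_b), key=lambda s: s.tree_size)
    if verify_consistency(small.tree_size, big.tree_size,
                          small.root_hash, big.root_hash, proof_from_log):
        return True, "consistent: the larger tree extends the smaller one"
    return False, "split view: no valid proof that the larger tree extends the smaller"

def demo() -> dict:
    # Constructed sample entries standing in for DER-encoded certificates.
    honest = [b"cert:example.org", b"cert:bank.example", b"cert:mail.example",
              b"cert:shop.example", b"cert:wiki.example"]
    # A lying log shows Bob a fork in which entry 2 is a rogue certificate that
    # Alice, and the domain owner's monitor, never get to see.
    forked = honest[:2] + [b"cert:bank.example-rogue"] + honest[3:]
    alice_old, alice_now, bob = make_sth(honest[:3]), make_sth(honest), make_sth(forked)
    return {
        # Honest growth: the log proves Alice's old view is a prefix of her new one.
        "honest_growth": gossip_check(alice_old, alice_now, consistency_proof(3, honest)),
        # Same tree size, different roots: caught by comparing the two STHs alone.
        "same_size_fork": gossip_check(alice_now, bob, []),
        # The lying log can only prove its own fork, which never chains back to
        # Alice's old root, so the mismatch is detected.
        "cross_fork": gossip_check(alice_old, bob, consistency_proof(3, forked)),
    }

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'ALERT'} ({reason})")
```

The two detection paths mirror what a gossip protocol buys: STHs of equal size are compared directly, and STHs of different sizes force the log to supply a consistency proof, which it cannot forge for a fork without breaking SHA-256. Only tree heads travel between clients, which is why this check does not expose which certificates, and hence which sites, either client has seen.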

For more information on Certificate Transparency:
The Google Certificate Transparency project: https://www.certificate-transparency.org/
The IETF Working Group on Certificate Transparency: https://datatracker.ietf.org/wg/trans/charter/
A quick look into gossiping mechanisms for Certificate Transparency: https://tools.ietf.org/html/draft-linus-trans-gossip-ct-02
