Tuesday, January 27, 2015

Certificate Transparency

You may have heard of "Certificate Transparency", but what is the main goal of this framework?
To set the stage: certificates are issued by hundreds of different CAs across the globe to validate the identity of a company or person and to establish secure communication between two parties. Because there is no centralised repository or service that can globally check whether a given certificate truly belongs to the company or person it names, a CA can issue a certificate for a domain, by mistake or through compromise, without the domain's owner ever seeing it, and that certificate can then be used to intercept users' communications and capture valuable information. We have seen this several times in recent years, and that is why we need some sort of new framework to protect users and companies against this attack vector around certificates; this is where "Certificate Transparency" comes in.
Certificate Transparency aims to remedy these certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency has three main goals:
- Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
- Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
- Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificate Transparency satisfies these goals by creating an open framework for monitoring the TLS/SSL certificate system and auditing specific TLS/SSL certificates. This open framework consists of three main components: certificate logs (append-only, publicly auditable records of certificates, backed by a Merkle hash tree), monitors (services that watch the logs for suspicious or unexpected certificates on behalf of domain owners) and auditors (lightweight clients that check that a log is behaving correctly and that a given certificate really appears in it).
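The following is an added example, not code from the original post or from the Certificate Transparency project, showing the mechanism that ties the three components together: a log builds an RFC 6962 Merkle hash tree over its entries and hands out an audit path for any entry, an auditor recomputes the root from that path to check that a certificate is really in the log, and a monitor scans the entries for certificates that the domain owner did not expect. The log entries are constructed stand-ins for certificates (real entries wrap DER-encoded certificates in a MerkleTreeLeaf structure), and the issuer strings, domain names and the helper names are assumptions made for the illustration.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962, section 2.1: a leaf is hashed with a 0x00 prefix."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962, section 2.1: an interior node is hashed with a 0x01 prefix.
    The distinct prefixes stop a leaf from being passed off as an interior node."""
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: list) -> bytes:
    """Log side: root hash over the ordered entries (MTH in RFC 6962)."""
    if not entries:
        return _sha256(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def audit_path(index: int, entries: list) -> list:
    """Log side: sibling hashes proving entries[index] is in the tree (PATH in RFC 6962)."""
    if len(entries) <= 1:
        return []
    k = _split_point(len(entries))
    if index < k:
        return audit_path(index, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf_index: int, tree_size: int, entry: bytes, path: list, root_hash: bytes) -> bool:
    """Auditor side: rebuild the root from the entry and its audit path and compare it
    with the signed root the log published. This follows the verification algorithm
    written out in RFC 9162, section 2.1.3.2, for the RFC 6962 tree shape."""
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False          # path is longer than the tree is tall
        if fn & 1 or fn == sn:
            r = node_hash(p, r)   # our node is the right child at this level
            if not fn & 1:        # rightmost node: skip levels where it has no sibling
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)   # our node is the left child at this level
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


# Constructed sample log; each entry stands in for a logged certificate.
SAMPLE_LOG = [
    b"cert: CN=www.example.com, issuer=CA-A, serial=1",
    b"cert: CN=mail.example.com, issuer=CA-A, serial=2",
    b"cert: CN=www.example.net, issuer=CA-B, serial=7",
    b"cert: CN=www.example.com, issuer=CA-C, serial=9",   # issuer the owner never used
    b"cert: CN=login.example.org, issuer=CA-B, serial=8",
]


def monitor_unexpected_issuers(entries: list, domain: str, trusted_issuers: set) -> list:
    """Monitor side: return (index, issuer) for every entry naming `domain` whose
    issuer is not one the domain owner actually uses. The field parsing matches
    only the constructed entry format above."""
    flagged = []
    for i, entry in enumerate(entries):
        text = entry.decode()
        if f"CN={domain}," in text:
            issuer = text.split("issuer=")[1].split(",")[0]
            if issuer not in trusted_issuers:
                flagged.append((i, issuer))
    return flagged


if __name__ == "__main__":
    root = merkle_tree_hash(SAMPLE_LOG)
    proof = audit_path(3, SAMPLE_LOG)
    print("entry 3 included:", verify_inclusion(3, len(SAMPLE_LOG), SAMPLE_LOG[3], proof, root))
    print("tampered entry:", verify_inclusion(3, len(SAMPLE_LOG), b"forged", proof, root))
    print("unexpected issuers:", monitor_unexpected_issuers(SAMPLE_LOG, "www.example.com", {"CA-A"}))
```

The point of the 0x00/0x01 domain separation and of checking that the path is consumed exactly (sn reaches 0) is that a log cannot convince an auditor of an entry's inclusion with a path that was really built for a different entry or a different tree size; in production the auditor would also verify the log's signature over the root hash (the signed tree head) before trusting it.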
For further reference, see: http://www.certificate-transparency.org