Thursday, May 23, 2019

Important Steps Were Taken By Authorities To Protect User’s Information

Believe it or not, but according to Google’s security team, NIC (India’s National Informatics Center) have been issuing unprincipled and dodgy SSL certificates. It has come to notice their that NIC has issued several unauthorized SSL certificates to various Google domains. These unauthorized certificates can be used to bluff and pretend as a legit Google website on different servers and can put user’s information at risk. With the use of such dodgy SSL certificate, it is easy to spy on or fiddle with user’s encrypted communication.
  • Fake Certificate Security Issues
SSL/TLS (Security Socket Layer/ Transport Layer Security) encryption systems are badly hit by this dodgy SSL certificate, which was used to secure https:// connection. Various issues that have been raised so far are listed below:

• A warning was issued by Microsoft over ‘improper issued’ SSL certificate which could have resulted in a phishing attack.

• Apple also got alerted about the critical SSL flaw in Mac OS and iOS

• Google has warned CNNIC, an intermediate certificate authority, about the issuing of unauthorized digital certificates.

  • Certificate Transparency
Google accepts that it is a serious breach of the CA system and such incidents indicate that Google’s Certificate Transparency efforts are critical for protecting the security of certificates in the future. Certificate transparency will help in:

Eliminating security flaws as it will provide an open framework to monitor and audit SSL certificate in near real time.
  • Detect Fake SSLs.
Identifying CAs attempt to issue unauthorized SSL certificates
Pinning public key can specify authorized SSL certificates.
Issuing authorities as well as can reject fake dodge SSL certificates.
  • Google Logging System
Google engineers have come up with a logging system that brings together CAs (ones that are trusted) and CAs working hard to build its goodwill. They have managed to issue a list of these CA’s on a public platform and specified those that are no longer trusted by browsers. The main mission of this system is to:

• Protect its user from fake and illegally issued SSL certificates
• Provide public record information of the certificates issued for specific domains
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)