Obey Google, web-masters, or it will say you can't be trusted

Criminals are about to lose a reliable attack vector for malware infection and phishing, thanks to Google's Certificate Transparency initiative that will force websites to enforce proper certificate security within a year. Stolen and mis-issued SSL certificates allow attackers to spin up malicious sites that pass browser …

  1. Fazal Majid

    Misleading title

    It's the certificate authorities issuing the certificates, e.g. RapidSSL, who have to do the work, not the webmasters.

  2. Anonymous Coward

    The whole mechanism sucks

    You are still perpetually dependent on a single point of control with no meshing between others.

    The irony was that SSL was never designed as proof of authenticity - all it ever was meant for was encryption. Full stop. The whole eco-system that hangs off the side of the authentication side of things is based on a false premise, and that's the sole single reason for this continuing to be a pain in the neck.

    1. Nick Kew Silver badge

      Re: The whole mechanism sucks

      Yep. Every CA is a single point of failure.

      So it's time to upgrade the Web to use distributed trust authorities. No single point of failure, the attacker has to compromise more than one independent trust authority to impersonate a site.

      That's a central pillar of the M-Pin protocol (currently an IETF draft) and Milagro project (in incubation at Apache). Get on board and secure the web. And (by the way) secure the IoT!

      1. Charles 9 Silver badge

        Re: The whole mechanism sucks

        Instead of compromising the trust authority, they'll just compromise the client instead. Social engineering and such to pull an identity theft.

      2. Charles 9 Silver badge

        Re: The whole mechanism sucks

        P.S. It's always possible to beat a Web of Trust with enough shills, and States are particularly well-resourced regarding identities and shills.

        1. DavCrav Silver badge

          Re: The whole mechanism sucks

          "P.S. It's always possible to beat a Web of Trust with enough shills, and States are particularly well-resourced regarding identities and shills."

          Right, but this is to stop criminals, not state actors. If a nation state wants your data really really badly, they can probably get it, even if they have to send round the heavy mob.

          1. Charles 9 Silver badge

            Re: The whole mechanism sucks

            What about foreign states? This would be an excellent tool of espionage and subversion, and criminals can be sponsored by states or working for them as a plausible deniability angle. Bet you many of the Chinese hackers running today have state backing. Plus what about larger criminal enterprises which are virtually states unto themselves in terms of the power they can pull?

            1. DavCrav Silver badge

              Re: The whole mechanism sucks

              "What about foreign states?"

              They also have the heavy mob. You know, US, Israel, Russia, are all known to do wetwork on foreign soil, and the others probably do too.

              1. moiety

                Re: The whole mechanism sucks

                The authenticity bit is a major pain for me... I'd love to self-sign certificates and encrypt absolutely everything; but you have to cough up money (until recently) and bugger about with 3rd parties, none of whom I have any reason to trust and all of whom are tagging your visitors as part of the authenticity check.

    2. bombastic bob Silver badge

      The tollbooth is now EXPANDED

      (from topic 'The whole mechanism sucks')

      "The whole eco-system that hangs off the side of the authentication side of things is based on a false premise, and that's the sole single reason for this continuing to be a pain in the neck."

      And the INTERNET TOLLBOOTH, aka "certification authorities", the cottage industry that sprang up in response to the "need", is now ENRICHED by this *kind* of "decision".

      Are we ANY SAFER? what about FIREWALL APPLIANCES that (literally) do a 'man in the middle' and issue their OWN root certificates?

      And, HOW is Google going to 'enforce' a site being UNTRUSTED???

      And then there are the SMALL TIME (and private) web sites that can issue SELF-SIGNED certificates. Will they be automatically downloaded and installed if the user SAYS to do it? Or will they AUTOMATICALLY be BLOCKED now, because, Google?

      And those cottage industries.. the TOLLBOOTH industry... pay the TOLL, or YOU cannot PLAY!

  3. Anonymous Coward

    Conflicted emotions

    So Google is throwing its weight about again, except it's for making the web a safer place... Yay, I guess?

    1. Pascal Monett Silver badge

      Re: Conflicted emotions

      Damn right. I had buried Do No Evil a long time ago and now I'm looking at the grave and feeling quite annoyed actually. Couldn't evil companies just stay evil and be done with it?

      Okay, I will console myself by thinking that Google has a vested interest in this scheme since . . ummm . . . scammers don't use Google Ads. Yeah, that must be it.

      What a relief, I almost thought I was going to regret something.

      1. Anonymous Coward

        Re: Conflicted emotions

        .... Google ... ....... .. .. .... ... ... can't be trusted

    2. Version 1.0 Silver badge

      Re: Conflicted emotions

      The web is NOT a safe place by design - virtually all web sites use so many external links and scripts that the entire process is a joke - this page on El Reg wants me to give it access to admedo.com, dpmsrv.com, google-analytics.com, googletagservices.com, and regmedia.co.uk - any one of these can slip something wet and nasty into my browser and beyond.

      And El Reg is a relatively well behaved site - go to the commercial news sites and they can be asking me to give them access for 50+ sites. Hand me the diagonal cutters please.

      1. Charles 9 Silver badge

        Re: Conflicted emotions

        Well, what do you propose as an alternative? Keep in mind, what one man can make, another man can probably break, regardless of the circumstances.

  4. Dan 55 Silver badge

    Five years from now...

    Webmasters! Save yourself all this hassle and the possibility of being blacklisted on Google Search (99.98% marketshare) and Google Chrome (99.99% marketshare) with our new Google CA which takes care of everything for you and improves your pagerank. Just log into your Google account, ask for a certificate, and you will be automatically charged on your credit card. 10% discount if you use your Googlecard.

  5. Howard Hanek Bronze badge

    Or

    ...alternatively you can wear your Google Party pin or armband to instill the proper fear and respect as you video conference. It helps to sit near the lens, chin at a slight downward angle, using a slow, deep voice, scowling.

  6. Dinsdale247

    Moms going to love this

    Excellent, one more reason for us to ignore certificate warnings. So now when my mother's favorite sewing site has certificate errors that she learns to ignore, it will make her so much safer when "the bank" that is asking her to verify her user information also has certificate errors.

    All those in favour of forking the Internet, raise your hands.

    1. Version 1.0 Silver badge

      Re: Moms going to love this

      "All those in favour of forking the Internet" - I think you have a typo there.

      1. Charles 9 Silver badge

        Re: Moms going to love this

        No, why can't we come up with a nice Internet where we don't have to deal with things like this on an everyday basis?

    2. Edward Clarke

      Re: Moms going to love this

      Change the browser to forbid loading sites with certificate errors. Your mother should be prevented from going to a site that claims to be secure but is not. "http:" is for insecure sites, not "https:". Make the popup message read "This site is insecure but claims to be secure. We suggest you use Lynx to view it."

      Showing my age...

  7. MSmith

    Next, use Google Certificates

    So after this fails, Google will start issuing their own certificate to make sure it is done right (at a modest charge). All others will be listed as untrustworthy.

  8. Anonymous Coward

    Google Turning Evil

    I wonder, will anyone be brave enough to face this Goliath?


Biting the hand that feeds IT © 1998–2019