Google has begun building what it calls the Google Certificate Catalogue in an effort to ensure HTTPS browsing remains safe. HTTPS – or Hypertext Transfer Protocol Secure – is the technical term for the padlock system used within web browsers that shows whether a connection is secure. It’s typically used by online banking sites and webmail providers, and relies on a document known as a security certificate. These are issued by a number of trusted certificate authorities (CAs) around the world. Web browsers use security certificates to verify the authenticity of various sites. However, earlier this year a hacker called Ich Sun accessed the computer systems for Comodo – the second-largest CA in the world – and used them to issue fraudulent certificates for Google, Microsoft, Skype and Yahoo, among others. Certificate theft isn’t a huge threat, unless it’s used as part of a highly sophisticated hack attack that involves taking control of internet domain-name servers.
Feasibly, Sun could have issued certificates for web domains that look like the real deal – for example, paypall.com rather than paypal.com. These could then have been used in phishing attacks in which people were fooled by the trusted padlock symbol provided by the fraudulent security certificate. However, Google’s catalogue, which is a web-accessible database of what the search giant considers to be valid security certificates, hopes to help eradicate such problems. It’s updated as frequently as Google’s search catalogue, because the same web crawler bots collect the data. Although it’s at an early stage, the catalogue indicates not only if a certificate should be considered valid, but also for how long Google has known about it.
The simple concept is that a certificate should be considered questionable if the Google Certificate Catalogue doesn’t know about it. In future, there’s a chance that the feature will be built into web browsers. However, users would need to opt into the service, since the results will require interpretation. A certificate that’s been in the database for only one day doesn’t necessarily indicate dodgy shenanigans, for example, and it could be that the certificate has recently been renewed. Google’s catalogue is available to whoever wishes to use it.
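Interpreting a catalogue answer in the way the article describes (unknown certificate is questionable; a newly seen one may just be a renewal), as an added Python example that is not Google's code: the catalogue contents, host names and fingerprints are constructed, and the renewal heuristic (a new certificate appearing while the host's previous certificate was close to expiry) is an assumption about how a browser-side consumer might read the results, not a documented feature of the catalogue.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class CatalogueEntry:
    fingerprint: str   # hex digest of the certificate (constructed values below)
    first_seen: date   # first day the crawler observed this certificate
    last_seen: date    # most recent day the crawler observed it
    not_after: date    # expiry date taken from the certificate itself


# Constructed stand-in for the catalogue: hostname -> certificates observed for it.
CATALOGUE = {
    "example-bank.test": [
        CatalogueEntry("aa11", date(2010, 1, 5), date(2011, 3, 20), date(2011, 4, 1)),
        CatalogueEntry("bb22", date(2011, 3, 20), date(2011, 3, 21), date(2012, 4, 1)),
    ],
    "webmail.test": [
        CatalogueEntry("dd44", date(2010, 6, 1), date(2011, 3, 21), date(2012, 1, 1)),
        CatalogueEntry("ee55", date(2011, 3, 15), date(2011, 3, 21), date(2013, 1, 1)),
    ],
}

RENEWAL_WINDOW_DAYS = 30  # assumption: renewals happen within a month of expiry


def assess(host: str, fingerprint: str, today: date, min_days: int = 7) -> str:
    """Classify a certificate presented for `host` using catalogue history."""
    entries = CATALOGUE.get(host, [])
    entry = next((e for e in entries if e.fingerprint == fingerprint), None)
    if entry is None:
        return "unknown"              # never crawled: treat as questionable
    if (today - entry.first_seen).days >= min_days:
        return "established"          # known for a while: consistent history
    # Newly seen: was an older certificate for this host about to expire?
    older = [e for e in entries
             if e.fingerprint != fingerprint and e.first_seen < entry.first_seen]
    if any((e.not_after - entry.first_seen).days <= RENEWAL_WINDOW_DAYS for e in older):
        return "new-likely-renewal"   # appeared as the previous one ran out
    return "new-needs-review"         # new with no renewal explanation


if __name__ == "__main__":
    today = date(2011, 3, 21)
    for host, fp in [("example-bank.test", "bb22"), ("example-bank.test", "cc33"),
                     ("webmail.test", "ee55"), ("example-bank.test", "aa11")]:
        print(host, fp, assess(host, fp, today))
```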