In 2012, Google introduced Certificate Transparency, an internet-wide tripwire system designed to catch cryptographic "certificate authorities" who abused their position to produce counterfeit credentials that would allow criminals, governments and police to spy on and tamper with secure internet connections.
Since then, CT has caught some pretty egregious offenders, most notably Symantec, whose certificates were nearly phased out of the web earlier this year after being caught in repeated cheats and malpractice.
Now Google -- with help from Mozilla -- is giving the internet death penalty to WoSign and its subsidiary StartCom, Chinese Certificate Authorities who have been caught forging multiple certificates, including fake Github credentials.
Update: Symantec's certificates were not purged from the web in the end; after a substantial wrangle in which Symantec made promises to reform its processes and in which browser vendors reduced their trust levels in pre-reform certificates, a reprieve was sought and won for Symantec's internet trust death-penalty.
The move to begin blacklisting the CA authority occurred last year. In August 2016, WoSign was caught issuing fake HTTPS certificates for GitHub domains, which are a severe security risk as attackers could use the certificate to impersonate GitHub domains to compromise user communications.
Google and Mozilla then teamed up to investigate the CA and managed to uncover other instances of unauthorized certificates being issued.
Chrome version 56 was the first to disallow certificates issued by WoSign and StartCom, after "technical limitations and concerns" raised concerns that the CA was not complying with Chrome's Certificate Transparency policy.
Mozilla also announced plans to ban new certificates signed off by WoSign and StartCom through Firefox 51, released in January.
Google guillotine falls on certificate authorities WoSign, StartCom
A team of computer scientists, psychologists and neuroscientists used eye-tracking and fMRI to measure how users perceived security warnings, such as warnings about app permissions and browser warnings about insecure pages and plugin installations.
Konrad Rieck has data-mined the nine top security conferences, compiling a decade-by-decade list of the papers most often cited in the presentations delivered at these events: top of the pile is Random Oracles are Practical: A Paradigm for Designing Efficient Protocols (Sci-Hub mirror), from the 1993 ACM Conference on Computer and Communications Security. Rieck has […]
A former executive from the data-mining dark operator Cambridge Analytica ‘visited Julian Assange in February last year and told friends it was to discuss what happened during the US election,’ the Guardian reported today. Brittany Kaiser worked as a director there until not long ago, and is reported “to have channelled cryptocurrency payments and donations […]
The human eye is a powerful thing, but it’s not so great at seeing in the dark or around tight spaces, which is partially why most of us struggle with unplugging drains, cleaning under the fridge, and other hard-to-reach jobs. This 1080p HD Waterproof WiFi Wireless Endoscopic Camera, however, gives you the flexibility necessary to get […]
Macs are undeniably some of the most versatile computers on the market, but they can do so much more than what their stock apps allow. For those looking to get the most out of their Mac hardware, the Pay What You Want 2018 Super Mac Bundle features 10 of the industry’s top apps, including photo editors and […]
Salesforce has reinvented the way companies manage customer information, close deals, and ultimately drive revenue, so it should come as no surprise that it’s one of the more valuable skills you can list on your resume today. In fact, according to research from Burning Glass, this platform is now the 7th most in-demand software skill, beating out […]