In 2012, Google introduced Certificate Transparency, an internet-wide tripwire system designed to catch cryptographic "certificate authorities" who abused their position to produce counterfeit credentials that would allow criminals, governments and police to spy on and tamper with secure internet connections.
Since then, CT has caught some pretty egregious offenders, most notably Symantec, whose certificates were nearly phased out of the web earlier this year after the company was caught in repeated cheats and malpractice.
Now Google -- with help from Mozilla -- is giving the internet death penalty to WoSign and its subsidiary StartCom, Chinese Certificate Authorities who have been caught forging multiple certificates, including fake GitHub credentials.
Update: Symantec's certificates were not purged from the web in the end; after a substantial wrangle in which Symantec made promises to reform its processes and in which browser vendors reduced their trust levels in pre-reform certificates, a reprieve from Symantec's internet trust death penalty was sought and won.
The move to begin blacklisting the CA occurred last year. In August 2016, WoSign was caught issuing fake HTTPS certificates for GitHub domains, which are a severe security risk as attackers could use the certificates to impersonate GitHub domains to compromise user communications.
Google and Mozilla then teamed up to investigate the CA and managed to uncover other instances of unauthorized certificates being issued.
Chrome version 56 was the first to disallow certificates issued by WoSign and StartCom, after "technical limitations and concerns" raised doubts about whether the CA was complying with Chrome's Certificate Transparency policy.
Mozilla also announced plans to ban new certificates signed off by WoSign and StartCom through Firefox 51, released in January.
Google guillotine falls on certificate authorities WoSign, StartCom