As we have stated previously, website owners have a concern that an attacker can have a certificate issued for their domain name. We now have two systems which will help monitor certificates for domains: Certificate Transparency (CT) and Certificate Reputation.
By Bruce Morton
As of the start of 2015, most certification authorities (CAs) support CT, as Google requested: since January 2015, Chrome requires EV certificates to be logged in CT before it shows the EV indicator. CT therefore currently covers extended validation (EV) SSL certificates, and logging will allow all EV certificates to be monitored.
In March 2015, Microsoft deployed Certificate Reputation. Windows, Internet Explorer and other Microsoft applications collect certificate data for all types of SSL certificates and report it to Microsoft. Microsoft has stated that it does not collect any information that could be used to identify the user.
The certificate data is provided only to users who have confirmed ownership of the domain. It is delivered through Bing Webmaster Tools and looks similar to the image below.
The data includes identity information such as the name of the server (Host), the name of the entity the certificate was issued to (Issued to), and the name of the CA (Issued by). It shows when the certificate was first and last observed (First seen and Last seen) and when it expires (Expiry date). It also allows the user to download the certificate (Download) and to report a fraudulent certificate to Microsoft (Report).
In the short term, there appear to be advantages to Certificate Reputation, as it works for all types of SSL certificates and not just EV. It works for all CAs, as CAs do not need to participate in the Certificate Reputation program. Certificate Reputation is also available to all administrators, as Microsoft provides the information through a portal.
On the disadvantage side, it only provides data from Windows and its applications; however, this should still represent a substantial user base.
We are seeing more occurrences of fraudulent certificates being issued, such as the recent problem with CNNIC. It is recommended that domain owners use Certificate Reputation to monitor their domains. In the future, we expect that Microsoft will upgrade the service to provide email notification when a new certificate has been found.
One of the advantages of having multiple certification authorities (CAs) from which to choose an SSL certificate is that customers have flexibility to choose a CA that meets their specific needs, or even use a number of CAs for redundancy or to have access to a broader toolset.
The disadvantage for end users, however, is that they often cannot tell whether a particular CA was authorized to issue the certificate, so there is a chance that the certificate was fraudulently obtained. Security experts have put forward proposals that let domain owners authorize CAs through DNS (Certification Authority Authorization, CAA), let the Web server state which public key is trusted (Public Key Pinning), or let the owner of a website monitor certificates issued for their domain through public logs (Certificate Transparency).
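The first of those proposals can be illustrated in code. The following is an added example, not part of the original article and not any CA's production code: the CAA check a CA performs before issuing, following the RFC 6844 rules (climb from the requested name to its parents until a CAA record set is found; no set anywhere means any CA may issue; a record whose value is just ";" authorizes nobody; a critical record with an unknown tag forbids issuance). The zone data is a constructed in-memory table rather than live DNS, and the CA and domain names are invented.

```python
# Added example (not from the article, not any CA's code): the CAA check a CA
# performs before issuing, per RFC 6844. DNS data is a constructed table.
from dataclasses import dataclass

KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the record as "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain, optionally followed by ";key=value" parameters


# Constructed zone data; a real check would query DNS for the CAA type (257).
CONSTRUCTED_DNS = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example; account=230123"),
        CAARecord(0, "issuewild", ";"),                   # no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example": [CAARecord(0, "issue", ";")],        # no CA may issue at all
    "strict.example": [CAARecord(128, "futuretag", "x")],  # critical, unknown tag
}


def relevant_caa_set(fqdn, dns):
    """RFC 6844 tree climbing: use the CAA RRset of the closest ancestor-or-self
    of fqdn that has one (CNAME following is omitted in this example)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if dns.get(name):
            return name, dns[name]
    return None, []


def issuer_domain(value):
    """'ca-one.example; account=1' -> 'ca-one.example'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn, ca_domain, dns, wildcard=False):
    """Return (allowed, reason) for ca_domain issuing for fqdn (or *.fqdn)."""
    name, rrset = relevant_caa_set(fqdn, dns)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    # A critical record the CA does not understand must stop issuance.
    for r in rrset:
        if r.flags & 128 and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag '{r.tag}' at {name}"
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    matching = [r for r in rrset if r.tag == tag]
    if not matching:
        return True, f"no {tag} records at {name}: issuance is not restricted"
    authorized = {issuer_domain(r.value) for r in matching}
    authorized.discard("")  # a bare ';' names no issuer
    if ca_domain.lower() in authorized:
        return True, f"{ca_domain} is listed in the {tag} set at {name}"
    return False, f"{ca_domain} is not in the {tag} set {sorted(authorized)} at {name}"


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "ca-one.example", False),
                           ("www.example.com", "other-ca.example", False),
                           ("www.example.com", "ca-one.example", True),
                           ("nocaa.example", "anyone.example", False),
                           ("strict.example", "ca-one.example", False)]:
        allowed, reason = ca_may_issue(host, ca, CONSTRUCTED_DNS, wild)
        print(host, ca, "wildcard" if wild else "", allowed, reason)
```

The check constrains CAs at issuance time only; browsers do not evaluate CAA, which is why the article pairs it with pinning and CT, both of which act on the client or after issuance. The CNAME following that RFC 6844 specified (and that RFC 8659 later removed) is left out here.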
Microsoft is proposing a solution to improve trustworthiness of certificates: Certificate Reputation. In Internet Explorer (IE) 11, Microsoft will extend the telemetry collected by its SmartScreen Filter to include analysis of SSL certificates presented by websites. Microsoft is creating tools to build intelligence about all certificates issued by every trusted root CA.
One goal of this effort will be to flag potential man-in-the-middle (MITM) attacks where the site uses publicly trusted certificates from public CAs.
Examples of warning flags might include:
Website has been issued a subordinate CA certificate capable of issuing other SSL certificates
Website presents a different certificate in only certain regions
Significant change in the fields of a certificate that a CA usually issues, such as the OCSP responder location
Currently, Google and Microsoft are each advancing their own non-conflicting solutions to certificate trust.
Google is promoting Certificate Transparency (CT) as a solution — looking to require CAs to support CT for EV SSL certificates in 2015. This dual approach by these two companies may be good for the public from a defense-in-depth perspective. For comparison, Certificate Reputation supports the following:
Privacy – When a certificate subscriber purchases a certificate for its internal domain name, this domain name will not be available publicly. Data will also be sent encrypted to Microsoft and no personally identifiable information is retained.
Certificate Monitor – Domain owners could be notified by email when new certificates are issued with their domain names.
Scalable – The Certificate Reputation solution is already being implemented and scales without requiring effort or cooperation from any third parties such as website operators or CAs. Microsoft can enhance functionality to its system as needed.
Deployment – Similarly, Certificate Reputation should be easy to deploy as it will only require efforts from Microsoft. The solution will not rely on changes being performed by third parties such as CAs, subscribers, Web server developers, or OCSP developers.
Security experts also say there are some disadvantages:
No Public Log – Microsoft will own the database and it will not be made publicly available, nor available for audit.
Sensitivity – Attacks that are highly targeted may be difficult to detect.
All Certificates Not Covered – The solution relies on the telemetry gathered through the use of IE 11 (and later). This means it covers certificates that Microsoft browsers encounter, not those seen only by other applications or browsers. There is also the opt-out issue: an organization might choose not to send data back to Microsoft, in which case coverage of the sites its users visit is reduced.
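The portal fields described in the first part of this page (Host, Issued to, Issued by, First seen, Last seen, Expiry date) and the warning flags listed above (a subordinate CA certificate issued to a website, a certificate presented only in certain regions, a change in a field a CA usually fills the same way, such as the OCSP responder location) suggest what a domain owner's own monitoring could check. What follows is an added example, not Microsoft's code and not data from Bing Webmaster Tools: it runs those checks, plus a simple "issuer the owner never used" check, over constructed certificate observations. Hostnames, CA names, fingerprints and URLs are invented; the `expected_issuers` set and the `min_baseline` threshold are assumptions of this example.

```python
# Added example (not Microsoft's code, not the Bing portal's data): checks of the
# kind a Certificate Reputation-style monitor could run over certificate
# observations reported by clients. Records and values below are constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str          # server name the client connected to (portal: Host)
    issued_to: str     # subject name (portal: Issued to)
    issued_by: str     # issuing CA (portal: Issued by)
    fingerprint: str   # certificate hash, abbreviated here (constructed)
    region: str        # where the reporting client was located
    first_seen: str    # ISO dates, as the portal shows them
    last_seen: str
    expiry: str
    is_ca: bool        # basicConstraints CA=TRUE: can issue other certificates
    ocsp_url: str      # OCSP responder taken from the AIA extension


CA1, OCSP1 = "Trusted CA One", "http://ocsp.ca-one.example"
CONSTRUCTED_OBSERVATIONS = [
    # The same certificate seen for www in every region: nothing to report.
    Observation("www.example.com", "www.example.com", CA1, "aa11", "us",
                "2015-01-10", "2015-03-20", "2016-01-10", False, OCSP1),
    Observation("www.example.com", "www.example.com", CA1, "aa11", "eu",
                "2015-01-10", "2015-03-20", "2016-01-10", False, OCSP1),
    Observation("www.example.com", "www.example.com", CA1, "aa11", "apac",
                "2015-01-10", "2015-03-20", "2016-01-10", False, OCSP1),
    # A different certificate, from a CA the owner never used, seen only in apac.
    Observation("www.example.com", "www.example.com", "Other CA", "bb22", "apac",
                "2015-03-18", "2015-03-20", "2016-03-18", False,
                "http://ocsp.other-ca.example"),
    # A CA-capable certificate naming one of the owner's hosts.
    Observation("mail.example.com", "mail.example.com", CA1, "cc33", "us",
                "2015-03-19", "2015-03-20", "2017-03-19", True, OCSP1),
    # Expected issuer, but an OCSP responder that issuer never uses.
    Observation("shop.example.com", "shop.example.com", CA1, "dd44", "eu",
                "2015-03-15", "2015-03-20", "2016-03-15", False,
                "http://ocsp.attacker.example"),
]


def audit(observations, expected_issuers, min_baseline=2):
    """Return (host, fingerprint, flag, detail) tuples, one per suspicious certificate."""
    findings = []
    # Baseline: which OCSP responder each issuer normally writes into its certificates.
    ocsp_by_issuer = defaultdict(Counter)
    by_host = defaultdict(list)
    for o in observations:
        ocsp_by_issuer[o.issued_by][o.ocsp_url] += 1
        by_host[o.host].append(o)

    for host, obs in by_host.items():
        # Compare only certificates clients are still being shown, so an old,
        # legitimately rotated certificate does not look like a regional split.
        latest = max(o.last_seen for o in obs)
        current = [o for o in obs if o.last_seen == latest]
        host_regions = {o.region for o in current}
        regions_by_fp = defaultdict(set)
        for o in current:
            regions_by_fp[o.fingerprint].add(o.region)

        reported = set()
        for o in current:
            if o.fingerprint in reported:
                continue                      # one report per certificate
            reported.add(o.fingerprint)
            if o.issued_by not in expected_issuers:
                findings.append((host, o.fingerprint, "unexpected issuer",
                                 f"issued by {o.issued_by}; owner expects {sorted(expected_issuers)}"))
            if o.is_ca:
                findings.append((host, o.fingerprint, "subordinate CA certificate",
                                 "CA=TRUE certificate naming the site could issue more certificates"))
            fp_regions = regions_by_fp[o.fingerprint]
            if len(regions_by_fp) > 1 and fp_regions < host_regions:
                findings.append((host, o.fingerprint, "region-specific certificate",
                                 f"seen only in {sorted(fp_regions)}, host is served to {sorted(host_regions)}"))
            usual_url, usual_count = ocsp_by_issuer[o.issued_by].most_common(1)[0]
            if usual_count >= min_baseline and o.ocsp_url != usual_url:
                findings.append((host, o.fingerprint, "unusual OCSP responder",
                                 f"{o.ocsp_url} instead of {usual_url} used by {o.issued_by}"))
    return findings


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_OBSERVATIONS, {CA1}):
        print(*finding, sep=" | ")
```

On the constructed data this reports four findings: the apac-only certificate for www.example.com twice (unexpected issuer and region-specific), the CA-capable certificate for mail.example.com, and the shop.example.com certificate whose OCSP responder differs from the one its issuer uses everywhere else. The region check flags any certificate that is not seen everywhere the host is served, so an operator who legitimately serves different certificates from different data centers would need an allow-list for them, and the OCSP check needs at least `min_baseline` observations of an issuer before it has a "usual" responder to compare against; with fewer, as for "Other CA" here, it stays silent.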
Source: casecurity.org