Google would be shortage recently that an intermediate certificate authority issued nonauthorized certificates SSL to several of her domains.
In an attack of this type, a certificate authority can try to be the true authority certificate sender, mainly if the first company is made happen through an official certifier, who is what she happened to him to Google. In this case, according to Google it indicates – the original Certificate Authority, CNNIC (the Information center of Network of Internet of China) must never have given to such power to MCS Holding company in the first place.
It is necessary to repair system SSL?
The problem with system SSL is that it is based on the idea that the certifiers authorized always will issue good certificates. History has demonstrated that this simply is not truth – multiple certificate authorities have been hackeados, including companies as Verisign and now the extinct DigiNotar. Google wants to reform the process of certificate expedition with its initiative Certificate of Transparency. This project would consist of:
That it is impossible (or at least very difficult) for an authority certifier (CA) to issue a certificate SSL for a domain without the certificate is visible for the owner of that domain.
Deliberately to provide a system of audit and open supervision that allows any proprietor of domain or CA to determine if certificates by error have been emitted or.
To protect deliberately to the users (as much as it is possible) of being deceived with certificates issued by error or.
The certificates would be registered, and the registries would be supervised by servers public whom they would verify periodically if these are being used in malicious or nonauthorized form. Finally, the registries and the monitors would be guarded by a program of coding monitoring, that would assure that the certificates SSL have been connected correctly and that the registries were not manipulated.
The other problem with system SSL, beyond the fact that it is based on the intrinsic confidence, is that the system can be destabilized easily. That is to say, unless the certificates issued by a particular authority are revoked, these certificates can continue being used to cause damage.