Google Submariner Logs Untrusted CAs

Google announced on Monday that it has created a new list of CAs that were once, or are not yet, trusted by browsers.

Google wants the internet to know that it’s keeping track of deployed certificates, whether they’re trusted or not.

While the search behemoth has long maintained a list of trusted Certificate Authorities, it announced on Monday that it has created a new list of CAs that were once, or are not yet trusted, by browsers. Dubbed Submariner, the log culls CAs that were trusted at one point but have since been withdrawn from their root programs, in addition to new CAs that are in the pipeline and working toward being trusted.

According to Google, until now, keeping a record of such CAs has been difficult.

“Including these in trusted logs is problematic for several reasons, including uncertainties around revocation policies and the possibility of cross-signing attacks being attempted by malicious third-parties,” Martin Smith, a Software Engineer with Google’s Certificate Transparency team wrote Monday.

Google hopes that first and foremost the list, located at ct.googleapis.com/submariner, can serve as a public record for issued certificates. It also hopes it can act as a resource for webmasters and users looking to protect themselves from mis-issued certificates.

The company acknowledges that while naturally the list won’t be trusted by Chrome, it’s “still useful.” Google is encouraging anyone who may have any additional roots to include in Submariner to contact the team via email.

With the recent launch of Let’s Encrypt, a service that issues free and automated HTTPS certificates, webmasters looking to deploy encryption on their sites have never had it easier. On the other side of the coin however, the last several years have brought a scourge of mis-issued certificates and CA compromises.

In the last year alone, certificate authority Comodo mistakenly issued eight certificates with forbidden server names, Microsoft had to revoke trust for four certs inadvertently leaked by D-Link, along with another certificate, eDellroot, shipped on several Dell machines.

To illustrate some of the problems surrounding certificate security further, it was around this time last year that Google had to block certificates issued for a handful of its own domains after a Chinese CA using an intermediate CA was found to be able to issue certificates for any domain.

Suggested articles