Wednesday, March 23, 2016

Google boosts HTTPS, Certificate Transparency to encrypt Web

Roundup: Google pushes efforts on HTTPS, Certificate Transparency and more to safeguard the Web with encryption, while other tech firms are eyeing more, stronger encryption.

Google continued its push this week to securely encrypt all Web traffic, going all-out for HTTPS and transparency, as it announced the expansion of its Transparency Report project, along with the release of new tools and resources.
New sections to the report include a page where Google HTTPS efforts can be tracked, as well as a Certificate Transparency log viewer. Google also now reports on HTTPS use by leading websites, listing the top sites running modern HTTPS by default and that support modern HTTPS -- not by default -- with a list of other top sites that have not yet updated to HTTPS.
"Google has been working hard toward our objective of achieving 100% encryption across our products and services," the company wrote, while touting its HTTPS deployment. According to company statistics, as of Feb. 27, 2016, 77% of all requests to Google servers were encrypted.
Google's Gmail service has been encrypting 100% of Gmail connections with HTTPS since 2014, but other services -- such as Google Advertising, Finance, News and Maps -- have lagged behind. Google HTTPS efforts have run into technical obstacles, such as older technology that doesn't support modern encryption, or "political challenges," such as countries that block or degrade HTTPS traffic, according to the company. As of Feb. 27, 58% of Google Finance connections were encrypted with HTTPS; other services did better, with 77% of Advertising connections and 83% of Maps connections being encrypted. The search giant stated that it continues "to work through the technical barriers that make it more difficult to support encryption on some of our products."
The Certificate Transparency log viewer offers users a way to look up all of the digital certificates in public Certificate Transparency logs that have been issued for a given hostname, including expired certificates and certificates for subdomains of a hostname. Certificate Transparency provides a way for certificate authorities to publicly declare certificates they have generated legitimately. Using the logs, it is possible to determine whether an attacker has been issued a certificate for a domain not under the attacker's control, as well as to determine when a CA has been subverted.
The goal of Certificate Transparency is to mitigate flaws in the structure of the SSL certificate system that can "facilitate a wide range of security attacks, such as website spoofing, server impersonation and man-in-the-middle attacks," according to the Certificate Transparency project.
Certificate Transparency got a boost last year when Symantec was caught improperly generating digital certificates; Google subsequently imposed sanctions on Symantec for the breach of protocol.
Google's Transparency Report project aims to offer access to data "that sheds light on how laws and policies affect Internet users and the flow of information online," including statistics on requests to remove content by copyright holders or governments, requests for information about users from governments, European privacy search removal requests and more.

No comments:

Post a Comment