Google to tighten SSL certificate security policies

Google will enforce its Certificate Transparency initiative next October, expecting site credentials to comply with its policies in order to to be trusted by the popular Chrome web browser.

The Certificate Transparency initiative aims to sort out structural flaws in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) crypto system.

Chrome is currently the world's most popular web browser, with over a half of the globe's internet users favouring it over Microsoft's Internet Explorer, Mozilla Firefox and other browsers.

Google engineer Ryan Sleevi announced the policy update on an internet forum.

"This is a significant step forward in the online trust ecosystem. The investments made by CAs adopting CT, and Chrome requiring it in some cases, have already paid tremendous dividends in providing a more secure and trustworthy internet," Sleevi said.

"The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs."

Sites not compliant with the Certificate Transparency initiative will be flagged by Chrome as dangerous and blocked by an interstitial. This includes sites that use stolen, misconfigured or otherwise incorrect certificates.

The online giant pointed to a Malaysian certificate authority mistakenly issuing 22 weak SSL certificates that could be used to impersonate sites as an example of the need for the change in policy.

Similarly, it noted that TrustWave had issued subordinate credentials of root certificates, allowing a customer to monitor internet traffic through a man in the middle attack.