Check out “Maintaining digital certificate security” by Adam Langley over on the Google Online Security blog. Bad certs in the wild, many Windows users (but not on Firefox) vulnerable. This is very, very bad. Let me elaborate a bit and explain how Google could solve this problem.
Digital certificates (everyone says “certs”) are a key ingredient in making the Web secure enough that you can use it for banking and buying things. You need one if you want to operate a web address starting with “https:”. You buy them from a “certificate authority” (everyone says “CA”).
Fortunately, they’re cheap and reliable and pretty easy to use. These days, you can get them for free for some applications. Plug: I got mine for tbray.org from SSLs.com; it was easy, straightforward and cheap.
Unfortunately, the CA business is poorly regulated, there are too many CAs, and some have questionable competence and/or ethics, this most recent story being an example. If your security gets compromised, do you care whether it’s because the cert provider screwed up, got bribed by a crook, or was “persuaded” by an intelligence agency? I don’t. But these things happen.
Specifically: When a screw-up like that one in India happens, it means that if bad guys got their hands on those fake Google certs (and maybe some did) they could pretend to be google.com and steal your Google account (and maybe some did).
Since the cert infrastructure is just as essential to modern commerce as are accounting standards or liability rules, the natural thing would be to call for auditing and regulation. We sort of already have this: there’s an auditing scheme called “WebTrust”. But it doesn’t inspire much confidence; check out its only online presence, apparently at a Canadian accounting-standards site, webtrust.org. Also, empirically, there are regular bogus-cert stories.
It does seem to me that some head-bashing by governments to stiffen up the auditing standards and make them more transparent might be useful here. On the other hand, this could drive up the cost of certs; and also many people are nervous, for good reason, about government over-regulation and over-reach.
But Google could solve the problem. When I was working there, a couple non-Googlers told me “Google should just wade into that biz, provide a super-cheap, super-friendly, super-reliable cert store, and drive the morons and crooks out of business.” The more I thought about this, the more it made sense to me.
It still does. Google has the security infrastructure and scale to do it better and cheaper and faster and safer. The status quo is bad for Google and bad for the Internet. The only other companies with comparable scale and reach at the moment are, in my opinion, Facebook and (maybe) Microsoft. I think it would make perfect sense for either of them to get into the biz as well.
If Google did, it would probably suck the money out of this whole sector and maybe destroy operators like the apparently-nice-guys over at SSLs.com. Which would be a sad but appropriate consequence of capitalism.