One Article Review

Source GoogleSec
Identifier 8338783
Publication date 2023-05-23 12:01:36 (seen: 2023-05-23 17:06:33)
Title How the Chrome Root Program Keeps Users Safe
Text Posted by Chrome Root Program, Chrome Security Team

What is the Chrome Root Program?

A root program is one of the foundations for securing connections to websites. The Chrome Root Program was announced in September 2022. If you missed it, don't worry - we'll give you a quick summary below!

Chrome Root Program: TL;DR

Chrome uses digital certificates (often referred to as “certificates,” “HTTPS certificates,” or “server authentication certificates”) to ensure the connections it makes for its users are secure and private. Certificates are issued by trusted entities called “Certification Authorities” (CAs). The collection of digital certificates, CA systems, and other related online services is the foundation of HTTPS and is often referred to as the “Web PKI.”

Before issuing a certificate to a website, the CA must verify that the certificate requestor legitimately controls the domain whose name will be represented in the certificate. This process is often referred to as “domain validation” and there are several methods that can be used. For example, a CA can specify a random value to be placed on a website, and then perform a check to verify the value's presence. Typically, domain validation practices must conform with a set of security requirements described in both industry-wide and browser-specific policies, like the CA/Browser Forum “Baseline Requirements” and the Chrome Root Program policy.

Upon connecting to a website, Chrome verifies that a recognized (i.e., trusted) CA issued its certificate, while also performing additional evaluations of the connection's security properties (e.g., validating data from Certificate Transparency logs). Once Chrome determines that the certificate is valid, Chrome can use it to establish an encrypted connection to the website. Encrypted connections prevent attackers from being able to intercept (i.e., eavesdrop) or modify communication. In security speak, this is known as confidentiality and integrity.

The Chrome Root Program, led by members of the Chrome Security team, provides governance and security review to determine the set of CAs trusted by default in Chrome. This set of so-called "root certificates" is known as the Chrome Root Store.

How does the Chrome Root Program keep users safe?

The Chrome Root Program keeps users safe by ensuring the CAs Chrome trusts to validate domains are worthy of that trust. We do that by: administering policy and governance activities to manage the set of CAs trusted by default in Chrome, evaluating impact and corresponding security implications related to public security incident disclosures by participating CAs, and leading positive change to make the ecosystem more resilient.

Policy and Governance

The Chrome Root Program policy defines the minimum requirements a CA owner must meet for inclusion in the Chrome Root Store. It incorporates the industry-wide CA/Browser Forum Baseline Requirements and further adds security controls to improve Chrome user security. The CA
Sent Yes
Tags
Stories
Rating ★★


The article does not appear to have been picked up again after its publication.


The article does not appear to be a follow-up to an earlier one.