Google Online Security Blog

Time to challenge yourself in the 2023 Google CTF!

May 26, 2023

Vincent Winstead, Technical Program Manager

It’s Google CTF time! Get your hacking toolbox ready and prepare your caffeine for rapid intake. The competition kicks off on June 23 2023 6:00 PM UTC and runs through June 25 2023 6:00 PM UTC. Registration is now open at g.co/ctf.

Google CTF gives you a chance to challenge your skillz, show off your hacktastic abilities, and learn some new tricks along the way. It consists of a set of computer security puzzles (or challenges) involving reverse-engineering, memory corruption, cryptography, web technologies, and more. Use obscure security knowledge to find exploits through bugs and creative misuse. With each completed challenge your team will earn points and move up through the ranks.

The top 8 teams will qualify for our Hackceler8 competition taking place in Tokyo later this year. Hackceler8 is our experimental esport-style hacking game, custom-made to mix CTF and speedrunning. In the competition, teams need to find clever ways to abuse the game features to capture flags as quickly as possible. See the 2022 highlight reel to get a sense of what it’s like. The prize pool for this year’s event stands at more than $32,000!

Screenshot from Hackeler8 2022 speedrun competition

Itching to get started early? Want to learn more, or get a leg up on the competition? Review challenges from previous years, including previous Hackceler8 matches, all open-sourced here. Or gain inspiration by binge watching hours of Hackceler8 2020 videos!

If you are just starting out in this space, check out last year’s event H4CK1NG GOOGLE! It’s a great way to get acquainted with security. You can also get ready for this year’s Beginner’s Quest that’ll be launching later this summer which will be in the theme of Computer History, so get ready for some technology archaeology.

Whether you’re a seasoned CTF player or just curious about cyber security and ethical hacking, we want you to join us. Sign up to expand your skill set, meet new friends in the security community, and even watch the pros in action. For the latest announcements, see g.co/ctf, subscribe to our mailing list, or follow us on Twitter @GoogleVRP. Interested in bug hunting for Google? Check out bughunters.google.com. See you there!

Google Trust Services ACME API available to all users at no cost

May 25, 2023

David Kluge, Technical Program Manager, and Andy Warner, Product Manager

Nobody likes preventable site errors, but they happen disappointingly often.

The last thing you want your customers to see is a dreaded 'Your connection is not private' error instead of the service they expected to reach. Most certificate errors are preventable and one of the best ways to help prevent issues is by automating your certificate lifecycle using the ACME standard. Google Trust Services now offers our ACME API to all users with a Google Cloud account (referred to as “users” here), allowing them to automatically acquire and renew publicly-trusted TLS certificates for free. The ACME API has been available as a preview and over 200 million certificates have been issued already, offering the same compatibility as major Google services like google.com or youtube.com.

The Automatic Certificate Management Environment (ACME) protocol enables users to easily automate their TLS certificate lifecycle using a standards based API supported by dozens of clients to maintain certificates. ACME has become the de facto standard for certificate management on the web and has helped broaden adoption of TLS. The majority of all TLS certificates in the WebPKI today are issued by ACME CAs. ACME users experience fewer service outages caused by expired certificates by using ACME's automated certificate renewal capabilities. Manual certificate updates are a common source of outages, even for major online services. Sites already using ACME can configure multiple ACME providers to increase resilience during CA outages or mass renewal events.

What customers say

During the preview phase, the ACME endpoint has already been used extensively. The number of certificates requested by our users has driven up the GTS issuance volume to the fourth largest publicly trusted Certificate Authority.

"At Cloudflare, we believe encryption should be free for all; we pioneered that for all our customers back in 2014 when we included encryption for free in all our products. We're glad to see Google join the ranks of certificate authorities that believe encryption should be free for everyone, and we're proud to offer Google as a CA choice for our customers. Their technical expertise guarantees they'll be able to scale to meet the needs of an increasingly encrypted Internet," says Matthew Prince, CEO, Cloudflare.

Making the Web Safer

The Google Trust Services ACME API was introduced last year as a preview. The service recently expanded support for Google Domains customers. By further opening up the service, we're adding another tool to Google’s Cyber Security Advancements, keeping individuals, businesses, and governments safer online through highly trusted and free certificates. We're also introducing two significant features that further enhance the certificate ecosystem: ACME Renewal Information (ARI) and Multi-perspective Domain Validation. ARI is a new standard to help manage renewals that we're excited to support. General availability of multi-perspective domain validation brings the benefits of years of work to increase the security of Google's certificates for all users.

ACME Renewal Information (ARI)

ACME Renewal Information (ARI) addresses the longstanding challenge of knowing when a certificate must be replaced before its standard renewal period via an API.

ARI is an Internet Engineering Task Force (IETF) Internet Draft authored by Let’s Encrypt as an extension to the ACME protocol. It helps service operators automatically replace their certificates in case revocation must occur before the certificate expires.

Serving certificate renewal information via ACME is particularly useful for managing large certificate populations. ARI could have potentially made a difference in past certificate replacement events affecting large parts of the WebPKI, including the 2019 serial number entropy bug affecting multiple CAs which forced rapid replacement of hundreds of thousands of certificates.

Multi-Perspective Domain Validation

Multi-perspective domain validation (MPDV), enhances the validation process for certificate issuance. Publicly-trusted CAs, like Google Trust Services, ensure only authorized requesters can obtain certificates for a given domain name by confirming the requester can prove control over the domain via validation challenges. Domain validation provides a high level of assurance under normal conditions. However, domain control validation methods can be vulnerable to attacks such as DNS cache poisoning and Border Gateway Protocol (BGP) hijacking.

With MPDV, domain control verification is performed from multiple locations, referred to as “network perspectives.” Using multiple perspectives significantly improves the reliability of validation by preventing localized attacks from being able to fool validation checks. Let’s Encrypt adopted the first at-scale MPDV implementation, which performed the validation from three different network perspectives and required a quorum before issuance.

Our approach is similar. We also require a quorum of different network perspectives, but thanks to the scale and reach of our infrastructure, we have thousands of egress points forming “regional perspectives” that deter attackers from compromising enough targets to secure an invalid validation.

How do I use it?

Please see the Public CA Tutorial. The ACME API is free and available to anyone with a Google Cloud account. More information is available at pki.goog.