8 votes

Chrome will soon have its own dedicated certificate root store

9 comments

  1. [5]
    dedime

    I'm not totally against this, but we need to be aware of the trust we're placing in Google, like the trust we placed in our OEM before.

    Google now has DoH available for Google Chrome. This is frequently set to use Google's servers. This, combined with a Google-controlled root certificate store, means Google could theoretically MITM any HTTPS connection they desired. If Google really wanted, they could target your computer so that requests to e.g. https://yourbank.com resolve to their own (malicious) IP, HTTPS encrypted with their own falsely issued certificate that resides in their root certificate store. Unless the software you use is completely open source, from silicon to application-level code, you can't really be sure they aren't already doing this.

    I'm sure there are caveats and other possibilities at play here, but to me the bottom line is we need to continue to aggressively support FOSS software, and especially FOSS software that deals with security, anonymity, and privacy. WireGuard and Matrix are two projects I follow in this space.

    6 votes
    1. [2]
      skybrian

      If you rely on a vendor for OS or browser security updates, they are already in your trusted base. If your threat model is that someone there is out to get you, it's game over already.

      I assume Google is not out to get me, but I'm getting more concerned about accidents. The really high risk stuff is having your Google account broken into and having your Google account cancelled. The first risk can be fixed with a Yubikey and the second risk can't be fixed at all. If I weren't already all-in with Google, I'd seriously consider not having a Google account or keeping it in some kind of sandbox that you don't use much. (As I do for my Facebook account. I use it only for Facebook itself and (rarely) for Instagram.)

      2 votes
      1. teaearlgraycold

        Probably the most important part of your Google account is your email address. I would recommend switching to another email provider and that you use an email domain you control. If you can't do the former, at least do the latter. It'll allow you to point the same address at a different host if needed, which helps you if your Google account is cancelled and when you eventually move away from Gmail.

    2. [2]
      nacho

      I'm not worried about Google doing this themselves, but what if they're compelled by a government to spoof your web experience?

      1 vote
      1. jcdl

        A three letter agency is most likely going to use one of many certificate authorities in the list rather than compromise Google. That way they can pick one that belongs to all trust stores and hit everyone.

        2 votes
  2. [2]
    jcdl

    I'm a longtime Firefox user, so this isn't a new idea for me, but it made me think a little bit about who I would trust most to decide which root certs are safe. I don't think there's a practical difference, at least for me in a 5-eyes country, between the choices Apple, Google, Microsoft, Mozilla, and assorted Linux distro maintainers make. Out of the bunch I'd be inclined to trust Apple the most, but the overlap between them is close to 1.00 anyway.

    6 votes
    1. vord

      It's probably largely moot, but if it were priority #1 I'd likely try to find common sources across numerous distros, particularly ones based outside the USA and keyservers.

      But ultimately, if I've learned anything from Snowden, it's that security, at this point, mostly only exists so long as you keep a low profile. If you're targeted to the point it matters that you're in a 5-eyes country, you're likely going to be compromised.

      3 votes
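The two comments above (jcdl's "overlap between them is close to 1.00" and vord's idea of finding the roots common to several distros) both come down to the same measurement: which certificates two trust stores share. The script below is an added example, not code from the thread or from any browser or distro project. It parses PEM bundles, fingerprints each certificate by the SHA-256 of its DER bytes (the usual way roots are compared, since the same root ships under different file names in different stores), and reports the intersection, the differences, and a Jaccard overlap ratio. The two bundles it runs on are constructed: their PEM bodies are arbitrary base64, not real certificates, so the arithmetic can be checked offline. Pointing `compare_stores` at real files such as a distro's `ca-certificates.crt` and a browser's exported root list works the same way.

```python
"""Compare two root-CA bundles (PEM) by SHA-256 fingerprint of the DER body.

Added example, not from the thread. The sample bundles below are
constructed: the PEM bodies are arbitrary base64, not real certificates.
"""
import base64
import hashlib
import re
from typing import Dict, Set

# A PEM bundle is a sequence of BEGIN/END CERTIFICATE blocks, each wrapping
# base64-encoded DER, usually line-wrapped at 64 characters.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(bundle: str) -> Set[str]:
    """Return the set of SHA-256 fingerprints (hex) of every cert in a PEM bundle."""
    fps = set()
    for match in PEM_RE.finditer(bundle):
        # Strip the line wrapping before decoding; the hash is over the raw DER,
        # which is what trust stores and CT logs use as the certificate identity.
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def compare_stores(bundle_a: str, bundle_b: str) -> Dict[str, object]:
    """Intersection, differences and Jaccard overlap of two PEM trust stores."""
    fa, fb = pem_fingerprints(bundle_a), pem_fingerprints(bundle_b)
    common, union = fa & fb, fa | fb
    return {
        "common": sorted(common),          # roots both stores trust
        "only_in_a": sorted(fa - fb),      # roots A trusts that B does not
        "only_in_b": sorted(fb - fa),      # roots B trusts that A does not
        "jaccard": len(common) / len(union) if union else 1.0,
    }


def _constructed_pem(label: str) -> str:
    """Build a PEM block whose body is NOT a real certificate (constructed input)."""
    body = base64.b64encode(f"constructed-root-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Two constructed stores: they share "2" and "3", and each has one root the
# other lacks, so the expected Jaccard overlap is 2 / 4 = 0.5.
STORE_VENDOR_X = "".join(_constructed_pem(n) for n in ("1", "2", "3"))
STORE_VENDOR_Y = "".join(_constructed_pem(n) for n in ("2", "3", "4"))


if __name__ == "__main__":
    report = compare_stores(STORE_VENDOR_X, STORE_VENDOR_Y)
    print(f"common roots : {len(report['common'])}")
    print(f"only in X    : {len(report['only_in_a'])}")
    print(f"only in Y    : {len(report['only_in_b'])}")
    print(f"jaccard      : {report['jaccard']:.2f}")
```

The `only_in_a` / `only_in_b` lists are the interesting output on real stores: a root present in one vendor's bundle but absent from another's is exactly the kind of entry worth reading the vendor's inclusion or distrust record for, and the intersection is the "common sources" set vord describes.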
  3. [2]
    skybrian

    Firefox already does the same.

    I don't know which is better. Should you trust the OS vendor more or the browser vendor? Clearly you are already trusting both of them. Either way, users are not making their own decisions about which root certificates to trust, and it seems to me that they shouldn't have to. The average user doesn't even know what root certificates are, let alone which roots are good.

    What would user empowerment even look like, when you delegate a decision and don't even know enough to decide who best to delegate to?

    4 votes
    1. Wes

      Agreed. I'm not sure if I like browsers handling this or not. Browser vendors are usually more agile and quick to adopt best practices, whereas an OS update can take weeks or months to roll out. From that perspective it probably is better for security.

      And yet... it's more complexity. Having a single canonical source of information is somehow more appealing to me as a developer. Maybe that's the DRY principle rubbing off. I was iffy on Firefox having their own store for the same reason.

      Though I guess I'm a little surprised the Chrome team has held off for as long as they have. They've had some strong opinions on certificates in the past, but this move gives them a lot more room to actually enforce what they consider to be best practices.

      2 votes