
The biggest self-signed certificate in the world, then?
Google has launched its own root certificate authority. The move, announced Thursday, will stop Google relying on an intermediate certificate authority (GIAG2) issued by a third party in its ongoing process of rolling out HTTPS across its products and services. "As we look forward to the evolution of both the web and our own …
Much bigger than the biggest of self-signed certs. A root cert means that you trust all of the unlimited number of certs it has signed and will ever sign. However, as you almost certainly already have 50+ root certs in your browser's root cache to which you have given this level of trust (normally by trusting your browser supplier), one more is not so significant, particularly as you sort of know who Google is, unlike some of the other certificate authorities we have blindly chosen to trust.
Well, you can remove root certs from your root cache if you don't trust them, but you do trust them because Microsoft, Mozilla and Google did. Trusting something because someone else does is transitive trust. Some would call it blind trust, which is particularly apt as very few people even know that the root cert cache in their browser exists, let alone look at it.
Uhm, all root certs are self-signed.
And it's not the actual root cert that will be used for their sites. It'll be kept very much offline (HSM in a vault/safe, probably), or else they would be very much in violation of any established rules for CAs.
At most this will result in a shorter certificate chain. Usually CAs just sign a couple of intermediate certs with their root and then use them to issue certs, so a compromised cert will have less impact. Google could conceivably, if their organization allows it, actually sign the certs for their sites directly with the root.
As I understand it, Chrome (and now Firefox) have extra big/loud security warnings regarding certs now. Not sure what they look like, but it's interesting timing, right?
Let's hope you can STILL load your own root cert for self-signed stuff in perpetuity, or is there going to be another TOLL BOOTH in the future for the small-time developer and experimenter?
Some things spring to mind... I foresee the G will, in an effort to "increase internet security", plop a new kind of certificate on the general public, beyond EV, which will miraculously be supported by G CA and Chrome (and nothing else) from day 0. Hell, if they're audacious enough, they'll limit federated login (do they even still do OpenAuth etc?) to sites having a cert _they_ trust for your page, so no Turktrust, but also no Let's Encrypt or Deutsche Telekom. Oh, and of course they want to push their transparency logs, which already, going from past reports, can take up to several days to process, because you know who runs enough servers to make sure they dominate those cryptoledgers and get their certs in on the fast lane.
The amount of long game the G plays is scary, better stockpile tin foil.
Consuming other people's encrypted data makes it harder for the spooks to crack unless there is "depth", much like we saw with "Heil Hitler" being used repeatedly in WW2 messages, and it also makes it easier for said companies to hack their users, but also an attractive attack vector for hackers. Question is, will Google have someone on standby ready to enter the password at a moment's notice when their root certificate server needs rebooting? SSL/TLS is not that secure unless you have to enter the password and keyloggers are not installed on the system.
OK, I know this is an old thread, but did anyone else notice at the time that Google's becoming a root CA coincided with their removal of the certificate details link from the little lock icon in Chrome? Now, to my eye, this was because they have every intention of instituting a wide policy of MITM attacks. And what easier way than to show a green "all is good" lock icon, and then hide the fact that the "Trusted" authority signing that certificate is none other than Google themselves!
Yes, you can still view the certificate information, after a long series of clicks. This seems too related to be mere coincidence!
Of course, this is being obfuscated by my own employer's MITM attacks "for security reasons". Good lord, the internet is falling apart!