back to article Google launches root certificate authority

Google has launched its own root certificate authority. The move, announced Thursday, will stop Google relying on an intermediate certificate authority (GIAG2) issued by a third party in its ongoing process of rolling out HTTPS across its products and services. "As we look forward to the evolution of both the web and our own …

  1. Forget It

    The biggest self signed certificate in the world, then?

    1. Anonymous Coward
      Anonymous Coward

      Yes, to better intercept you with. You're now not going to notice an MITM attack if Google is helping..

      Dang, yet another thing to monitor: my root cert stores. I don't want any website with a Google certificate representing themselves as safe.

      1. Anonymous Coward
        Anonymous Coward

        google authentication

        is there a way to get ssl ca without going thru a thrid party that wants to charge u for the cert so ur security is not freaking out ?

        1. patrickstar

          Re: google authentication

          No, unless you have some magic ability to get your root cert into the major browsers without spending a lot of money. Which you probably don't.

          However, there are CAs that issue certs for free. Lets Encrypt ( ) being the standard one.

    2. Anonymous Coward
      Anonymous Coward

      Much bigger than the biggest of self signed certs. A root cert means that you trust all of the unlimited number of certs it has and will ever sign. However as you almost certainly already have 50+ root certs in your browsers root cache that you have given this level of trust (normally by trusting your browser supplier) one more is not so significant, particularly so as you sort of know who Google is unlike some of the other certificate authorities we have blindly chosen to trust.

      1. Anonymous Coward
        Anonymous Coward

        Blindly CHOSEN to trust?

        No one chose to trust all those, Microsoft, Mozilla and Google did, and embedded the list in our browser's default install.

        1. Anonymous Coward
          Anonymous Coward

          Re: Blindly CHOSEN to trust?

          Well you can remove root certs them from your root cache if you don't trust them, but you do trust them because Microsoft, Mozilla and Google did. Trusting something because someone else does is transitive trust. Some would call it blind trust which is particularly apt as very few people even know that the root cert cache in their browser exists let alone looks at it.

    3. patrickstar

      Uhm, all root certs are self-signed.

      And it's not the actual root cert that will be used for their sites. It'll be kept very much offline (HSM in a vault/safe, probably), or else they would be very much in violation of any established rules for CAs.

      At most this will result in a shorter certificate chain. Usually CAs just sign a couple intermediary certs with their root and then use them to issue certs so a compromised cert will have less impact. Google could conceivably, if their organization allows it, actually sign the certs for their sites directly with the root.

  2. Daggerchild Silver badge


    Which other equivalent-level entities run their own CA's? Microsoft? Oracle? IBM? Amazon?

    1. Naselus

      Re: Curiosity.

      Only Microsoft, from that list (they run 2, IIRC). Depends what you mean by 'equivalent-level'; if you mean private companies, a couple of dozen. If you mean big tech companies, just MS really.

      1. Ol' Grumpy

        Re: Curiosity.

        I assume Lenovo (Superfish) don't count then? ;-)

      2. lukegb

        Re: Curiosity.

        Amazon have been in the CA game for a short time now - since mid 2015-ish: &

  3. Anonymous Coward
    Big Brother

    All ur certs r belong to us

    One CA to rule them all, and in the matrix bind them.

    I'm off to install HTTP Everywhere. At least I won't have a false sense of security.

  4. bombastic bob Silver badge
    IT Angle

    maybe THAT is why the NEW browser cert warnings?

    as I understand it, chrome (and now firefox) have extra big/loud security warnings regarding certs, now. Not sure what they look like, but it's interesting timing, right?

    Let's hope you can STILL load your own root cert for self-signed stuff in perpetuity, or is there going to be another TOLL BOOTH in the future for the small-time developer and experimenter?

  5. Anonymous Coward
    Anonymous Coward

    This should make

    Man in the middle data slurping much easier if they open this to the public.

  6. Anonymous Coward
    Anonymous Coward

    Just another data gathering vector

    see title.

  7. ComedyIsn'tPretty

    Poor Certificate Practices

    Google = Up to 4 DAYS to update OCSP, Up to 1 WEEK to update the CRL.

    This is not reasonable when Symantec does less than 5 minutes for OCSP and daily for CRL.

  8. brotherelf
    Black Helicopters

    Cui bono?

    Some things spring to mind... I foresee the G will, in an effort to "increase internet security", plop a new kind of certificates on the general public, beyond EV, which miraculously be supported by G CA and Chrome (and nothing else) from day 0. Hell, if they're audacious enough, they'll limit federated login (do they even still do OpenAuth etc?) to sites having a cert _they_ trust for your page, so no Turktrust, but also no Let'sEncrypt or Deutsche Telekom. Oh, and of course they want to push their transparency logs, which already, going from past reports, can take up to several days to process, because you know who runs enough servers to make sure they dominate those cryptoledgers and get their certs in on the fast lane.

    The amount of long game the G plays is scary, better stockpile tin foil.

    1. Jon Bright

      Re: Cui bono?

      You realise that Google's Chrome is a platinum-level sponsor of Let's Encrypt?

  9. batfastad

    HTTPS everywhere!

    HTTPS everywhere! Well, to the edge anyway. Behind the load balancers? Ahem.

  10. Drew 11

    No we know why they refuse to bake DANE into Chrome.

    Total control over minions.

  11. tr1ck5t3r

    Consuming other peoples encrypted data makes it harder for the spooks to crack unless there is "depth" much like we saw with Heil Hitler being used repeatedly during WW2 messages, and it also makes it easier for said companies to hack their user's but also an attractive attack vector's for hackers. Question is, will Google have someone on standby ready to enter the password at a moment's notice when their root certificate server needs rebooting? SSL/TLS is not that secure unless you have to enter the password and keyloggers are not installed on the system.

  12. Mike007 Bronze badge

    If you can't be bothered with all that procedural stuff and the auditing nonsense, just buy an existing cert and you can skip it all and just start issuing your own certs straight away!

  13. Kay Burley ate my hamster

    Now perfectly positioned

    Google are now perfectly positioned to lead the legal fight against Trump's encryption backdoor ideas.

  14. Ramazan

    GlobalSign R2 and R4 bought by Google? Thanks for reporting this, I'm going to remove them from browser "trusted" list immediately.

  15. Nat C.

    Wonder if this means they'll support HTTPS on Google Sites on a Google Domain now.


  16. hellwig

    Holy Shit!

    Ok, I know this is an old thread, but did anyone else notice at the time that Google's becoming a root CA coincided with their removal of the certification details link from the little lock icon in Chrome? Now, to my eye, this was because they have every intention of instituting a wide policy of MITM attacks. And what easier way than to show a green "all is good" lock icon, and then hide that fact that the "Trusted" authority signing that certificate is none other than Google themselves!

    Yes, you can still view the certificate information, after a long series of clicks. This seems too related to be mere coincidence!

    Of course, this is being obfuscated by my own employers MITM attacks "for security reasons". Good lord, the internet is falling apart!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like