Google launches root certificate authority

Facepalm

The biggest self-signed certificate in the world, then?

30
0
Anonymous Coward

Yes, to better intercept you with. You're now not going to notice an MITM attack if Google is helping.

Dang, yet another thing to monitor: my root cert stores. I don't want any website with a Google certificate representing themselves as safe.

11
5
Anonymous Coward

Much bigger than the biggest of self-signed certs. A root cert means that you trust all of the unlimited number of certs it has and will ever sign. However, as you almost certainly already have 50+ root certs in your browser's root cache that you have given this level of trust (normally by trusting your browser supplier), one more is not so significant, particularly so as you sort of know who Google is, unlike some of the other certificate authorities we have blindly chosen to trust.

6
0
Silver badge

Blindly CHOSEN to trust?

No one chose to trust all those, Microsoft, Mozilla and Google did, and embedded the list in our browser's default install.

5
0
Anonymous Coward

Re: Blindly CHOSEN to trust?

Well, you can remove root certs from your root cache if you don't trust them, but you do trust them because Microsoft, Mozilla and Google did. Trusting something because someone else does is transitive trust. Some would call it blind trust, which is particularly apt as very few people even know that the root cert cache in their browser exists, let alone look at it.

4
0
Bronze badge

Uhm, all root certs are self-signed.

And it's not the actual root cert that will be used for their sites. It'll be kept very much offline (HSM in a vault/safe, probably), or else they would be very much in violation of any established rules for CAs.

At most this will result in a shorter certificate chain. Usually CAs just sign a couple of intermediary certs with their root and then use them to issue certs, so a compromised cert will have less impact. Google could conceivably, if their organization allows it, actually sign the certs for their sites directly with the root.

0
0
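As an added illustration of the points made in this and the earlier comments about root stores (this is example code written for this page, not code from the article or from Google's CA), the following Go program builds a throwaway root -> intermediate -> site-certificate hierarchy with the standard library and checks the site certificate against a trust store with and without the root; all names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent; a nil parent yields a self-signed root (which is why a real root key lives offline).
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // only a CA may sign certificates; that single bit makes a cert a trust anchor for everything below it
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Verify checks leaf against the given trust anchors, as a browser's root store does, and returns the chains it could build.
func Verify(leaf, inter *x509.Certificate, roots ...*x509.Certificate) ([][]*x509.Certificate, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool.AddCert(inter) // the intermediate is what the server would present alongside its own cert
	return leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
}

func main() {
	// Constructed hierarchy: offline root -> issuing intermediate -> site cert (names are made up).
	root, rootKey := mkCert("Example Root CA", true, 1, nil, nil)
	inter, interKey := mkCert("Example Issuing CA 1", true, 2, root, rootKey)
	leaf, _ := mkCert("www.example.test", false, 3, inter, interKey)
	chains, err := Verify(leaf, inter, root)
	fmt.Println(len(chains[0]), err) // 3 <nil>: leaf, intermediate, root
	_, err = Verify(leaf, inter)     // the same site once the root is removed from the store
	fmt.Println(err)                 // x509: certificate signed by unknown authority
}
```

Every leaf the root (or any intermediate it signs) ever issues verifies the same way, which is the "unlimited number of certs" point above; a root that is absent from the store, or an unrelated root, vouches for nothing.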
Anonymous Coward

google authentication

is there a way to get ssl ca without going thru a third party that wants to charge u for the cert so ur security is not freaking out?

0
0
Bronze badge

Re: google authentication

No, unless you have some magic ability to get your root cert into the major browsers without spending a lot of money. Which you probably don't.

However, there are CAs that issue certs for free. Let's Encrypt ( http://www.letsencrypt.org ) being the standard one.

0
0
Silver badge

Curiosity.

Which other equivalent-level entities run their own CAs? Microsoft? Oracle? IBM? Amazon?

1
0
Silver badge

Re: Curiosity.

Only Microsoft, from that list (they run 2, IIRC). Depends what you mean by 'equivalent-level'; if you mean private companies, a couple of dozen. If you mean big tech companies, just MS really.

1
1
Coat

Re: Curiosity.

I assume Lenovo (Superfish) don't count then? ;-)

5
0

Re: Curiosity.

Amazon have been in the CA game for a short time now - since mid 2015-ish: https://www.amazontrust.com/repository/ & https://bugzilla.mozilla.org/show_bug.cgi?id=1172401

0
0
Bronze badge
Big Brother

All ur certs r belong to us

One CA to rule them all, and in the matrix bind them.

I'm off to install HTTP Everywhere. At least I won't have a false sense of security.

6
0
Silver badge
IT Angle

maybe THAT is why the NEW browser cert warnings?

as I understand it, chrome (and now firefox) have extra big/loud security warnings regarding certs, now. Not sure what they look like, but it's interesting timing, right?

Let's hope you can STILL load your own root cert for self-signed stuff in perpetuity, or is there going to be another TOLL BOOTH in the future for the small-time developer and experimenter?

0
0
Anonymous Coward

This should make

Man in the middle data slurping much easier if they open this to the public.

0
2
Anonymous Coward

Just another data gathering vector

see title.

4
0

Poor Certificate Practices

https://static.googleusercontent.com/media/pki.goog/en//GTS-CP-1.0.pdf

Google = Up to 4 DAYS to update OCSP, Up to 1 WEEK to update the CRL.

This is not reasonable when Symantec does less than 5 minutes for OCSP and daily for CRL.

0
0
Black Helicopters

Cui bono?

Some things spring to mind... I foresee the G will, in an effort to "increase internet security", plop a new kind of certificate on the general public, beyond EV, which will miraculously be supported by G CA and Chrome (and nothing else) from day 0. Hell, if they're audacious enough, they'll limit federated login (do they even still do OpenAuth etc?) to sites having a cert _they_ trust for your page, so no Turktrust, but also no Let's Encrypt or Deutsche Telekom. Oh, and of course they want to push their transparency logs, which already, going from past reports, can take up to several days to process, because you know who runs enough servers to make sure they dominate those cryptoledgers and get their certs in on the fast lane.

The amount of long game the G plays is scary, better stockpile tin foil.

3
1

Re: Cui bono?

You realise that Google's Chrome is a platinum-level sponsor of Let's Encrypt?

0
0

HTTPS everywhere!

HTTPS everywhere! Well, to the edge anyway. Behind the load balancers? Ahem.

2
0

Now we know why they refuse to bake DANE into Chrome.

Total control over minions.

2
0
Bronze badge

Consuming other people's encrypted data makes it harder for the spooks to crack unless there is "depth", much like we saw with Heil Hitler being used repeatedly in WW2 messages, and it also makes it easier for said companies to hack their users, but it also makes them an attractive attack vector for hackers. Question is, will Google have someone on standby ready to enter the password at a moment's notice when their root certificate server needs rebooting? SSL/TLS is not that secure unless you have to enter the password and keyloggers are not installed on the system.

0
0

If you can't be bothered with all that procedural stuff and the auditing nonsense, just buy an existing cert and you can skip it all and just start issuing your own certs straight away!

0
0

Now perfectly positioned

Google are now perfectly positioned to lead the legal fight against Trump's encryption backdoor ideas.

0
0
Bronze badge
Pint

GlobalSign R2 and R4 bought by Google? Thanks for reporting this, I'm going to remove them from browser "trusted" list immediately.

1
0

Wonder if this means they'll support HTTPS on Google Sites on a Google Domain now.

No/T

0
0
Bronze badge

Holy Shit!

Ok, I know this is an old thread, but did anyone else notice at the time that Google's becoming a root CA coincided with their removal of the certificate details link from the little lock icon in Chrome? Now, to my eye, this was because they have every intention of instituting a wide policy of MITM attacks. And what easier way than to show a green "all is good" lock icon, and then hide the fact that the "Trusted" authority signing that certificate is none other than Google themselves!

Yes, you can still view the certificate information, after a long series of clicks. This seems too related to be mere coincidence!

Of course, this is being obfuscated by my own employer's MITM attacks "for security reasons". Good lord, the internet is falling apart!

2
0
