Chrome is getting its own set of Certificate Authority roots

December 14, 2020

The news of the semi-recent time interval is that Google has decided that Chrome will have its own program to decide what CA root certificates it trusts, the Chrome Root Program. Up until this decision, Chrome has mostly or entirely used the system root certificate store, at least on Windows and macOS. This has made it the odd browser out among the four remaining major browsers; Firefox uses its own CA root set, while Safari and Microsoft Edge are basically co-developed with their OSes and presumably have major input on what is in the macOS and Windows CA root sets.

(The exception is Chrome on iOS, where Google is forced to use the iOS root store because of how all web browsers have to operate there.)

Google is operating this root program independently of Mozilla, but will apparently be reusing parts of the work Mozilla does in public for Firefox's CA root program. This isn't really surprising; each project can be expected to make decisions that fit its particular circumstances. In practice I would expect major CA root certificates to be in both programs unless something terrible happens, such as a CA probably needs to be de-trusted.

There is one important but non-obvious consequence of Chrome's shift here. Like Mozilla, the Chrome Root Program specifically requires CAs to report incidents to Google; failure to report can result in removal from the Chrome Root Program and thus your certificates stopping working in Chrome. In the past, CAs might have decided to play fast and loose with Mozilla's reporting requirements, on the grounds that Firefox is a small percentage of the browser market and they could let it slide. Chrome has more influence and power here and so represents a bigger stick.

(Apple and Microsoft probably have reporting requirements, but I suspect they are less hard-assed about it than Mozilla is. I suspect Chrome is going to be as hard-assed as Mozilla is.)

Another possible effect is on Android in the future. My understanding is that these days, Chrome is updated on Android devices independently of the Android OS version. Since Chrome will now pull in its own set of CA roots, it presumably won't have to care about whether or not Android's set of roots are out of date (generally because the device is using an old Android because it doesn't get updates any more). Since we're facing an impending doom of this, I can understand Chrome wanting to mitigate this as fast as possible.

(There's also the delicate issue of not trusting old versions of OS provided TLS libraries to do certificate verification properly in a world of cross signed certificates, multiple certificate chains, and so on. We saw a bunch of problems with that in the AddTrust External CA Root expiry. The more you roll your own TLS certificate verification code, as Chrome is doing, I suspect that the more you want to control CA root certificates and the data you keep about them.)

Written on 14 December 2020.
« My views on the suitability of CentOS Stream
In Prometheus, it's hard to work with when metric points happened »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Dec 14 01:38:01 2020
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.