1. 26
  2. 6

    Woah! Did not see this coming. I knew about their intermediary certificates, but I figured they wouldn’t want to go through the hassle of being a root CA as well.

    This raises 2 questions to me:

    • Will they open this new root CA to the public? Or as an intermediate sub-CA? I don’t expect so, at this moment, though turning around and offering a second ACME implementation could put a check on Let’s Encrypt.
    • The CA/Browser Forum is based on representation of CA and browser vendors. Will Google be on both sides now - reps from Google Trust Services and the Chrome teams? Let’s Encrypt already disrupted the precarious political balance simply by existing; this kind of ability to have 2 votes vs everyone else’s 1 might cause issues too.
    1. 6

      Will they open this new root CA to the public?

      In Google’s application for inclusion in the Mozilla root store (https://bugzilla.mozilla.org/show_bug.cgi?id=1325532) they say:

      Google is a commercial CA that will provide certificates to customers from around the world. We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing. Customers of the Google PKI are the general public. We will not require that customers have a domain registration with Google, use domain suffixes where Google is the registrant, or have other services from Google.

      Complete guesswork, but I wonder if they’ll provide certificates as part of Google Cloud (like Amazon do).

      Will Google be on both sides now - reps from Google Trust Services and the Chrome teams? Let’s Encrypt already disrupted the precarious political balance simply by existing; this kind of ability to have 2 votes vs everyone else’s 1 might cause issues too.

      This actually already came up after the WoSign fiasco. The majority shareholder in WoSign is Qihoo 360, which is also a member of the CA/B forum as a browser. WoSign/StartCom/Qihoo 360 now only have a single vote (as a browser).

      I imagine that Google will also only have one vote, and they’ll presumably choose to continue voting as a browser.

    2. 7

      Is there any corner of the web they don’t want to seize?

      1. 14

        I don’t see this as them trying to “seize” a corner of the web, but rather Google taking its paranoia to the next level. If they can’t ever trust anyone in the system, why not create your own copy of the system that no one else can use? Being able to have perfect security from top to bottom, similar to their recently announced custom chips they put in every one of their servers.

        1. 2

          If they can’t ever trust anyone in the system, why not create your own copy of the system that no one else can use?

          Whom does Google need to trust? Isn’t this more about us trusting Google?

          1. 2

            Google needs to be able to give its customers a solid, secure internet experience. To the extent that there’s spam, fraud, hacking, and theft going on, promulgated by nefarious third parties, they’re motivated to stop or bypass it in order to maintain their position as a trusted middleman and guardian.

            1. 0

              spam, fraud, hacking, and theft going on, promulgated by nefarious third parties, they’re motivated to stop or bypass it in order to maintain their position as a trusted middleman and guardian

              They can fight nefarious third parties just fine without being able to man-in-the-middle everything.

              Besides, no one should trust Google anymore anyway, except to spy the ever-living shit out of you and pass the information to governments.

              Doesn’t “Don’t Be Evil” sound ridiculous to you now? People kept buying that for years and years..

            2. 1

              It is about us trusting Google, but many are speculating this could be motivated by the recent failures of trusted CAs where they issue certs without proper verification. That is a threat to the web as a whole and, since Google is a very significant portion of the web and thus a massive target for these rogue CAs/issuers, concerns Google.

          2. 7

            Look, at the end of the day I just want to use Google Chrome to look up (via Google DNS at 8.8.8.8) and visit google.com, whose identity is verified via Google’s Certificate authority, so I can read my Google-hosted email and check today’s headlines on Google News, which are written in Google’s AMP markup and served from a Google subdomain.

            Y'know, because I’m a fan of the Open Web.

            1. 5

              Apart from AMP, most of those really are better than 90% of the competition.

              In the case of dns, maybe you can worry that they log your queries, but there’s no guarantee any alternative doesn’t either, and at least they don’t fuck with nxdomain.

              I find the googopoly disheartening, but mostly it’s a failure of others. Google is good at setting what should be a minimum bar for competence by default services. Alas, they are also the gold standard.

              1. 2

                In the case of dns, maybe you can worry that they log your queries, but there’s no guarantee any alternative doesn’t either, and at least they don’t fuck with nxdomain.

                The big difference is that in the case of Other DNS Co, they’re only in a position to log my queries, and not also my browser habits, email contents, news read, terms searched, etc, etc, etc.

                Their products might be better but the surveillance power granted by their increasing centralization is staggering and terrifying.

                1. -1

                  Their products might be better but the surveillance power granted by their increasing centralization is staggering and terrifying

                  And why is Google’s search still the only game in town? What black magic did they pull off in the 00’s that others couldn’t manage in 2017?

                  Wouldn’t lots of people be happy to have a viable alternative? Wouldn’t lots of people be eager to produce one, to get even just a tiny fraction of the money Google makes through ads?

                  But somehow a viable competitor has never emerged, which sure is convenient for surveillance purposes..

                  1. 1

                    What black magic did they pull off in the 00’s that others couldn’t manage in 2017?

                    They didn’t stop working on search in the 00’s. Delivering a competing search engine would require you to compete (at minimum) on:

                    • Search quality (theirs is amazing)
                    • Indexing (GOOG has satellite imagery, cartographic maps, street view, video/image contents, text and user-generated content to work from)
                    • Operations (GOOG reliably responds in a few ms regardless of where you are)

                    All of this is going to cost (best case) hundreds of millions of USD.

                    Having done all that, you still have no mobile platform to drive traffic, are not the default browser search (maybe you could pay off firefox/safari) - nobody has any reason to switch.

                    1. 0

                      A competitor could start small with only search and ads around it, just like Google did. Street View is not part of a “Minimum Viable Search Engine”, as Google itself has proven.

                      Note also that DuckDuckGo got mildly popular mostly just because it promised more privacy, even though their Yahoo-powered search results suck compared to Google’s.

                      And why wasn’t Yahoo able to produce the kind of results Google did, say, 10 years ago? Why couldn’t Microsoft? Clearly, it’s not for a lack of resources. It’s not because sufficiently good results would be technically too difficult to produce either.

                      So what else is left, besides some kind of conspiracy?

            2. 2

              Seizing would mean they’re taking this from someone.