The biggest self-signed certificate in the world, then?
Google has launched its own root certificate authority. The move, announced Thursday, will stop Google relying on an intermediate certificate authority (GIAG2) issued by a third party in its ongoing process of rolling out HTTPS across its products and services. "As we look forward to the evolution of both the web and our own …
Yes, to better intercept you with. You're now not going to notice an MITM attack if Google is helping.
Dang, yet another thing to monitor: my root cert stores. I don't want any website with a Google certificate representing themselves as safe.
Much bigger than the biggest of self-signed certs. A root cert means that you trust all of the unlimited number of certs it has signed and will ever sign. However, as you almost certainly already have 50+ root certs in your browser's root cache that you have given this level of trust (normally by trusting your browser supplier), one more is not so significant, particularly so as you sort of know who Google is, unlike some of the other certificate authorities we have blindly chosen to trust.
Blindly CHOSEN to trust?
No one chose to trust all those, Microsoft, Mozilla and Google did, and embedded the list in our browser's default install.
Re: Blindly CHOSEN to trust?
Well, you can remove root certs from your root cache if you don't trust them, but you do trust them because Microsoft, Mozilla and Google did. Trusting something because someone else does is transitive trust. Some would call it blind trust, which is particularly apt as very few people even know that the root cert cache in their browser exists, let alone look at it.
Uhm, all root certs are self-signed.
And it's not the actual root cert that will be used for their sites. It'll be kept very much offline (HSM in a vault/safe, probably), or else they would be very much in violation of any established rules for CAs.
At most this will result in a shorter certificate chain. Usually CAs just sign a couple of intermediary certs with their root and then use them to issue certs, so a compromised cert will have less impact. Google could conceivably, if their organization allows it, actually sign the certs for their sites directly with the root.
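As an added illustration of the points made in the last few comments (not code from the article, the thread or any CA's own tooling), the script below builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI and checks the claims directly: the root is self-signed (issuer equals subject), a leaf cannot be verified against the root alone unless the intermediate is supplied, removing the root from the trust store breaks the whole chain, and a leaf signed straight off the root verifies with a chain one certificate shorter. Every name used (example-root, other-root, example-int, www.example.test) is made up for the example, and it assumes an openssl CLI of 1.1.0 or later for `-show_chain`.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway three-tier PKI built with the
# openssl CLI. All names are invented; nothing here touches a real trust store.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certs may sign certs and CRLs, leaf certs may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# mkkey NAME: fresh P-256 key in NAME.key
mkkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"; }

# selfsign NAME CN: NAME.crt signed with its own key (issuer == subject), i.e. a root
selfsign() {
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile ca.ext -out "$1.crt" 2>/dev/null
}

# issue NAME CN ISSUER EXTFILE: NAME.crt signed by ISSUER.key with the given extensions
issue() {
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 30 -extfile "$4" -out "$1.crt" 2>/dev/null
}

# verify_ok TRUST LEAF [UNTRUSTED...]: prints ok or fail. TRUST is the only trusted
# root; UNTRUSTED certs are offered the way a server sends its intermediates.
verify_ok() {
    trust=$1; leaf=$2; shift 2
    untrusted=""
    for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
    # shellcheck disable=SC2086
    if openssl verify -CAfile "$trust" $untrusted "$leaf" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# chain_len TRUST LEAF [UNTRUSTED...]: number of certificates in the chain openssl built
chain_len() {
    trust=$1; leaf=$2; shift 2
    untrusted=""
    for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
    # shellcheck disable=SC2086
    openssl verify -show_chain -CAfile "$trust" $untrusted "$leaf" 2>/dev/null | grep -c '^depth='
}

# is_self_signed FILE: yes if the issuer name equals the subject name
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

mkkey root;   selfsign root example-root
mkkey other;  selfsign other other-root                 # unrelated root: stands in for "root removed from the cache"
mkkey int;    issue int example-int root ca.ext         # intermediate, signed by the (normally offline) root
mkkey leaf;   issue leaf www.example.test int leaf.ext  # the usual three-tier chain
mkkey direct; issue direct www.example.test root leaf.ext  # leaf signed straight off the root

echo "root self-signed:              $(is_self_signed root.crt)"                 # yes
echo "leaf, root only:               $(verify_ok root.crt leaf.crt)"            # fail: intermediate missing
echo "leaf, root + intermediate:     $(verify_ok root.crt leaf.crt int.crt)"    # ok
echo "leaf, root not trusted:        $(verify_ok other.crt leaf.crt int.crt)"   # fail: no path to a trusted root
echo "direct leaf, root only:        $(verify_ok root.crt direct.crt)"          # ok: no intermediate needed
echo "chain length, via int / direct: $(chain_len root.crt leaf.crt int.crt) / $(chain_len root.crt direct.crt)"  # 3 / 2
```

The "root not trusted" line is what removing a root from the browser cache, as suggested above, actually does: the intermediate and leaf are untouched, but with no trusted anchor at the end of the path they verify as nothing. The shorter chain in the last line is the one cost/benefit of signing leaves with the root directly; the reason CAs do not is that the root key then has to be online for every issuance.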
Is there a way to get an SSL CA without going through a third party that wants to charge you for the cert, so your security is not freaking out?
Re: google authentication
No, unless you have some magic ability to get your root cert into the major browsers without spending a lot of money. Which you probably don't.
However, there are CAs that issue certs for free, Let's Encrypt ( http://www.letsencrypt.org ) being the standard one.
Which other equivalent-level entities run their own CAs? Microsoft? Oracle? IBM? Amazon?
Only Microsoft, from that list (they run 2, IIRC). Depends what you mean by 'equivalent-level'; if you mean private companies, a couple of dozen. If you mean big tech companies, just MS really.
I assume Lenovo (Superfish) don't count then? ;-)
Amazon have been in the CA game for a short time now - since mid 2015-ish: https://www.amazontrust.com/repository/ & https://bugzilla.mozilla.org/show_bug.cgi?id=1172401
All ur certs r belong to us
One CA to rule them all, and in the matrix bind them.
I'm off to install HTTP Everywhere. At least I won't have a false sense of security.
maybe THAT is why the NEW browser cert warnings?
as I understand it, chrome (and now firefox) have extra big/loud security warnings regarding certs, now. Not sure what they look like, but it's interesting timing, right?
Let's hope you can STILL load your own root cert for self-signed stuff in perpetuity, or is there going to be another TOLL BOOTH in the future for the small-time developer and experimenter?
This should make
Man-in-the-middle data slurping much easier if they open this to the public.
Just another data gathering vector
Poor Certificate Practices
Google = Up to 4 DAYS to update OCSP, Up to 1 WEEK to update the CRL.
This is not reasonable when Symantec does less than 5 minutes for OCSP and daily for CRL.
Some things spring to mind... I foresee the G will, in an effort to "increase internet security", plop a new kind of certificate on the general public, beyond EV, which will miraculously be supported by G CA and Chrome (and nothing else) from day 0. Hell, if they're audacious enough, they'll limit federated login (do they even still do OpenAuth etc.?) to sites having a cert _they_ trust for your page, so no Turktrust, but also no Let's Encrypt or Deutsche Telekom. Oh, and of course they want to push their transparency logs, which already, going from past reports, can take up to several days to process, because you know who runs enough servers to make sure they dominate those cryptoledgers and get their certs in on the fast lane.
The amount of long game the G plays is scary, better stockpile tin foil.
Re: Cui bono?
You realise that Google's Chrome is a platinum-level sponsor of Let's Encrypt?
HTTPS everywhere! Well, to the edge anyway. Behind the load balancers? Ahem.
Now we know why they refuse to bake DANE into Chrome.
Total control over minions.
Consuming other people's encrypted data makes it harder for the spooks to crack unless there is "depth", much like we saw with "Heil Hitler" being used repeatedly in WW2 messages, and it also makes it easier for said companies to hack their users, but is also an attractive attack vector for hackers. Question is, will Google have someone on standby ready to enter the password at a moment's notice when their root certificate server needs rebooting? SSL/TLS is not that secure unless you have to enter the password and keyloggers are not installed on the system.
If you can't be bothered with all that procedural stuff and the auditing nonsense, just buy an existing cert and you can skip it all and just start issuing your own certs straight away!
Now perfectly positioned
Google are now perfectly positioned to lead the legal fight against Trump's encryption backdoor ideas.
GlobalSign R2 and R4 bought by Google? Thanks for reporting this, I'm going to remove them from browser "trusted" list immediately.
Wonder if this means they'll support HTTPS on Google Sites on a Google Domain now.
Ok, I know this is an old thread, but did anyone else notice at the time that Google's becoming a root CA coincided with their removal of the certificate details link from the little lock icon in Chrome? Now, to my eye, this was because they have every intention of instituting a wide policy of MITM attacks. And what easier way than to show a green "all is good" lock icon, and then hide the fact that the "Trusted" authority signing that certificate is none other than Google themselves!
Yes, you can still view the certificate information, after a long series of clicks. This seems too related to be mere coincidence!
Of course, this is being obfuscated by my own employer's MITM attacks "for security reasons". Good lord, the internet is falling apart!