How Traditional CAs Are Losing Control of Certificates and Possible Reasons Why Chrome Will Have a New Root Store

Sergio de los Santos    16 November, 2020

It’s all about trust. This phrase is valid in any field. Money, for example, is nothing more than a transfer of trust, because we trust that for a piece of paper that is physically worthless, we can get goods and services. Confidence in browsing comes from root certificates. As long as we trust them, we know that our browsing is not being intercepted and we can visit websites and enter data on them with certain guarantees. But who should we trust when choosing these root certificates? Do we trust those provided by the browser or those offered by the operating system? Google has made a move and wants to have its own Root Store system.

At First It Was the CAB/Forum

The CA/Browser Forum (CAB/Forum) is the forum of relevant Internet entities (mainly CAs and browsers). It votes and decides on the future of the use of certificates and TLS in general. Or not. Because this year we have seen how a relevant manufacturer has acted independently of the result of a vote and has unilaterally applied its own criteria. In 2019 they voted on whether to reduce the life span of TLS/SSL certificates to one year. The result was no. But it made no difference. The browsers took the floor. In February 2020, Safari unilaterally stated that it would mark as invalid certificates issued from 1 September with a validity of more than 398 days. Firefox and Chrome followed suit. The vote among the parties involved (mainly CAs and browsers) was useless.
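
To see what this browser-side rule means for a certificate inventory, the following added example (not part of the original article) audits the output of `openssl x509 -noout -dates` against the 398-day limit and the 1 September 2020 cut-off. The host names and dates are constructed, and measuring the lifetime as notAfter minus notBefore is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

# Policy values taken from the article: certificates issued from
# 1 September 2020 with a lifetime above 398 days are marked invalid.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Sep 1 00:00:00 2020 GMT"

def parse_dates(text):
    """Extract (notBefore, notAfter) from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        # OpenSSL pads single-digit days with two spaces; collapse them.
        stamp = datetime.strptime(" ".join(value.split()), OPENSSL_FMT)
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def browser_verdict(not_before, not_after):
    """Return 'ok', 'grandfathered' or 'rejected' under the 398-day rule."""
    # Assumption: lifetime is measured as notAfter minus notBefore.
    if not_after - not_before <= MAX_LIFETIME:
        return "ok"
    if not_before < CUTOFF:
        return "grandfathered"  # issued before the cut-off, rule does not apply
    return "rejected"           # the CA may issue it, the browser will not accept it

def audit(inventory):
    """Map each host name to (verdict, lifetime in days)."""
    report = {}
    for host, dates_text in inventory.items():
        nb, na = parse_dates(dates_text)
        report[host] = (browser_verdict(nb, na), (na - nb).days)
    return report

# Constructed sample inventory (hypothetical hosts, made-up dates).
SAMPLE = {
    "legacy.example": "notBefore=Aug 15 00:00:00 2020 GMT\nnotAfter=Aug 15 00:00:00 2022 GMT",
    "shop.example": "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Sep  2 00:00:00 2022 GMT",
    "api.example": "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Nov  2 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    for host, (verdict, days) in audit(SAMPLE).items():
        print(f"{host:16} {days:4d} days  {verdict}")
```

The two-year certificate issued on 2 September is the case the article describes: valid from the CA's point of view, untrusted by the browser.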

Another example is how Chrome, in a way, led the deprecation of certificates using SHA-1 by becoming more and more visually aggressive about the validity of these certificates (red crosses, alerts…), sometimes without being aligned with the deadlines set by the CAB/Forum.

Nothing bad really, it should not be misunderstood. Browsers can provide a certain agility in transitions. The problem is that the interests of the certification authorities, with a clear business plan, do not always coincide with those of the browsers (represented by companies with sometimes opposite interests). In the end, it seems that whoever is closest to the user calls the shots. There is no point in a CA deciding to issue certificates with a duration of more than one year if the browser used by 60% of users is going to mark them as untrustworthy. Popularity, closeness to the user, is a value in itself that Chrome and others exploit (as Internet Explorer did in its time) in order to impose “standards”.

The Root Store… Everyone Had Their Own and Now Chrome Wants One

Windows has always had a Root Store with the root certificates it trusts. Internet Explorer and Edge feed on it… and Apple and Android do exactly the same. The most popular browser with its own independent Root Store was Firefox. And this, sometimes, caused problems. In 2016, Firefox was the first to stop trusting WoSign and StartCom because it did not trust their practices. The rest followed immediately. On the other hand, in 2018, Apple, Google and Firefox stopped trusting Symantec certificates. They used traditional blocking (by various means), not necessarily removing them from their Root Store.

In general, browsers were moving in this direction. If Edge wanted to stop relying on something, Microsoft would take care of it in Windows. If it was Safari, Apple would remove it from the Root Store on Mac and iPhone. If Chrome wanted to control who to trust, it could do so on Android, but… what about Chrome on Windows, on Mac, iPhone… and Chrome on Linux? That piece was missing from the puzzle and made it dependent on the criteria of a third party.

Now Chrome wants its own Root Store, so it doesn’t have to depend on anyone. In its statement, it defends the move mainly by talking about how this provides homogeneity across platforms. Not on all of them, because it specifically mentions that on iOS this step will be forbidden and therefore Chrome will continue using the root store imposed by Apple. For the rest, it explains its criteria for inclusion as a trusted root certificate (which, in principle, are the standard ones) and says that it will, of course, respond to incidents that undermine trust in a CA.

But why would you want a Root Store? In 2019 Mozilla once again reminded us why they had always done it and why it was necessary: mainly to “reflect their values” (which others may also translate as “interests”). But apart from the homogeneity that Mozilla also mentions, one sentence in its explanation that hits the nail on the head is: “In addition, OS vendors often serve customers in government and industry in addition to their end users, putting them in a position to sometimes make root store decisions that Mozilla would not consider to be in the best interest of individuals.” Mozilla does not trust them. It also mentions that the fact that certificates are inserted into the operating system’s Root Store to analyse traffic (by antivirus software, for example) does not affect them. It always puts individual freedoms first, as it did by imposing DoH and forcing a certain choice between security and privacy.

What about Google’s motivations? Will they be similar? On paper yes, they want homogeneity. But let’s not forget that, as Mozilla subtly reminded us, deciding on the Root Store independently of the operating system also makes it possible for whoever controls it to choose who, at any given time, can access the encrypted traffic. Apart from being a headache for the administrator.

So, in the end it seems to be, again, a question of trust… or maybe mistrust? Chrome, once mature and with a great influence on the market, wants us to trust them and their policy of access to the Root Store. In the light of the reasons given by Mozilla, could this not in turn be interpreted as a slight mistrust of the platform where Chrome runs? Is this not a further step in distancing itself from the CAs? An attempt, after all, to have more control?
