Micro Focus is now part of OpenText. Learn more >

You are here

Home/Security/Application Security

You are here

Home/Security/Application Security
Nov 5, 2020
Security Blogwatch

Who you gonna trust? Not your default CA root store, says Chrome

public://webform/writeforus/profile-pictures/richi-2016-480.jpg
Richi Jennings Your humble blogwatcher, dba RJA
TRUST
 

Chrome will stop using the underlying OS’s store of trusted root certificate authorities. Google’s going to DIY it.

La GOOG thinks it can do a better job of weeding out untrustworthy CAs. But the plan obviously risks duplication of effort and frustration among IT and DevOps communities.

Standard is better than “better,” as the old saying goes. In this week’s Security Blogwatch, we read widespread distrust of Google’s Chrome Root Program.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Canadian elections.

In GOOG we trust

What’s the craic? Catalin Cimpanu reports—Chrome will soon have its own dedicated certificate root store:

In a major architectural shift for the company's web browser … Google announced plans to create its own root store, named the Chrome Root Program, that will ship with all versions of Chrome, on all platforms, except iOS. … Since its launch in late 2009, Chrome was configured to use the root store of the underlying platform. For example, Chrome on Windows checked a site's TLS certificate against … the root store that ships with Windows.

There is no timeline of when Chrome will transition from using the OS root store to its own internal list. For now, Google maker has published rules for Certificate Authorities (CAs). … The browser maker is urging CAs to read the rules and apply to be included … to ensure a seamless transition.

This approach of packing the root store inside a browser rather than use the one provided by the underlying OS … is what Mozilla has been doing for Firefox since its launch. Reasons to do so are many, starting with the ability for Chrome's security team to intervene and ban misbehaving CAs faster.

However … this move is expected to cause friction … in enterprise environments. … Companies like to keep an eye on what certificates are allowed in the root store of their devices.

And Martin Brinkmann adds—Chrome will use its own Root Store:

Chrome uses the operating system's Root Store currently to access Certification Authorities. … The browser uses these to establish secure connections to websites, and to determine the authenticity of a site.

Google has selected a number of Certification Authorities for inclusion in the Transitional Root Store. Some of these were picked based on their reliability and performance in the past … and to minimize compatibility issues.

One of the main reasons for [the change] is to ensure that the same root certificates are available on all platforms the browser is compatible with. [But] the transition to its own Root Store will add more to the workload of administrators.

O RLY? Google’s Chromium gnomes clarify thuswise:

If you’re an enterprise managing trusted CAs for your organization, including locally installed enterprise CAs … no changes are currently planned. … CAs that have been installed by the device owner or administrator into the operating system trust store are expected to continue to work as they do today.

As part of establishing a secure connection, Chrome cryptographically verifies that the website's certificate was issued by a recognized CA. Certificates that are not issued by a CA recognized by Chrome, or by a user's local settings, can cause users to see warnings and error pages.

When Chrome presents the connection to a website as secure, Chrome is making a statement to its users about the security properties of that connection. Because of the CA’s critical role in upholding those properties, Chrome must ensure the CAs … are operated in a consistent and trustworthy manner. This is achieved by referring to a list of root certificates from CAs that have demonstrated why continued trust in them is justified.

Sounds like a great idea. But Alan_Shutko spots the oint in the flyment:

The problem with this is that it increases the number of apps that have their own trust store sitting on the computer. Every installation of Java has one. OpenSSL has one. Firefox has one. Node has one. Other scripting languages have their own. … Each Jetbrains IDE comes with a JVM and thus has its own!

So if you're a … CA, you have the unenviable task of getting your root cert trusted by dozens of different trust stores instead of just having the OS trust it. … And now, Google is just adding to the problem.

TL;DR? A slightly sarcastic Fritzed’s got your back:

With this update, Chrome will no longer use the same operating system root store as every other program on your computer. They will instead include their own entirely redundant root store as a part of the browser itself.

The reasoning for this, like many other Chrome "features", is that Google is no longer capable of distinguishing between a web browser and an operating system.

But surely Google will do a better job? Surely not, thinks apn_k:

Do you think we are going put trust into the same people who can't even police their own extension store which is chock full of malware?

Do we trust Google’s motivation? Anonymous ain’t no coward: [You’re fired—Ed.]

Whoever controls the certificate stores also controls who can add certificates, and who can intercept the encrypted communications, locally or remotely. There’s more at stake … than just “to ensure that the same root certificates are available on all platforms the browser is compatible with.”

Is the current worldwide interception by Cloudflare and similar okay or not okay? Or more directly by … state actors? By a third-party who can add certificates on the machine one uses (employer, school, parents of minors)? By a third-party who can coerce through various means?

Lots of important questions left without much discussion in the hands of the entity that controls the stores.

And granadesnhorseshoes sounds similarly mistrustful:

How long before they get caught bypassing cert-pinning etc for their own CAs? … How long before they start revoking trust from competitors? … Any bets?

TLS is becoming less secure and more security theater by the day as the chain of trust that was already exceedingly dubious gets even more convoluted with more fingers in the pie. … In no case is an end user in any way better off.

The apprentice has become the master. Or so says Quietust:

Firefox has always used its own trusted root store rather than using the one provided by the operating system (unless you turned on a specific hidden setting). Does this mean that Chrome is now copying Firefox for a change?

Meanwhile, speaking of masters, TleilaxuMaster snarks it up:

I wonder if they’ll drop support for it after two years like their other services.

The moral of the story?

Prepare for more Googley hoops to jump through.

And finally

Canada: Where elections are less stressful

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Terry Johnston (cc:by)

Keep learning

Read more articles about: SecurityApplication Security
Twitter Twitter Facebook Watsapp Email share