Most of your internet connections are encrypted these days. To make this work, browsers and any other software connecting to the internet need a reliable list of trusted certificates that make it possible to exchange a key and establish a secure connection. That’s where so-called root certificate stores or programs come in. These stores offer a list of trusted certification authorities. Only if a website’s certificate is issued by one of those will it be trusted. And now, Google has announced that it will start shipping its own root store with Chrome 105 — much like Mozilla has always done for Firefox.
Historically, Chrome has relied on the underlying operating system’s root store on desktop, be it macOS, Windows, or Linux. While this strategy is fine from a security perspective, it can lead to inconsistent Chrome behavior across different operating systems. You might never notice much of a problem with that, but it can be an issue for web developers at times. Mozilla tackled this potential problem early by shipping Firefox with its own root store, all while accounting for OS-level security guidelines and virus scanners.
Just like Mozilla’s approach, Google’s new root store allows the company to become independent of the operating system, and it also has the benefit that Google gets a say in the business of certificate issuance. With the launch of its program, Google wants to “work alongside CA owners to define and operationalize the next generation of the Web PKI.” PKI is short for public key infrastructure, and Web PKI is the all-encompassing term for what we’ve been talking about here: the set of rules and policies that connected devices follow in order to establish trust between each other.
With its push into the public key infrastructure, Google wants to help make the certification process easier, more automatic, less error-prone, and more streamlined. The promises are certainly noble, but they are also a sign that Google is further tightening its grip on the open web. After all, most popular browsers other than Firefox and Safari are already based on Google’s Chromium engine, giving it a market share of well over a third. This means that new technologies usually have to receive Google’s blessing to make it. Thus, this could also have implications for the web certification infrastructure.
Mozilla explains in a blog post that Firefox and Thunderbird have been using the company’s own root store since their inception. Mozilla deems its approach an important pillar for the open-source web community, as the open-source nature of its root store makes it a part of many other open projects, like Linux distributions. Just like Google, Mozilla also hopes to provide a consistent Firefox experience across different operating systems with its root store, all while further promoting and advancing the free and open web. After all, setting up and running a root store is expensive, and Mozilla thinks the project is well worth it given the advantages it brings to other open-source projects.
As ZDNet covered after Google’s initial 2020 announcement that it was working on a root store, the idea isn’t universally loved. System and IT administrators were up in arms, saying that a new root store list to manage would just add more overhead. In this year’s blog post, Google said that its root store will respect the operating system’s custom certificates, so this shouldn’t be much of an issue.
Google is gradually rolling out its root store to Chrome 105 on Mac and Windows. If you’re a developer interested in getting a head start with it, you can follow Google’s instructions on how to enable it before it automatically rolls out to you. If you’re just someone who uses their browser for work or leisure, you probably won’t notice much of a difference, though. Google promises a smooth transition between its own root store and the one provided by your operating system.