A thing I wish more people in IT would understand:

The fact that browsers come with their own lists of trusted root CAs and the poor UX around managing CA trust is a big problem because it centralizes that trust.

It means that in practice who you trust on the web is decided by your browser vendor – it means that, for the majority of humanity, that vendor gets to decide who is trustworthy and who isn't.

The question is: Do we want to trust an entity whose modus operandi is surveillance capitalism and which is liable to state pressure to do this right?


@phryk @mherrb The statement that Google decides which CAs are trusted (because Chrome is the most widely used browser) is based on which technical facts? You don't mention any reasoning or facts to back that up. It's only a claim so far, which is why I'm asking for the reason(s).

@MacLemon @phryk Here's my understanding of the issue, that made me boost the initial toot:

There is no transparency on how the decisions to include a CA in the browser's trust list (or not) are made.

And Google has just the most weight inside the CAB forum.
So lacking information, the best we can do is assume that this is controlled by Google.

Google is in control of Chrome and thus in control of the bundled list of trusted root CAs, I don't see how this is in any way confusing.

Also, Google trying to get hegemony over the web isn't exactly new anyhow – they got the majority market share, they got the W3C and they sponsor over 50% of Mozilla, which is basically the only "competition".


@phryk @mherrb
Your claim is confusing because Chrome uses the OS to verify trust. (Verified with Windows, macOS, iOS, BSD)

Even applies to Android, though the OS there comes from Google but still.

Chrome does not come with its own separate trust store unlike Mozilla does with Firefox and Thunderbird.

I only see CRLsets which are something entirely different.

@MacLemon @phryk Ok so after some more research it seems that the list of trusted CAs for Chrome on Linux and BSD does come from the nss (or nss3) package, which is controlled by Mozilla, not Google. You're right.
Interesting. But I don't trust the Mozilla foundation much more than Google.
Why not use the real OS list from /etc/ssl (or /etc/pki)?
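The practical question raised in the thread is which root store a given program actually consults, and whether two stores on the same machine (say the OS bundle under /etc/ssl and a bundle exported from an NSS database) agree. The following is an added example, not code posted by anyone in this thread: it parses PEM bundles without any third-party library, keys each root by its SHA-256 fingerprint, and reports which roots are present in one store but not the other. The two bundles embedded below are constructed placeholders (their base64 payloads are not real certificates), and the OS path is assumed to be the Debian-style ca-certificates.crt.

```python
import base64
import hashlib
import os
import re

# Constructed sample bundles: the base64 bodies are arbitrary bytes, not real
# DER certificates, so the fingerprints below are illustrative only.
OS_BUNDLE = """-----BEGIN CERTIFICATE-----
cm9vdC1B
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdC1C
-----END CERTIFICATE-----
"""
NSS_BUNDLE = """-----BEGIN CERTIFICATE-----
cm9vdC1B
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdC1D
-----END CERTIFICATE-----
"""

# Only plain CERTIFICATE blocks; OpenSSL "TRUSTED CERTIFICATE" blocks carry
# extra trust attributes and are deliberately not matched here.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_fingerprints(bundle: str) -> dict:
    """Map SHA-256 fingerprint (hex) -> DER bytes for every cert in a PEM bundle."""
    out = {}
    for match in PEM_RE.finditer(bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        out[hashlib.sha256(der).hexdigest()] = der
    return out

def diff_stores(bundle_a: str, bundle_b: str) -> tuple:
    """Return (only_in_a, only_in_b) as fingerprint -> DER dicts."""
    fa, fb = pem_to_fingerprints(bundle_a), pem_to_fingerprints(bundle_b)
    return ({f: d for f, d in fa.items() if f not in fb},
            {f: d for f, d in fb.items() if f not in fa})

def load_bundle(path: str) -> str:
    """Read a PEM bundle from disk; assumed path, e.g. /etc/ssl/certs/ca-certificates.crt."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

if __name__ == "__main__":
    os_path = "/etc/ssl/certs/ca-certificates.crt"  # assumed Debian-style location
    os_bundle = load_bundle(os_path) if os.path.exists(os_path) else OS_BUNDLE
    only_os, only_nss = diff_stores(os_bundle, NSS_BUNDLE)
    print(f"only in OS store: {len(only_os)}, only in NSS bundle: {len(only_nss)}")
    for fp in sorted(only_os):
        print("OS-only root", fp)
```

On a real system, replace NSS_BUNDLE with a bundle exported from the NSS database (for example via certutil) to see exactly which roots the two stores disagree on.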
