A thing I wish more people in IT would understand:
The fact that browsers come with their own lists of trusted root CAs and the poor UX around managing CA trust is a big problem because it centralizes that trust.
It means that in practice who you trust on the web is decided by your browser vendor – it means that for the majority of humanity #Google gets to decide who is trustworthy and who isn't.
The question is: Do we want to trust an entity whose modus operandi is surveillance capitalism and which is liable to state pressure to do this right?
There is no transparency on how the decisions to include or not a CA in the browser's trust list are made.
And Google has just the most weight inside the CAB forum.
So lacking information, the best we can do is assume that this is controlled by Google.
Google is in control of Chrome and thus in control of the bundled list of trusted root CAs, I don't see how this is in any way confusing.
Also, Google trying to get hegemony over the web isn't exactly new anyhow – they got the majority market share, they got the W3C and they sponsor over 50% of Mozilla, which is basically the only "competition".
Even applies to Android, though the OS there comes from Google but still.
Chrome does not come with its own separate trust store unlike Mozilla does with Firefox and Thunderbird.
I only see CRLsets which are something entirely different.
@MacLemon @phryk Ok so after some more research it seems that the list of trusted CAs for Chrome on Linux and BSD does come from libnssckbi.so from the nss (or nss3) package, which is controlled by Mozilla, not Google. You're right.
Interesting. But I don't trust the Mozilla foundation much more than Google.
Why not use the real OS list from /etc/ssl (or /etc/pki) ?
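The thread turns on two questions a defender can actually check on their own machine: which roots are in the store a given program uses, and how two stores differ. The script below is an added example, not code from anyone in this thread. It assumes only the openssl CLI is installed; the two "bundles" it compares are constructed self-signed throwaway certificates generated on the fly, standing in for an OS bundle such as /etc/ssl/certs/ca-certificates.crt and a bundle exported from a browser's NSS store. It lists every root with its SHA-256 fingerprint and subject, and reports roots present in one bundle but not the other.

```shell
#!/bin/sh
# Added example: audit and compare PEM CA bundles by SHA-256 fingerprint.
# Requires the openssl CLI. The bundles used below are constructed
# self-signed "roots" generated here, not real trust stores.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed certificate with CN=$1 into file $2.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$2" 2>/dev/null
}

# Split a PEM bundle into one file per certificate; print the directory.
split_bundle() {
    dir="$(mktemp -d "$WORK/split.XXXXXX")"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
        n > 0 { print > out }
    ' "$1"
    echo "$dir"
}

# Print "sha256_fingerprint  subject" for every certificate in a bundle, sorted.
list_roots() {
    dir="$(split_bundle "$1")"
    for f in "$dir"/*.pem; do
        fp="$(openssl x509 -noout -fingerprint -sha256 -in "$f" | cut -d= -f2 | tr -d ':')"
        subj="$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')"
        printf '%s  %s\n' "$fp" "$subj"
    done | sort
}

# Number of certificates in a bundle.
bundle_count() { list_roots "$1" | wc -l | tr -d ' '; }

# Fingerprints of roots present in bundle $1 but absent from bundle $2.
roots_only_in() {
    a="$(mktemp "$WORK/a.XXXXXX")"; b="$(mktemp "$WORK/b.XXXXXX")"
    list_roots "$1" | cut -d' ' -f1 > "$a"
    list_roots "$2" | cut -d' ' -f1 > "$b"
    comm -23 "$a" "$b"
}

# Constructed sample: the "OS" bundle trusts roots A and B,
# the "browser" bundle trusts roots B and C.
make_root "root-a" "$WORK/a.pem"
make_root "root-b" "$WORK/b.pem"
make_root "root-c" "$WORK/c.pem"
OS_BUNDLE="$WORK/os-bundle.pem"
BROWSER_BUNDLE="$WORK/browser-bundle.pem"
cat "$WORK/a.pem" "$WORK/b.pem" > "$OS_BUNDLE"
cat "$WORK/b.pem" "$WORK/c.pem" > "$BROWSER_BUNDLE"

echo "== OS bundle =="
list_roots "$OS_BUNDLE"
echo "== roots trusted by the browser bundle but not by the OS bundle =="
roots_only_in "$BROWSER_BUNDLE" "$OS_BUNDLE"
```

On a real system, point OS_BUNDLE at the distribution's bundle (/etc/ssl/certs/ca-certificates.crt on Debian-derived systems, /etc/pki/tls/certs/ca-bundle.crt on RHEL-derived ones) and build the browser-side bundle by exporting the certificates from the NSS database with the nss `certutil` tool; comparing by fingerprint rather than by subject name is what catches two different certificates that share a display name.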