In the midst of what seems like a never-ending battle over who is the best, or rather the worst, CA, Google has announced that it will launch its own root Certificate Authority. In an effort to expand its SSL capabilities and build the “foundation of a more secure web”, Google has created Google Trust Services, which will oversee the issuance of certificates on behalf of, and for, Google and Alphabet.
On the Google Security Blog, Ryan Hurst, a Google product manager, wrote:
“As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority.”
In the past few years Google has had a very strong presence in the SSL industry, taking many steps to push for a fully HTTPS internet: it changed the Google ranking algorithm to prefer HTTPS websites, introduced warning pages for pages that are not secure, and started the industry-wide Certificate Transparency initiative. All of these actions, first seen as a genuine push towards a more secure internet, now look very questionable. It is not yet clear whether Google will start its own line of SSL certificates, sign intermediate CAs for other companies to sell certificates under, or simply make issuing its own certificates easier. However, after the Symantec and Google ordeal late last week, all signs point to a Google takeover.
Google currently operates a subordinate CA which issues certificates for its own sites such as Google and YouTube. That subordinate is chained under a GeoTrust root, however, which adds restrictions and issuance delays, among other things. With Google Trust Services the company takes ownership of the highest level of the hierarchy used to authenticate a website’s identity: a root CA, whose key signs the subordinate CA certificates beneath it. This gives Google the same standing as GeoTrust, Symantec, Comodo and GlobalSign, to name a few. To speed up the process Google is purchasing two existing root CAs, GlobalSign R2 and R4, which are already in browser and OS trust stores and so allow independent certificate issuance much sooner than if it had created a new root and waited years for it to be distributed.
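As an added illustration of that hierarchy (this is not code from the original post, from Google or from any CA), the toy chain below uses Python’s third-party `cryptography` package: a single subordinate CA key is certified by two different roots, so the same leaf certificate validates under either root while the leaf itself never changes. Every name and key is constructed for the demo; the “legacy” root stands in for the role GeoTrust plays for Google’s current subordinate, and the “owned” root for a root Google controls itself.

```python
"""Toy certificate hierarchy: two roots, one subordinate CA key certified by
both (a cross-sign), one leaf.  Added example using the third-party
`cryptography` package (assumed installed); every name and key here is
constructed for the demo and none of the certificates belong to Google,
GeoTrust or GlobalSign."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Sign a certificate for subject_key with issuer_key; issuer_cn names the signer."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer_cert):
    """True if issuer_cert's key produced cert's signature over its TBS bytes."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def _is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def chain_validates(leaf, intermediate, root):
    """Minimal path check: root self-signed, both CAs flagged as CA, each link signed.
    (A real validator also checks validity dates, names, EKU, revocation, etc.)"""
    return (
        signed_by(root, root)
        and _is_ca(root)
        and _is_ca(intermediate)
        and signed_by(intermediate, root)
        and signed_by(leaf, intermediate)
    )


def build_demo():
    """Build the toy hierarchy and report which chains validate."""
    legacy_root_key = ec.generate_private_key(ec.SECP256R1())
    owned_root_key = ec.generate_private_key(ec.SECP256R1())
    sub_key = ec.generate_private_key(ec.SECP256R1())  # the one subordinate CA key
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    legacy_root = issue("Toy Legacy Root", legacy_root_key, "Toy Legacy Root", legacy_root_key, True)
    owned_root = issue("Toy Owned Root", owned_root_key, "Toy Owned Root", owned_root_key, True)
    # Cross-sign: the same subordinate key receives one certificate from each root.
    sub_via_legacy = issue("Toy Subordinate CA", sub_key, "Toy Legacy Root", legacy_root_key, True)
    sub_via_owned = issue("Toy Subordinate CA", sub_key, "Toy Owned Root", owned_root_key, True)
    # The leaf is issued once by the subordinate key and is identical under both roots.
    leaf = issue("www.example.test", leaf_key, "Toy Subordinate CA", sub_key, False)

    return {
        "under_legacy_root": chain_validates(leaf, sub_via_legacy, legacy_root),
        "under_owned_root": chain_validates(leaf, sub_via_owned, owned_root),
        # Pairing a subordinate cert with the wrong root fails: issuer name/key mismatch.
        "mismatched": chain_validates(leaf, sub_via_legacy, owned_root),
        # Both subordinate certificates carry the very same public key.
        "same_subordinate_key": (
            sub_via_legacy.public_key().public_numbers()
            == sub_via_owned.public_key().public_numbers()
        ),
    }


if __name__ == "__main__":
    for case, ok in build_demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The point to take from it: swapping GeoTrust’s root for one Google owns changes only the certificate issued to the subordinate key, not the subordinate key itself nor any leaf it has already signed. Which intermediate a server sends decides which root the client ends up at, and the client only accepts the chain if that root is in its trust store.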
Now, for a company that holds half of the web browser market share, and therefore has a significant say in which SSL certificates are trusted, to then start its own line of SSL certificates is, in my opinion, a definite conflict of interest, both within the industry and against the competition.
To put things in perspective, imagine the only local grocer around sold both branded goods and its own label. Imagine the grocer made absolutely NO profit on the branded products it stocks but FULL profit on its home-made products. What is it most likely to do eventually? Use its power as the grocer to undercut, quietly sabotage and push out the branded products that aren’t making it any money, in order to monopolise the grocery store. Now imagine Google as the grocer and Google Chrome as the store.
Although there is no definite evidence pointing to this, the fact that Google called out Symantec last week for the mis-issuance of what was apparently “30,000 certificates” but is now “possibly 126 certificates” undoubtedly rings alarm bells. This was done without a full investigation and without first notifying Symantec of the issue, and by all means it was a shot at Symantec.
It’s a bit like those branded cookies the local grocer keeps telling me not to buy.