Cory DoctorowToday's threads (a thread)
Inside: When Facebook came for your battery, feudal security failed; and more!
Archived at: https://pluralistic.net/2023/02/05/battery-vampire/
1/
kurtseifried (he/him)@pluralistic So I need to write this up properly, but TL;DR: this is also coming to Google Chrome in the form of Root Server Certificates, you/your platform won't get to choose anymore, Google will to ensure a "consistent experience across platforms". It's also not clear if you'll be able to modify it easily moving forwards (I assume it will still be possible, but it might get setup as an Enterprise-only feature based on their current language): https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#can-you-help_i_m-experiencing-problems https://chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled
CautionWIP 🎃+🇨🇦+🏳️🌈= 
@kurtseifried @pluralistic I’ve been out of the cert sector for some time so forgive my uncertainty, but does this mean anybody using a non-paid version of Chrome or chrome-based browsers will be restricted (by default, I’m assuming they’ll still allow “let me see the site anyways”) to Google-approved certifiers for https connections? The which, I’m guessing, do not include things like self-signed or letsencrypt?
@cautionwip @pluralistic No, Google's current root store is basically the same as Mozilla/Microsoft/Apple (~140 root certs representing ~90 orgs). Google is in the CCADB.org so chances are the Google Chrome root store will stay generally in line with the platforms it runs on, but of course, there's no guarantee of that. I suspect this is one of those "it reduces support hassle for us because all instances of chrome* have the same cert store" (*except for iOS where Apple doesn't allow it)
@kurtseifried @pluralistic I’m definitely missing the end-user (or really developer implications of this change) then. Mind giving a précis of why this particular announcement is relevant aside from expanding the speed and reach of changes (like revocation) made by Google to their root store? Or was it the “preemoting support engagement” costs in those eventualities?
@cautionwip @pluralistic People who rely on other CA hierarchies will have to install them into the Chrome browser, as opposed to installing them on the platform which then all browsers (well-behaved ones anyways) use. You now have to manage certs through Chrome and not your existing platform tools. And you'll get new certs in updates, some places use allow lists and don't just insert new certs willy-nilly. Also, what is the process for Google to add CAs? It's not public/transparent AFAIK.
@kurtseifried @pluralistic Gotcha. I read it as them removing that option ( adding a local root) for non-enterprise versions