The federal judge let Google off the hook in the antitrust case that the company supposedly lost. He said no to any serious remedy. And he indirectly killed Mozilla (Firefox and Thunderbird).

A good day for Google, and a terrible day for what's left of the open web.

https://arstechnica.com/gadgets/2025/09/google-wont-have-to-sell-chrome-judge-rules/

Google won’t have to sell Chrome, judge rules

Google’s penalty for being a search monopoly does not include selling Chrome.

Ars Technica
@dangillmor I think this is probably a relief. Google owning Chrome is awful, but anyone else buying it is even worse. A successful antitrust action would have put *Chromium* under a foundation outside Google's control and forced them to keep shipping Chrome based on that, with no control of the upstream. Not handed it over to someone with a worse mandate to monetize.
@dalias @dangillmor Bingo. I still trust Google’s developer and security teams on Chrome (and by extension, Chromium) far more than any of the trial balloon offers floated by “serious” suitors. Better stewardship under *OpenAI*? No thanks.

@matt_garber where can I read more about these details? The Ars Technica article was (unsurprisingly) pretty surface level

@dalias @dangillmor

@matt_garber @dalias @dangillmor So I have to express that if you think Google is good at security you are wrong. So wrong, I would argue Google fundamentally *doesn't understand* security. We literally straight up ban Chrome at the office.

@ocdtrekkie @dalias @dangillmor I’ll clarify because you’re right that Google certainly contains multitudes.

I believe that, while it may not be true of everything they ship, Google also genuinely has world-class security researchers (e.g., Project Zero), engineers on infra, Go devs, and plenty more. I also think it’s reasonable to say that Google has invested a lot in browser sandboxing and other tech over the years, relative to the other engines. Also FWIW, security != privacy wrt Google.

@matt_garber @dalias @dangillmor Well privacy = security, so we're already up a creek... The problem is not that Googlers aren't smart, but that they don't understand the core principles of effective security, which is almost exclusively about humans, not cryptography.

Project Zero is a black hat group sent after companies or projects Google finds inconvenient.

@ocdtrekkie @matt_garber @dangillmor In some senses you're both right. At least among the ones I've met, the Googlers working on browser security are smart and believe they're doing something good for the public, but it's one of those cases where it's hard to see what's wrong with the model you're working in when your paycheck depends on not seeing it. Google's idea of security is very much not aligned with the interests of the public, and the browser team constantly do things required of them by other parts of the company, with poor justifications they're able to convince themselves to believe, that are extremely harmful to security.

I don't really deem them a factor tho in this question. Google's control of the browser is harmful, but anyone else who purchased it would want to get orders of magnitude more harm for the price tag they'd be paying.

@ocdtrekkie @matt_garber @dalias @dangillmor Can you explain why you think Chrome doesn't understand security? Specific examples of failure, or a general sense, or...?

@twifkak @matt_garber @dalias @dangillmor So specifically with Chrome, Google constantly pushes new APIs which enable malware and fingerprinting, over half of which other browsers consider actively harmful. Most of good security is disabling about half of the "features" Chrome has shoved into web browsers. Notifications API, WebUSB, etc. Meanwhile they pioneered removing the EV indicator because Google has committed itself to misunderstanding SSL security.

@ocdtrekkie @twifkak @matt_garber @dangillmor Removing EV indicator was good. EV was nothing but a vector for deceiving users. One of these two things must inherently be true:

Either you have to be sufficiently big to play (pro-monopolist), or

Anyone can set up a scam company with a name sufficiently close to some company users trust and get an EV issued to that name to deceive users that they're trustworthy.

@dalias @twifkak @matt_garber @dangillmor This is false. And even Google has admitted it in a backwards way but they're too committed to their doctrine to publicly admit EV is necessary. BIMI requires the "Verified Mark Certificate" in Gmail which is just "EV but we can't admit we were wrong".

@ocdtrekkie @twifkak @matt_garber @dangillmor BIMI is likewise bad. For the exact same reasons.

The only reason they insisted on doing something so ridiculous was that they previously made the decision to *hide the actual sender address* and only show a freeform text field the sender sets to anything they want.

Email clients should never show the sender name, only the raw email address, unless the name is in your address book matching the address.
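The display-name rule stated above, worked through as an added example that is not part of the thread: a small Python function decides what a mail client renders for a From: header, showing the stored name only when it matches the address book entry for that exact address. The address book and headers are constructed sample data.

```python
import email.utils
import re

# Constructed address book: lower-cased address -> name the user stored for it.
ADDRESS_BOOK = {
    "alice@example.com": "Alice Example",
    "billing@shop.example": "Shop Billing",
}

# A display name that itself looks like an address is a classic spoofing pattern.
_LOOKS_LIKE_ADDRESS = re.compile(r"[^\s@]+@[^\s@]+")


def render_sender(from_header: str, address_book=ADDRESS_BOOK) -> dict:
    """Return what to display for a From: header and why.

    Rule: show only the raw address, unless the header's display name equals
    the name stored in the address book for that address.
    """
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        # Nothing that can be shown as an address; surface that rather than guess.
        return {"display": "<invalid sender>", "reason": "unparseable"}

    known_name = address_book.get(addr)
    if known_name is not None and name.strip().casefold() == known_name.casefold():
        return {"display": f"{known_name} <{addr}>", "reason": "address-book match"}

    if name and _LOOKS_LIKE_ADDRESS.search(name):
        reason = "display name impersonates an address"
    elif name:
        reason = "display name not in address book"
    else:
        reason = "no display name"
    # Freeform sender text is untrusted: fall back to the address alone.
    return {"display": addr, "reason": reason}


if __name__ == "__main__":
    # Constructed headers: one legitimate, three that a name-first UI would mislead on.
    for header in (
        '"Alice Example" <alice@example.com>',
        '"Alice Example" <alice@evil.example>',
        '"alice@example.com" <attacker@evil.example>',
        "Shop Billing <BILLING@shop.example>",
    ):
        result = render_sender(header)
        print(f"{header!r:48} -> {result['display']!r}  ({result['reason']})")
```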

@dalias @twifkak @matt_garber @dangillmor Why is BIMI bad? It's not. VMC and EV are the only things that actually approach a useful purpose for the entire WebPKI nonsense. Because while there may be holes worth shoring up they put a huge practical dent in the problem of enabling users to trust a message.

And it's important that you recognize that an example edge case is not important: They are practically extremely effective: Malicious use is basically zero.

@dalias @twifkak @matt_garber @dangillmor EV is an incredible example of the problem with the way Google thinks about security because it was real world effective but someone could at significant expense create a single test example where it was fooled and therefore is bad, but Google constantly pushes concepts that are cryptographically secure but provide no human security and are easy for bad actors to exploit with social engineering.

@ocdtrekkie @twifkak @matt_garber @dangillmor EV is an example of security-through-trusting-authority. Which is the exact same badness Google is always pushing.

@ocdtrekkie @twifkak @matt_garber @dangillmor Nobody needs to know "site I'm interacting with is a big respected company that gets a green lock". What folks need to know is that the party they're interacting with now is *the same party* they set up a prior relationship with.

None of the authoritarian validation systems do anything to solve this problem.

@dalias @twifkak @matt_garber @dangillmor I would definitely prefer long-lived certificates which you can identify having dealt with before, and ideally ways of distributing some indications of who other users are trusting that are likely relevant to you. But in a current sense of what we have, where a few dozen companies just certify globally to everyone every single site out there... EV still works better than what we have.

@ocdtrekkie @twifkak @matt_garber @dangillmor The long-lived identifier you have to know you're dealing with the same party is the *domain name*. That's the whole point of a domain name. The certificate validates that you're communicating with the legitimate owner of the domain name. Whether it's EV or not makes no difference.

Yes there are ways this system could be a lot better. But "trust some freeform text field in an EV cert" is so ridiculously worse than "use the domain system the way it was intended".

@dalias @twifkak @matt_garber @dangillmor Has an EV cert *ever* been used maliciously? Like not in a test case but for actual abuse?

The trusting authority part is sort of useful, if we insist on having CAs at all, but the funny part is the most useful part of EV is the part of TLS modern organizations want to eliminate: Cost. Cost is why EV is basically a guaranteed indicator you've landed on a safe site.

@ocdtrekkie @twifkak @matt_garber @dangillmor Yes, they have. I don't have receipts readily available and Google is broken and won't find them, but it's happened.

However, there are two sides to the malice of EV. One is lending trust to scammers who get an EV cert to exploit trust. The other is the harm to everyone who doesn't pay the EV racket, when users who don't understand wonder why the browser UI shows them as "less secure".

@dalias @twifkak @matt_garber @dangillmor I don't need to verify the real world identity of every blog site I'm viewing. I do think EV-to-flesh-and-brick should be required for anything approaching a payment transaction. And that for anyone legitimately conducting a payment transaction, EV is a minimal effective cost.

@ocdtrekkie @twifkak @matt_garber @dangillmor Um, most payment transactions are with parties I absolutely do not expect to dox themselves to be able to receive payment.

I do not see how you can call yourself a "privacy advocate" and yet claim every payment transaction should require an EV certificate. 🤦

Aside from that, payment transactions are low-stakes, lowest-possible even. If they're fraudulent the payment processor reverses them.

@dalias @twifkak @matt_garber @dangillmor I think when we've hit the point you are looking for sniping opportunities based on my profile bio we've escaped polite discourse, so I'll call it here. But suffice to say, effective security measures depend on humans (because that's also where the mistakes are made), and generally do not scale/automate well.

@ocdtrekkie @twifkak @matt_garber @dangillmor There's an abundance of information out there about what a joke BIMI is. I haven't spent any time thinking about it since several years ago and I'm not going to go dig the stuff up for you.

@dalias @twifkak @matt_garber @dangillmor I have read all of the marketing on it and do not need links. They are wrong.

@ocdtrekkie @twifkak @matt_garber @dangillmor LMAO even BIMI Group says:

"BIMI enables brands to have control over the logos displayed with their email. It is important to know that BIMI is not a security solution."

IT IS IMPORTANT TO KNOW BIMI IS NOT A SECURITY SOLUTION.

@twifkak @matt_garber @dalias @dangillmor Privacy, of course, is a critical component of security as well, so Google's decision not to block third party cookies when *every other browser did* makes it a complete nonstarter from a security standpoint. Before we even talk about things like constantly introducing new attempts at web standard spyware like FLoC.

@ocdtrekkie @matt_garber @dalias @dangillmor Google cares about security, such as secure channels, ever since Snowden. The last thing they want is someone snooping on "their" data, inside or outside their data centres.

Privacy is not a concern, so long as they have power over advertisers.

@dalias @dangillmor Yeah I agree with this. Reminder, the vast majority of college students and people who use their personal computers for work must run a chromium-based browser on their personal computer. Right now, that means we can run a FOSS version of chromium and that it works well on Linux.

Who would benefit if the courts let Perplexity AI make chromium proprietary Windows-only software?

@dalias @dangillmor After hearing stories of Perplexity considering buying chrome... yeah I am far happier with Chrome staying in Google's space.

Google is also pretty awful for the internet but at least they're mostly interested in exploiting humans to deliver ads and sell data instead of whatever the hell AI companies think they're trying to accomplish. Google comes off as far less likely to accelerate the Dead Internet vs Perplexity.

@dangillmor

If Mozilla dies and Thunderbird with it, there's always (Al)Pine.

@dangillmor I'm not attempting to defend google here, but I've seen two assertions now that Mozilla is going to die without Google funding (which would be absolutely true); but this is straight from the article: "Under the court's ruling, Google will still be permitted to pay for search placement—those multi-billion-dollar arrangements with Apple and Mozilla can continue."

What am I missing? Has Google indicated it's going to stop supporting Mozilla? Or was the hope that, if they lost Chrome, they'd end up dumping a lot more money into Firefox?

@dangillmor How did he kill Mozilla? (I can’t find that referenced in the article, it just says that Google can keep paying Mozilla for search.)

@dangillmor a few questions:

1) How does this kill Mozilla (even if indirectly)? What does Thunderbird have to do with Google owning Chrome?

2) What is the argument that Google's ownership of Chrome allows it to have a monopoly on search?

3) If Google was forced to divest from Chrome, who would take those shares?

4) What does all of this mean in relation to Google's development efforts on Chromium?

@xyhhx @dangillmor I also don't get one, especially since it's even mentioned: "Under the court's ruling, Google will still be permitted to pay for search placement—those multi-billion-dollar arrangements with Apple and Mozilla can continue."

@bws Sometimes it seems @dangillmor has some pretty off-base takes on tech, and I wish he'd consult someone with deeper technical understanding before making such comments considering his following

@xyhhx @dangillmor

Right on! Chrome is a cost center, not a revenue source, afaik.

It's an open source browser (Chromium), called Chrome when bundled with Google's snoopware.

I'm asking, not stating here. Someone please explain.

@xyhhx @dangillmor It doesn't kill Mozilla, the judge pointed out specifically that preventing Google's default search deals would hurt them.

@tad lol

judge: *delivers ruling to mitigate damage to mozilla*
@dangillmor: this ruling kills mozilla

@dangillmor ever since Trump took office, I just knew that corporations are going to be let loose to do whatever they want

@dangillmor divestiture of Chrome was a horrible proposal for breaking Google's monopoly anyway. As someone elsewhere mentioned in the thread, Chrome is a cost center.

Forcing Google to sell off its advertising arm would be better. A lot of decisions that hurt users and customers are driven by making Google's ads more pervasive and more profitable. It would also significantly punish them for their bad behaviour since advertising actually makes Google money.

@dangillmor "Under the court's ruling, Google will still be permitted to pay for search placement—those multi-billion-dollar arrangements with Apple and Mozilla can continue."

@dangillmor how is this bad for Firefox/Thunderbird? I don’t see that elaborated in the article.

@allancavanagh @dangillmor well, if Google doesn't have this over their head, why should they carry on funding a competitor as a "look, not a monopoly" artifact?
I think #mozilla might do much better without the torrents of ad and privacy cash from #google ...

#firefox #Thunderbird

@falken @dangillmor thanks, I wasn’t aware Google funded Mozilla.

@dangillmor @jwz Why specifically is this bad for Mozilla?