The federal judge let Google off the hook in the antitrust case that the company supposedly lost. He said no to any serious remedy. And he indirectly killed Mozilla (Firefox and Thunderbird).

A good day for Google, and a terrible day for what's left of the open web.

https://arstechnica.com/gadgets/2025/09/google-wont-have-to-sell-chrome-judge-rules/

Google won’t have to sell Chrome, judge rules

Google’s penalty for being a search monopoly does not include selling Chrome.

Ars Technica
@dangillmor I think this is probably a relief. Google owning Chrome is awful, but anyone else buying it is even worse. A successful antitrust action would have put *Chromium* under a foundation outside Google's control and forced them to keep shipping Chrome based on that, with no control of the upstream. Not handed it over to someone with a worse mandate to monetize.

@dalias @dangillmor Bingo. I still trust Google’s developer and security teams on Chrome (and by extension, Chromium) far more than any of the trial balloon offers floated by “serious” suitors. Better stewardship under *OpenAI*? No thanks.

@matt_garber @dalias @dangillmor So I have to express that if you think Google is good at security you are wrong. So wrong, I would argue Google fundamentally *doesn't understand* security. We literally straight up ban Chrome at the office.

@ocdtrekkie @matt_garber @dalias @dangillmor Can you explain why you think Chrome doesn't understand security? Specific examples of failure, or a general sense, or...?

@twifkak @matt_garber @dalias @dangillmor So specifically with Chrome, Google constantly pushes new APIs which enable malware and fingerprinting, over half of which other browsers consider actively harmful. Most of good security is disabling about half of the "features" Chrome has shoved into web browsers. Notifications API, WebUSB, etc. Meanwhile they pioneered removing the EV indicator because Google has committed itself to misunderstanding SSL security.

@ocdtrekkie @twifkak @matt_garber @dangillmor Removing EV indicator was good. EV was nothing but a vector for deceiving users. One of these two things must inherently be true:

Either you have to be sufficiently big to play (pro-monopolist), or

Anyone can set up a scam company with a name sufficiently close to some company users trust and get an EV issued to that name to deceive users that they're trustworthy.

@dalias @twifkak @matt_garber @dangillmor This is false. And even Google has admitted it in a backwards way but they're too committed to their doctrine to publicly admit EV is necessary. BIMI requires the "Verified Mark Certificate" in Gmail which is just "EV but we can't admit we were wrong".

@ocdtrekkie @twifkak @matt_garber @dangillmor BIMI is likewise bad. For the exact same reasons.

The only reason they insisted on doing something so ridiculous was that they previously made the decision to *hide the actual sender address* and only show a freeform text field the sender sets to anything they want.

Email clients should never show the sender name, only the raw email address, unless the name is in your address book matching the address.
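The display rule in the post above (show the raw address, and only substitute a name when your own address book has that exact address with that exact name) is easy to state and easy to get subtly wrong. The following is an added illustration, not code from anyone in this thread: it parses a `From:` header with Python's standard `email.utils.parseaddr` and applies the rule against a small constructed address book. Every header and address here is constructed for the example; the case-folding of the address for the lookup is my assumption.

```python
import email.utils

# Constructed address book: a verified address mapped to the name we know it by.
ADDRESS_BOOK = {
    "alice@example.com": "Alice Example",
}


def display_sender(from_header: str, address_book=ADDRESS_BOOK) -> str:
    """Return the string a mail client should show for a From: header.

    Rule: show the raw address. Show a name only when the parsed address is
    in the address book *and* the claimed display name matches the name
    stored there. A sender therefore cannot pick a trusted-looking name
    (or a trusted-looking address as the name) for an untrusted address.
    """
    name, addr = email.utils.parseaddr(from_header)
    if not addr or "@" not in addr:
        # Unparseable header or no addr-spec at all: nothing here is trustworthy.
        return "(unknown sender)"
    key = addr.strip().lower()  # assumption: fold case for the lookup
    known = address_book.get(key)
    if known is not None and name.strip().casefold() == known.casefold():
        return known
    return addr.strip()


if __name__ == "__main__":
    # Constructed sample headers covering the cases the rule has to handle.
    samples = [
        "Alice Example <alice@example.com>",             # known address, matching name
        "Bob <alice@example.com>",                       # known address, wrong name
        '"Alice Example" <mallory@attacker.example>',    # trusted name, untrusted address
        '"alice@example.com" <mallory@attacker.example>',  # address-lookalike as the name
        "bob@example.org",                               # bare address, no display name
        "",                                              # empty / missing header
    ]
    for header in samples:
        print(f"{header!r:55} -> {display_sender(header)}")
```

The third and fourth samples are the cases the rule exists for: the freeform name is the attacker's to choose, so a client that renders it hides the only field the attacker could not forge past the receiving server.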

@dalias @twifkak @matt_garber @dangillmor Why is BIMI bad? It's not. VMC and EV are the only things that actually approach a useful purpose for the entire WebPKI nonsense. Because while there may be holes worth shoring up they put a huge practical dent in the problem of enabling users to trust a message.

And it's important that you recognize that an example edge case is not important: they are practically extremely effective; malicious use is basically zero.

@dalias @twifkak @matt_garber @dangillmor EV is an incredible example of the problem with the way Google thinks about security because it was real world effective but someone could at significant expense create a single test example where it was fooled and therefore is bad, but Google constantly pushes concepts that are cryptographically secure but provide no human security and are easy for bad actors to exploit with social engineering.

@ocdtrekkie @twifkak @matt_garber @dangillmor EV is an example of security-through-trusting-authority. Which is the exact same badness Google is always pushing.

@dalias @twifkak @matt_garber @dangillmor Has an EV cert *ever* been used maliciously? Like not in a test case but for actual abuse?

The trusting authority part is sort of useful, if we insist on having CAs at all, but the funny part is the most useful part of EV is the part of TLS modern organizations want to eliminate: Cost. Cost is why EV is basically a guaranteed indicator you've landed on a safe site.

@ocdtrekkie @twifkak @matt_garber @dangillmor Yes, they have. I don't have receipts readily available and Google is broken and won't find them, but it's happened.

However, there are two sides to the malice of EV. One is lending trust to scammers who get an EV cert to exploit trust. The other is the harm to everyone who doesn't pay the EV racket, when users who don't understand wonder why the browser UI shows them as "less secure".

@dalias @twifkak @matt_garber @dangillmor I don't need to verify the real world identity of every blog site I'm viewing. I do think EV-to-flesh-and-brick should be required for anything approaching a payment transaction. And that for anyone legitimately conducting a payment transaction, EV is a minimal effective cost.

@ocdtrekkie @twifkak @matt_garber @dangillmor Um, most payment transactions are with parties I absolutely do not expect to dox themselves to be able to receive payment.

I do not see how you can call yourself a "privacy advocate" and yet claim every payment transaction should require an EV certificate. 🤦

Aside from that, payment transactions are low-stakes, lowest-possible even. If they're fraudulent the payment processor reverses them.

@dalias @twifkak @matt_garber @dangillmor I think when we've hit the point you are looking for sniping opportunities based on my profile bio we've escaped polite discourse, so I'll call it here. But suffice to say, effective security measures depend on humans (because that's also where the mistakes are made), and generally do not scale/automate well.