Google is planning to follow in Mozilla’s footsteps as the search giant has announced plans to run its own certificate root program/store for its Chrome browser.
While operating systems and applications use a “root program” or “root store” to verify the identity of software during installation, Chrome and other web browsers use root stores to ensure that HTTPS connections are valid. They do this by examining a website’s TLS certificate to determine whether it chains back to a root certificate that is included in a local root program/store.
Unlike Mozilla Firefox, which includes its own root store, Chrome has been configured since its launch in 2009 to use the root store of the operating system it is currently running on. So on Windows machines, Chrome checks a site’s TLS certificate against the Microsoft Trusted Root Program, and on macOS devices the browser does so using the Apple Root Certificate program.
In the future though, Google’s web browser will use its own root store to determine whether HTTPS connections are valid.
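To make the root-store check concrete, here is an added example (not from the original article or from Google) that uses the openssl command line to validate one certificate against two different root stores, showing why the verdict depends on which store the client consults. The CA names, hostname and store file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo: one leaf certificate, two root stores, two different verdicts.
# DemoRootA/DemoRootB, www.example.test and the store file names are constructed.

# make_ca DIR NAME: create a self-signed root CA (key + certificate) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA_NAME HOST: have CA_NAME sign a certificate for HOST.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 7 -out "$1/leaf.pem" 2>/dev/null
}

# trusted_by STORE LEAF: print "trusted" if LEAF chains to a root in STORE.
# The demo roots are freshly generated, so no system store can contain them.
trusted_by() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" DemoRootA
    make_ca "$dir" DemoRootB
    issue_leaf "$dir" DemoRootA www.example.test
    # The "platform" store trusts only root B; the "browser" store trusts A and B.
    cp "$dir/DemoRootB.pem" "$dir/platform-store.pem"
    cat "$dir/DemoRootA.pem" "$dir/DemoRootB.pem" > "$dir/browser-store.pem"
    echo "platform=$(trusted_by "$dir/platform-store.pem" "$dir/leaf.pem")"
    echo "browser=$(trusted_by "$dir/browser-store.pem" "$dir/leaf.pem")"
    rm -rf "$dir"
}

demo
```

The same certificate is rejected by the store that lacks its issuing root and accepted by the store that includes it, which is the per-platform inconsistency a single browser-shipped store removes.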
Chrome Root Program
In a new post on The Chromium Projects’ webpage, Google has revealed its plans to create its own root store called the Chrome Root Program. The new root store will eventually ship with all versions of Chrome, though it won’t be coming to Chrome for iOS.
At this time, the program appears to be in its early stages and Google has not yet provided a timeline for when the Chrome Root Program will go live. However, the company has published rules for Certificate Authorities (CAs), which issue TLS certificates for websites, so that they can be ready when the time comes. Google provided more guidance for CAs in its post announcing the Chrome Root Program, saying:
“As this transition occurs, CAs should continue to work with the relevant vendors of operating systems where Chrome is supported to additionally request inclusion within their root certificate programs as appropriate. This will help minimize any disruption or incompatibilities for end users, by ensuring that Chrome is able to validate certificates from the CA regardless of whether it is using the Chrome Root Store or existing platform integrations.”
By introducing its own root store, Google will be able to provide a more consistent experience and common implementation across all of the platforms its browser supports. Chrome’s security team will also be able to step in and ban CAs that aren’t following the rules more quickly.