Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Chrome Security IT

Chrome Will Soon Have Its Own Dedicated Certificate Root Store (zdnet.com) 56

Google has announced plans to run its own certificate root program/store for Chrome, in a major architectural shift for the company's web browser program. From a report: A "root program" or a "root store" is a list of root certificates that operating systems and applications use to verify the identity of a software program during its installation routine. Browsers like Chrome use root stores to check the validity of an HTTPS connection. They do this by looking at the website's TLS certificate and checking if the root certificate that was used to generate the TLS cert is included in the local root program/store. Since its launch in late 2009, Chrome was configured to use the "root store" of the underlying platform. For example, Chrome on Windows checked a site's TLS certificate against the Microsoft Trusted Root Program, the root store that ships with Windows; Chrome on macOS relied on the Apple Root Certificate Program; and so on. But in a wiki page, shared with ZDNet by one of our readers, Google announced plans to create its own root store, named the Chrome Root Program, that will ship with all versions of Chrome, on all platforms, except iOS.
This discussion has been archived. No new comments can be posted.

Chrome Will Soon Have Its Own Dedicated Certificate Root Store

Comments Filter:
  • Does this mean (Score:5, Interesting)

    by CastrTroy ( 595695 ) on Monday November 02, 2020 @11:46AM (#60676010)

    Does this mean that presumably we could have a secure version of Chrome for older platforms like Windows XP? I know one of the final things that drove me away from using old Windows XP machines one old hardware I had lying around was the fact that it just couldn't be made secure anymore. Theoretically, if you don't really depend on the OS for anything involving security you could have a browser for older platforms that allowed people to use the web safely while saving old machines from the landfill.

    • Re:Does this mean (Score:4, Insightful)

      by MatthiasF ( 1853064 ) on Monday November 02, 2020 @12:14PM (#60676192)

      Install Linux?

      Such a weird comment. It's 2020 and you'd rather install Windows XP on an old PC than a modern free OS.

      • There is still a lot of software that runs on XP but not on Linux.

        • In that case run XP inside a VM from Linux. Keep snapshots in case anything bad happens.

          • I thought about doing that. Unfortunately, I think the VM overhead will force me to just run 10 directly.

            • Win XP running in Virtualbox is fast even on hardware a decade old.
            • by Zocalo ( 252965 )
              I'm pretty sure that running XP in a VM on Linux is going to be much more responsive on the same hardware than native Windows 10, especially if you have a CPU that has hardware support for virtualization as hypervisor overhead will then typically be just a few percent. Also, quite a few applications that worked on Windows XP simply won't run on Windows 10, even with compatibility modes, so you may end up needing a OS virtualization layer anyway.
            • If you turn on virtualization support in your BIOS, the virtualization overhead is may 1%-2%. If you don't turn that on, qemu has to emulate the CPU. If you turn it in, most instructions run directly on the physical CPU.

              What will likely affect performance more is that modem Linux is better at disk and memory access than XP is, so you'll probably see a slight speed up overall.

          • Comment removed based on user account deletion
            • Grab the 32-bit LTSB 2015 version as a base, then gut it of it of Windows Defender, which can be removed with some judicious permissions changes and the use of 'sc delete'. Then, if you're willing to offline service the OS manually, using DISM to patch it, you can strip out a lot of modern components, including all the automatic updates support. You can do all this by mounting the WIM file and removing all unnecessary system components from it before you install.

              Then, with appropriate unofficial patches
        • Run your application under SysInternals Process Monitor and collect a dump of everything it does. Then, take an entire copy of your XP install, including the registry.

          Next, try to run your app in Wine. Just install or copy it as normal and use winecfy to set the Windows version to XP. If it fails, refer to the SysInternals dump to gradually add native DLLs based on what it touches and add chunks of the registry as necessary. Unless the software relies on some crazy system services, it should work.

          Ol
        • That doesn't seem like a good reason to make XP your daily driver OS. Sure, keep a XP box around to run that software, or run it in a VM. There's little reason to actually browse the internet from a Windows XP machine anymore.

      • by antdude ( 79039 )

        The problem is that some old users have very old hardwares that don't have newer drivers and softwares. :(

    • > Theoretically, if you don't really depend on the OS for anything involving security

      Your operating system can completely replace the installed copy of Chrome with a trojaned version. Every time Chrome makes a network connection - well, it doesn't make a network connection, it asks the OS to make a network connection. The OS handles all network connections. When Chrome wants to download a file, it asks the OS to save the file. Chrome wants to read a file, it asks the OS to read the file for it. Everyt

      • If your OS isn't safe, absolutely no programs running on that OS are safe.

        No general purpose OS is "safe".

        • As most commonly used by consumers, indeed none are secure, for any reasonably usable definition of secure. On the other hand, some are absolute shit shows, some are not. XP is a shit show.

          Linux can be run in configurations that have useful security guarantees, where you can prove useful security properties. (To have provable security properties, the machine must be using mandatory access control (SELinux).

          • Linux can be run in configurations that have useful security guarantees, where you can prove useful security properties. (To have provable security properties, the machine must be using mandatory access control (SELinux).

            No it can't. This is an illusion referenced to an interface rather than an underlying reality.

            • Ya know, the way to be smart is to *learn* from experts.
              The way to remain forever ignorant is to try to pretend to be smart by just saying "no" when somebody is teaching you something. You may feel like you look smart; in reality you look like someone who refuses to learn.

    • Chrome for older platforms like Windows XP?

      Chrome isn't supported for Windows XP. If you have a Windows XP machine on the internet then the SSL certificate store is the least of your concerns.

    • Does this mean that presumably we could have a secure version of Chrome for older platforms like Windows XP?

      None of the third party browsers use the Windows TLS stack. Browsers are able to access operating systems certificate database however ALL the crypto is handled by the browser.

      Theoretically, if you don't really depend on the OS for anything involving security you could have a browser for older platforms that allowed people to use the web safely while saving old machines from the landfill.

      While there are theoretical risks user behavior is way more important than OS selection especially for typical user sitting behind a stealth firewall. Well over 90% of system compromises are executed via social engineering not exploitation of vulnerabilities.

      • > Well over 90% of system compromises are executed via social engineering not exploitation of vulnerabilities.

        In my experience over the last 20 years, most are both, but mostly exploiting software vulnerabilities. User gets a spreadsheet in an email from a known contact. User opens spreadsheet. Vulnerability in Excel allows the document to install malware on the system. Reading a document shouldn't allow a bad guy to take over the *system*.

        Reading office documents is what office computers are *for*. A c

    • No. You can adjust at the certs to XP. XP is not secure because of various bugs in the network stack that are no longer patched.
  • by xack ( 5304745 ) on Monday November 02, 2020 @11:48AM (#60676022)
    Pay for the Chrome cerificate or Chrome will block your site as insecure, including rival browser pages. Google knows anti trust is useless so it will do it soon after the election.
  • by Quietust ( 205670 ) on Monday November 02, 2020 @11:55AM (#60676076) Homepage
    Firefox has always used its own trusted root store rather than using the one provided by the operating system (unless you turned on a specific hidden setting [mozilla.org]). Does this mean that Chrome is now copying Firefox for a change?
    • by AmiMoJo ( 196126 )

      Seems like it, and Mozilla has done well out of that decision.

      Mozilla is a major player in the certificate game. If you want to set up a root CA you have to play by Mozilla's rules. And they can act relatively quickly when a CA screws up, putting them ahead when it comes to security.

      Google probably wants the same level of control.

  • Sure (Score:5, Insightful)

    by nagora ( 177841 ) on Monday November 02, 2020 @11:57AM (#60676086)

    All we need to do is trust the company that issues the certificate.

    Oh.

    Maybe not.

  • Do you think we are going put trust into the same people who can't even police their own extension store which is chock full of malware?
  • Just curious, and the article doesn't say.

    • by Zocalo ( 252965 )
      I suspect it's just Apple being Apple. Specifically Apple enforcing their "Walled Garden" approach and, where they can't do that, making it one of the developer Ts&Cs that you are not allowed to reinvent/circumvent stipulate functionality provided by iOS - e.g. they only reluctantly allow some types of applications where they provide their own implementation (if at all), let alone something that is usually implemented as part of the OS like this.

      YMMV as to whether this is a good thing in general and
    • I would guess that Apple doesn't allow different root stores in the same way they only allow the WebKit rendering engine.
    • Because Chrome (and every other third party browser on iOS) is just a wrapper around Safari, so it can only do what Safari does.

  • So, we should let Google have even more say about what ideas and speech are good and bad? Like this won't end up badly.
  • an authoritative list of everyone we don't want to trust.
  • You'd think this would be met with a groan by corporate PC managers who manage CAs and root trust via group policy but use Chrome over IE/Edge on the desktop. I know Chrome has some policy templates, but this seems like just more spaghetti in the spaghetti mess that is corporate GPO.

    • It is being met with groans and I'm probably now going to have to move a bunch of customers' environments from Chrome to Edge.
      • Have you ever looked at the ADMX templates for Chrome? I haven't, but I know they exist. I would be really surprised if certificate installation wasn't part of them once they rolled this out. There's too many self-managed CAs and the need for specific self-signed certificate trusts for Chrome to just go to an unmanageable internal certificate trust model.

        • Oh I use them. They're actually pretty neat, for the most part. Managing complex certificate chains through ADMX though is something I don't relish doing as ADMX is really not suited to the task.

          I'm really hoping that they implement this whole thing by using an internal store in combination with the system one.

          • It would kind of surprise me if there wasn't an option to trust the local cert store, I'd imagine there's a lot of use cases where they're needed beyond just the browser, and parallel installations would be a nightmare to keep track of.

  • by The1stImmortal ( 1990110 ) on Monday November 02, 2020 @05:09PM (#60677566)
    The purpose of the system certificate store is so all apps treat certificates the same way - trust the same roots (you only have to install a root once), can share access to private certs, you don't have to worry about bugs in different certificate stores etc. I have always been irritated that Firefox runs its own certificate store, and with chrome now ignoring the platform store too... time to drop chrome, I suppose.
    • That's exactly what DANE solves.

      • It's partly what DANE solves. There's also personal identification certs, and trusted alternate roots for some purposes that it can't handle.
        • All about control over your software. I love Firefox because it's easy to distrust many entities, while also allowing those you prefer, specifically for the personal use like you mentioned.

          Tweaking the OS is often more difficult, and you get stuck with crappy root CAs like various countries and legacy companies that cannot be trusted.

          ICANN has it's own issues, but the root cert ceremony seems more legit than hundreds of self-signed certs implicitly trusted.

          If you own a domain, you can self-sign for no extra

  • OS should provide the store... Imagine having to load a very into every app..,

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...