Podcast
Root Causes 444: What Happens to the WebPKI if Google Sells Chrome?
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
December 5, 2024
We discuss how a potential break of Chrome from Google would affect the WebPKI. We look at product changes, resourcing, post-quantum cryptography (PQC), innovation, moonshot initiatives, and other public CAs.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanIt's so busy. We're putting up podcasts for things that happened two months earlier, because we just can't get through the news cycles. This is a huge one that we're probably going to jump to the front of the queue, because everybody in the world has been talking about it. And it is, of course, the DOJ’s request to the courts that Google be forced to sell off the Chrome business, essentially to break up Google and Chrome from each other, and vast amounts of coverage has occurred around this. We're not going to tell you things that you won't get from a million other media sources, except that I think we thought what might be interesting today is to suppose that this were to happen. Let's get away from speculation about does it happen and when it happens. Let's start with a make believe hypothetical that this does happen, and Google is forced to sell the Chrome business to someone else. The Chrome browser.
Jason SorokoIt gives me the shivers. It gives me the shivers to even think about that.Tim CallanIt would be huge. It would be incredibly important. It kind of reminds me of the old discussions in the 90s of breaking up Microsoft. Very similar. If that were to happen and Chrome was to be decoupled from the Google search business and the Google Online Services business and the main mothership, what would be the consequences to the WebPKI? That's what I want to focus on today. What would that mean for the WebPKI? I've got some thoughts, but I'm happy to let you go first if you want what. What are some of the things that we think might happen?Well, the first thing that I think is important, is to ask, what is the level of resourcing? This is my interpretation, but it is a very common interpretation, and I'm very confident that I'm right, which is that the paid search business allows Google to fund both Android and Chrome in what are, for all intents and purposes, infinite levels. That they can put whatever they need into these two programs to make sure that they succeed and that they gain vast market share and this involves a bunch of things, but it certainly involves product stuff. Once Chrome is owned by someone else, depending on who that someone is, there's a distinct possibility that that is no longer the case. So the first thing that I would wonder is, is there a significant change in resourcing, which may exhibit itself in release cycles, ambition of releases, we've seen vast amounts of energy put into Chrome socializing the changes it was to the green address bar and the lock icon, and they were sending people to conferences to discuss this and all that stuff. Do all those efforts go away? Or get much smaller?
Jason SorokoTim, I’ll even add one to that. I think you nailed it. And nobody less than Kent Walker, President Global Affairs and Chief Legal Officer at Google and Alphabet actually wrote a blog November 21 of 2024 and the title of the blog is DOJ Staggering Proposal Would Hurt Consumers and America's Global Technological Leadership. He makes at least six points. One of those points, Tim, even basically says it would hurt innovative services like Mozilla's Firefox, whose businesses depend on charging Google for search placement. In other words, they're even saying that it would put at risk Mozilla itself.Tim CallanI mean one possibility depending on who gets Chrome - if this were to happen, again - is that that would be the exact model. That they would they would operate the browser basically in order to charge whoever it might be - Google, Bing, somebody else - for search placement. That would be really the point. That's what Mozilla has. That could be the new business model that someone's under with Chrome. Then so under those circumstances, you start to say, well, okay, what are, what are the implications of that? So I think that's a big one is just level of resourcing and coming out of that, do you see that the WebPKI initiatives at Chrome are as resourced, as aggressive, as thought through as they are now? We frequently reference the moving forward together page to tell us what we think Chrome is thinking about and up to. Does something like that still happen? Do we have something like that? You look at Chrome's not just heavy involvement in reducing certificate lifespan, but other things like MPIC and focus on CT logs, all of these things. Look at post-quantum cryptography. Chrome was very early in allowing post-quantum cryptography, and because of that, between the combination of Chrome and other supporters like Cloudflare, there has been very real, pragmatic understanding of what actually happens with PQC algorithms in the real world, and would a non-Google Chrome be set and resourced to do that? I'm not saying it wouldn't, but I think it's a question that would need to be asked.Jason SorokoIt certainly is. Let me add that to that one - that point you're making, Tim. You're talking about the absence of Google and the absence of basically their entire ecosystem to make this a very thorough WebPKI. That's just the place that they've played. I mean, you're talking about a scenario where you're dreaming up where this has actually happened. Well, if it has actually happened, then what it means is that somebody would have had to have cut a check and entered the WebPKI, and potentially also be disruptive. Like, who out there has the $20 billion ink to sign on a check? And I'm thinking of names like Jeff Bezos himself with Amazon.Tim CallanAmazon. Sure. Microsoft.Jason SorokoAnd so, if it’s Microsoft, it's like, okay, well, then you're actually talking about a concentration. Why would the DOJ allow that? But it just starts to get crazy when you start thinking about the possibilities.Tim CallanI mean, it doesn't seem to be many companies. You could say it could be Amazon, could be Meta, but it doesn't feel like there's many companies that would be able to take something on at that scale, unless it was forced to be a true fire sale. So, yes, level of resourcing, I think, is one thing. I think PQC does deserve its own callout, for exactly that. If this kind of thing came along right now and it caused some changes, what would that mean for the migration toward an adoption of PQC? It's things like what I just talked about. And how does that enter into it? There's a set of UX decisions that we've talked about a lot - the elimination of the green address bar, the changes in the lock, changes in how certificate information is presented. If there's new ownership, does all that stuff go back into play? Is it possible that different decisions are made? Is it possible that there's a different philosophy, and what are the consequences of that? One of the things about the Chrome team - and I really, again, I believe this is true - is that they view their job, to some degree, is to make sure that as many people as possible are able to use the internet. And perhaps that's something of a high-minded ideal and I think there's an aspect of high-mindedness to it. I also think there's an aspect of brute pragmatism to it, which is that the way that Google makes its money, and all these people can fly their private jets, is because lots and lots of people are using Internet services like the ones Google provides, and in the event - or including the ones Google provides, I maybe should say - and in the event that it switched to different owners who had a much narrower view of the world, like we make our money by people searching, then some of those decisions might be made differently, and they might have different consequences.
Jason SorokoNo. I definitely think so, Tim. Because this goes even like you're talking very specifically about the WebPKI. I think that when you're talking about things like what the DOJ is talking about, saying, if you own a Pixel phone, Google Pixel phone, you might have to go through a series of choice screens before you can even get to a search. It's just like, how that would affect things, the ripple effect would be massive. Some of this is going to affect exactly what you're just saying. The entire ecosystem is just going to it's going to change, and probably not for the better.Tim CallanThen you say, okay, what happens in the case of this new provider? Whoever owns Chrome now is they're going to have their own goals and their own objectives and if they just made a giant check, just wrote a giant check for the Chrome business and took on this huge thing, they did it for very clear reasons, and without knowing who that is, it's hard to speculate what those reasons are, but you could imagine there being consequences on the WebPKI there, too. For instance, let's say it's somebody who, themselves, is a public CA. Amazon is a public CA. Does that play in in some way? Is there some difference in how the browser would deal with an Amazon cert from somebody else's cert? So that sort of thing needs to be considered and asked as well.Jason SorokoNo, you're absolutely right, Tim. It's quite something. I'm not sure we're going to get into it in this podcast. We're talking about the what would happen, especially with the WebPKI, in the dreamed up scenario where the DOJ gets their way, and it's an interesting aspect of looking at it. I would also as time goes on and as we get closer, probably to January, when we actually have a change in presidential administration, we're going to actually have to watch how this plays out to see how close we are.Tim CallanThat’s valid, Jay. This might, with the new administration, this might continue to have legs, or this might not. I don't know that that's clear, so that will be something to keep an eye on. But if it does, I think the WebPKI is probably less affected than a lot of other aspects of the business because we still need it. Whoever takes over this browser is going to know we still need it, but I don't know that it's unaffected.Jason SorokoThings will change. I think that's what you and I are trying to say here, Tim, is some things will change. And I guess it might be worth saying - my own impression is, I can't see how we it would be really for the better right now because of just how well thought out - -Tim CallanI'll offer one way it might be for the better. Think about this, which is, there's going to be a new major player in the market. Right now, you've got this incredible concentration of power in Google. This is a lot of the motivation behind this. That the same people who own search and the same people who are have all of these other incredibly important initiatives that people are using all the time, like Maps and Google Earth, and Google Sheets and just a whole bunch of other stuff, if you take a different provider, and you put the Chrome business in their hands, there's probably much less concentration. Unless it happens to be a Facebook or an Amazon or a Microsoft. Then there's probably a lot less concentration. And in the scenario where there's a lot less concentration, there may be more room for innovation.So one of the things that happens now is, when Google does something, it is just a fait accompli. It has so much power behind it that it's really difficult to fight that trend. If you start to get a browser market where the power is a little less concentrated, there might be more innovation in that market. There might be more room for new players entirely. There might be room for existing players to do things differently, and we may actually see more variety and change in the initiatives that touch the WebPKI. Now that goes both ways. I think that could be good. People could make things that are better that help us advance and improve the WebPKI. It could be bad. There might be things that are being held in place by the Google company that are fundamentally healthy for the WebPKI and a certain amount of looseness could be unhealthy. If you and I, I think we would probably both agree, if you look at where the WebPKI was a dozen years ago and compared to where it was now, that it's a better, more secure world today in that regard than it was then. That owes itself very largely to Google. Primarily to Google. Not exclusively, but primarily. So when you go back and you look at that, you say, okay, if it weren't for that concentration of power, and if it weren't for that philosophy of we have to make the internet safe for the most possible people, because that's how come we all get to fly our private jets, then at the end of the day, that would the 6 billion people, or whatever it is who use the internet today, would be worse off. And so if you, if you start there, then you might say, okay, in a broken up world, on the one hand, maybe there's more innovation. Maybe we wind up in a better place. This free market philosophy. On the other hand, though, these kind of big initiatives that require power and a long memory and being able to set your minds on a task and do that for the next 10 years, those initiatives probably don't happen.
Jason SorokoTim, I hear you and I completely agree on all points. What was going through in my mind, was the big however on some of this, which is, anybody who is able to pull out $20 billion in ink and sign the check is - and I think this is what's interesting - they're going to have very, very similar, if not even more like Google, I think Google-like motivations to do a lot of the things Google's already is doing if they are the owner of Chrome as a business asset.Tim CallanRight. And that's possible, too. Absolutely.Jason SorokoAnd so the reason I think there would be differences in the WebPKI, is because different is different. However, let's make a real concrete example. You and I have podcasted at length about Google's attempts and ultimate failures to replace cookies in the browser. I actually think anybody who's going to cut the $20 billion check for Chrome would probably have nearly identical struggles, because their motivations will be identical to Chrome’s. Like Chrome today. Under Google. When I try to think about examples, real, concrete examples of whether you're cynical about it or happy about it, Google has a certain way of operating, but at least the answer, their motivations are usually very clear. So that's how the rest of us in the world who aren't Google, deal with Google is we understand their motivations, and we kind of move out of the way, or move into the way of what they're doing. I'm just not convinced that anybody who pays 20 billion for Chrome is going to act a lot differently.Tim CallanI think you're right. And the cookies one, I think, is another real good example. So is WebAuthn, the Google implementation of it. These are also areas that directly touch on this, in terms of this kind of big picture view approach to this, which is one of the things that Google has done very consistently, and, certainly in many ways to the benefit of the ordinary consumer and the WebPKI. Certainly in the world of security.Jason SorokoIt’s an interesting question, Tim. I’m glad we got to talk about it a little bit, but this is one where when, as things flesh out one way or the other we're going to have to talk about it, and so it'll return as a subject.Tim CallanI thought it was interesting to have this hypothetical conversation now. When things stop being hypothetical and start being a little more real, we'll want to return to it and see what it what it really looks like.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
