Free Trial
Contact Us
Podcast

Root Causes 237: Why Mozilla Is So Important to CAs

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
August 10, 2022

Mozilla is a highly important to the world of public certificates, with influence beyond what the Firefox browser market share would suggest. In this episode we examine the historical reasons for this influence and the mechanisms that maintain that influence today.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanAs we talk about the world of public certificates, one of the things that you and I wind up touching on a lot one way or another is various programs or initiatives or sites or places that are operated by Mozilla. And Mozilla has a big footprint and casts a big shadow in the world of public certificates. Something that is arguably outsized compared to their overall browser market share. So, we thought it would be interesting to discuss why that is the case.
Jason SorokoJason SorokoTim, I’m certain that it has to do with some historical reasons, but I’d love to hear your take on that.
Tim CallanTim CallanI mean, at a high level that’s exactly what is it. If we think back, once upon a time, how did the browser wars go. Once upon a time, there was Netscape, and everybody said, oh, Netscape, they’re going to own the world. And then Internet Explorer basically completely pushed out Netscape and everybody said, oh, Internet Explorer, they’re going to own the world. And then, in that timeframe, there was perceived that there needed to be an alternative to Internet Explorer, and Mozilla was created and, in a lot of ways it’s among the largest and most influential and most accomplished open-source projects ever. If it’s not the most accomplished, it’s definitely right up on the list. And so, that’s real important because it was an open-source project, Mozilla did their work in a different way than other browsers did. And I think that is the core of a lot of why Mozilla is still so influential today.
Jason SorokoJason SorokoTim, I’ll even add a little bit to that in terms of the underlying rendering technologies of browsers because most people who use their browser don’t really care how it works, just get me to www.whatever.com and let’s go. But in reality, the way that your browser renders, I don’t think a lot of people realize, but Mozilla’s rendering technologies quite often were everywhere, regardless of what browser you were using anyway. That was kind of interesting.
Tim CallanTim CallanThe Chromium browser, I think, is really taking over that now.
Jason SorokoJason SorokoAbsolutely. In fact, you talked about Internet Explorer, which in fact was very recently completely deprecated. It no longer technically exists. So, we’re talking about in terms of Microsoft, Microsoft Edge is their browser brand at the moment.
Tim CallanTim CallanBased on Chromium.
Jason SorokoJason SorokoAnd that is Chromium. Absolutely. And in fact, for a while, it wasn’t. They still had their own proprietary technologies, and some of which were based on WebKit, which echoes of the Netscape days and Mozilla, but now, it’s Chromium. So yes, absolutely. So not all the browsers, but many of them, have gone to go to the Chromium rendering, mostly because it’s the rendering speed game was one that Microsoft just didn’t want to fight anymore, and that’s what made them make that big choice. But yes, so the browser branding, browser market share, and even underlying browser rendering technologies, certainly from the time of Netscape onwards had been blended and mixed and matched. And there is a whole long history there, and Mozilla, as a very successful open-source project, was a big part of all of it.
Tim CallanTim CallanSo if we go back in time. Once upon a time, all of the browsers had their own distinct root store. So root stores is probably the first point to discuss. If you go back in time, all of the browsers had their own distinct root stores, and you had an Internet Explorer root store, and it was different from a Mozilla root store, and it was different from once upon a time a Netscape root store. And if you go way back in the past and then Chrome came along, and if you go way back in the past, you even had, there was no auto update so I would chip a version of a product that would have the roots that it would have, and those would just be the roots. That’s how things went in 1996. And so, when Mozilla first came along, they were doing things differently, and a lot of what they were doing differently is because it was an open-source project, everything was in public display. Everything that happened in Mozilla was in public view, and so Mozilla wound up being the only place where you could sort of have a dialog about something like, is a CA trustworthy. And as a consequence, that became the de facto for where these things go on, and that’s still the case today. So we talk about, we sometimes talk about Bugzilla. Bugzilla is Mozilla’s Bugbase, and the Mozilla Bugbase that is there for Mozilla’s products is the place where all public CAs report and discuss any errors or problems they have as a public CA. And it’s funny because it’s the industry’s place to discuss these things, but ultimately, it’s owned and operated by Mozilla. So for example, Mozilla sets the rules for Bugbase and how it works and what you do and what you don’t. And everybody lives with that. If you’re Apple or Google or Microsoft, you’re getting your information from Bugzilla.

Another one is their root store. The Mozilla root store is still paid a lot of attention to by other parties who aren’t kind of the big five or so root stores who, if you're going to be using somebody’s root store ‘cause you don’t want to maintain your own root store, you’re probably using Mozilla’s. Again, why? Because it’s open source and so that’s where it goes back I think for a lot of the history, the open source. Not just in terms of the code itself, but the mechanisms that surround the creation and policing and updating of the code are available to the community at large, and because they are available to the community at large and there wasn’t really anything else that was, they sort of became the de facto information for the community that was interested in public CAs.
Jason SorokoJason SorokoMakes a lot of sense, Tim. Between the history and the fact that they were a very fundamental part of a lot of competitor vendor technology bases, especially that root store and also that rendering technology I was talking about, it just became the place to do the primary discussions about issues in the CA world and a lot of things as well. So, it does definitely make sense. And I think if you were brand new to the world, if you just came out of an egg right now and you took a look at the market share of browsers, you might wonder why, but I think Tim spelled it out very well there.
Tim CallanTim CallanNow there’s one, I mean, there’s one other point that’s worth considering. I don’t know, I mean exactly what browser market share is, kind of depends on the source you look at, but let’s just say that Mozilla is somewhere in the single digit percentage market share. A good thing to remember is single digit percentage market share is still phenomenally important. Like, let’s make up a number. Let’s say you had 5% market share. Well if you had 5% market share, another way of thinking about it is, 1 in 20 random visitors are not going to or are going to be on that particular platform. That actually is a huge amount of power. Let’s imagine what would happen if Mozilla decided to distrust a root. If Mozilla decided to distrust a root then that root becomes for all intents and purposes economically unusable because if you’re standing at the website, would you be okay with 1 user in 20 not being able to interact with your website? Would that be alright?
Jason SorokoJason SorokoNot even close.
Tim CallanTim CallanOf course not. Not when there are surrogates available. So once upon a time, if we went way back in time to the late 90s when we still had those no auto update kind of situation I talked about before, CAs used to advertise their market share. They used to say 99.7% market share. Because everybody knew you weren’t going to get 100%. But that’s past now. Nowadays, I put it to you that 1% market share would be enough to make a CA commercially unviable because what online retail store owner in their right mind is going to walk away from 1% of sales for no reason? Nobody. Even to some degree there was a lot of focus on market share and say, oh well, Chrome has more than half the market share. They are really the gorilla. Sure they are, but anybody who gets over a certain minimum threshold still wields a huge amount of power over CAs, and Mozilla still today remains over that threshold.
Jason SorokoJason SorokoFor sure. But, of course, when we’re talking very specifically about things that have to do within the trust store, discussions about it, where do you go to discuss these things. Mozilla definitely has a greater punch than its related market share at the moment. Even though a low market share is ultimately incredibly important, they still I think punch way harder than you might think they would, based on their market share, and those are the historic reasons.
Tim CallanTim CallanThey have Bugzilla, they have a Bulletin Board, they have various other communication mechanisms and things, and those have just kind of become the townhalls for the community of public CAs, and that sort of thing has a lot of durability. If you’ve got a whole lot of people who are going to Bugzilla and they’re going there on a regular basis, and have set up their alerts, moving them to something else is hard. That’s something that Mozilla continues to maintain, and I think it continues to foster and preserve their influence inside of this community, which is quite high.
Jason SorokoJason SorokoI think, also, there’s been a lot of people who’ve come out of Mozilla. They’ve kind of acted like a bullpen for a lot of the industry, I think that that has influenced a lot of other programs, even if it’s not under the Mozilla branding under their open-source branding. I think they’ve taken a lot of their philosophies and have spread it right across the industry. So, it’s another way that they’ve influenced things as well, and that comes from that open-source base, where people come with it, with a specific viewpoint, and that has, like I say, that has spread far and wide. It’s interesting to watch how people have progressed.
Tim CallanTim CallanAnd this extreme Silicon Valley pedigree. I mean, not only in terms of what you’re saying, which is people go to Mozilla and then go to other places and bring their philosophy, but just in general, if you want to talk about being plugged in, if you want to talk about being insiders Mozilla is as insider as it gets. And so, that certainly has power as well.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud