Free Trial
Contact Us
Podcast

Root Causes 246: Google Chrome Root Program Announced

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
October 4, 2022

Google Chrome recently announced the formation of its trusted root program. It may be surprising to learn that the world's most popular browser has existed for more than a decade without its own root program. In this episode we explain why that is the case, why Chrome is launching a root program now, and the implications of this announcement.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanWe want to talk today about a recent announcement. This is probably available in multiple places. I’m looking at the Chromium blog – Chromium, of course, from Google on Monday, September 19, 2022 and the blog post, the title is Announcing the Launch of the Chrome Root Program.
Jason SorokoJason SorokoTim, they didn’t have a root program? I’ll bring that up in a moment.
Tim CallanTim CallanNo, great. Let’s go there. This is announcing the Chrome root program.

So, just a little bit of background. The root program is the official set of rules and guidelines and the program and the administration and all of that that governs which roots are included in the trusted root store and how that all works. How CAs get their roots in there, what will cause roots to stay and be removed and how they are maintained and requirements for the roots and requirements for the CAs and all of that is governed by the root program. So, yes, go ahead. Now, ask your question again, Jay.
Jason SorokoJason SorokoSo, Tim, root programs in browsers have been around since browsers. In fact, we’ve podcasted about the history of that within NetScape in the early days. We even podcasted about the fact that early rules around this started with EV certificates rather than other certificates and all the vagaries of the history of these things and this is just one more vagary of history of how did the most popular browser there is just announce their root program.
Tim CallanTim CallanNot have it’s own root program. It is fascinating isn’t it. And one thing, let me just clarify. You are right. We have talked about this a lot and I certainly may have out of kind of general sloppiness have referenced the Google root program in the past in which case I should have been saying, the Google root store. Because Google has had a root store for as long as they’ve had Chrome, which roots Chrome is going to trust. And that’s important because that’s where the real power is. You put roots in and out of the root store and you are determining basically which certificates are gonna get trusted status and which are not. And the best example of that, of course, was the deprecation of trust for Semantic. So, in 2017, Google deprecated its trust for the Semantic roots and even though it didn’t have a root program, it did have a root store and when those roots were removed from those stores those certificates were no longer usable. So, in that sense, one could contend – and this is part of where we get it – that there may not have been a root program but there was certainly some kind of root program going on there. But, no. Google didn’t have an official root program. Now, why is that?

Well, to answer that question, I think we really have to go all the way back to the 2000s. So, you go back in time to that amount of time and it was still an era where the exact winner of the search war was in doubt, was in play. Where it could have gone either way. So, it could have been Google but it could have been someone else and there was a recognition I think at the time by a number of people that controlling the search box at the top of your browser or controlling that box where you typed in the top of your browser was a huge piece of controlling what engine got searched on. That most people were gonna use the default that was built into the browser. Even though you can go change it, they usually don’t. Most people were gonna use the search capability right there in the web address bar at the top and in so doing, it was going to drive traffic to certain browsers and this was a period of time when Internet Explorer was very, very, very dominant and so Internet Explorer was very dominant. It’s commonly believed that the folks at Google said this is a bad situation and Google needed a rapid response to this. So, they sponsored Firefox in a big way. They sponsored Mozilla and it’s commonly believed that for a long time Google was giving more than half of the money, the donations that Mozilla was getting and Mozilla was using that to built Firefox and other things. Thunderbird and stuff like that and one of the consequences of that was that if you got into your Firefox browser and you typed in, what did you see? You got results in a Google search engine.

So, the marriage between Mozilla and Google, very long. Very deep. Very interwoven. So interwoven that for years one of the Mozilla peers was also simultaneously the Google employee who ran the Google root program. Or the Google root store I should say.
Jason SorokoJason SorokoGoogle root store. Exactly.
Tim CallanTim CallanI’m doing it again. Ran the Google root store. That is how completely enmeshed the two entities were. With Google providing the money and Firefox providing this open source development that it used to ultimately displace Internet Explorer.
Jason SorokoJason SorokoThat’s a perfect explanation, Tim. And I’ll tell you what, isn’t it funny, we keep talking about past podcasts and to me this is almost like a Part 2 of podcasts we did about the influence of Mozilla through time and - -
Tim CallanTim CallanIt is the perfect case study of that influence in action. And exactly right. And that is some of the reason that Mozilla has punched above its weight for so long in so many areas. And so, in the beginning, Google, it didn’t need a root program. It just used Mozilla’s root program. And is really what it did. Until the Semantic deprecation, the Mozilla root program, Google just followed it. That was the first time we saw that break.

And then, of course, Chrome came out and Chromium, the Chromium effort came out and in general, we saw Google seizing control of its own fate. And that’s a very Google-ish thing to do. Google likes to be in control of its own destiny and you can imagine in the long run that depending on somebody else’s browser just wasn’t gonna be acceptable to the company. And so, they wound up being dependent on their own browser and we can see that this is a trend. So, this is now a trend or an arc that has spanned years and years and years.

So, first they create Chrome and they create the Chromium project; they keep moving down this and somewhere along the line they become a public CA and then now somewhere along the line, bang, now we have our own root program. We are gonna have our own rules and our own guidelines and we are no longer gonna just kind of accept Mozilla as our defacto set of governance rules. Instead, we will have our own. And so, that’s this whole trend that you’ve seen and that’s why you are seeing this happen at such a late date in history which otherwise would just be a real head scratcher.
Jason SorokoJason SorokoThanks, Tim. Now I’d like to think forward a little bit. You know – impacts. I think where there probably will not be an impact from a practical standpoint is people might think, well, does this lower the profile of other root programs and I would say no. Because we have talked about this before. Anybody with even 2 to 5% of a market share has a sufficient amount of clout to be able to throw the weight around with a root program. Because no business – you’ve said it best in the past, Tim – no business is willing to accept, would you accept losing 5% of your business? Nobody is gonna say yes to that.
Tim CallanTim CallanNobody is gonna say, oh 98%, that’s plenty. That’s just not gonna happen. Agreed.
Jason SorokoJason SorokoBut on the other hand we do have things like Bugzilla and places where legacy Mozilla still has such an important place. I bet you that doesn’t change immediately or whatever but who knows. I think Google now with a root program formally might want to have their own ways of communicating to the industry and I don’t know, Tim. I mean you’re closer to it than I am. Maybe you have some insight for how influence may change.
Tim CallanTim CallanI think I see this in a lot of ways as Google wanting to fill in a little bit of white space on its own maturity as a program. I mean it is a funny thing. It is a bit of a head scratcher and in many ways, it was being a defacto program anyway. Google was very, very active in places like the CA/Browser Forum and MSDP and things like that. Very vocal about what it wants and very clear that CAs need to follow its world view and if you look at some of the major initiatives that have gone on, the SSL everywhere trend that we saw over recent years, that was all driven first by Google. Google started to say I’m gonna put roadblocks and warnings up for pages that don’t have SSL regardless of whether or not they have a log in or confidential information or etc. and they kind of drove this near universal adoption of SSL through that kind of activity.

We saw the deprecation of Semantic which is such a great example of that. So, Google definitely has thrown its weight around and even when we saw other people do it - - So, Mozilla has introduced some other deprecations in recent years. Apple has been very important in shortening certificate lifespans. Certainly from two years to one. But who is the driver for shortening from three years to two? It was Google. So, in that sense, we’ve seen Google already in many ways acting like a root program and a very important and powerful one. And so, it’s not surprising. In a sense, it’s almost a well, gee, wasn’t it there already kind of reaction from I think a lot of people. But, having their own program helps Google out in various ways. Like they can publish their own standards and requirements as opposed to right now they depend on the standards and requirements written by other people. Like literally they go back and reference what did Mozilla say? And they don’t want to do that. They want to craft their own copy. They want to change it. They want to have agility and the ability to make subtle and nuance changes and they can’t do that unless they own a requirement document that they publish, that they update, that is ultimately theirs.
Jason SorokoJason SorokoYep. Make sense. Tim, thank you so much for that. I think for a lot of us who saw that headline it was a head scratch and I think you’ve covered exactly the full context of that really well. I appreciate it.
So, that’s it. In some ways, it’s not that big of an announcement but it also kind of is. It’s both. So, we definitely want to make sure everybody knew about it. Thank you, Jason.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud