undefined | Better HN

0 pointsRobotToaster1mo ago0 comments

Isn't LE used for half the web at this point?

Calling Google's bluff and seeing if they would willingly cut their users off from half the web seems like an option here.

0 comments

bawolff1mo ago

That's not how this would work.

Based on previous history where people actually did call google's bluff to their regret, what happens is that google trusts all current certificates and just stops trusting new certs as they are issued.

Google has dragged PKI security into the 21st century kicking and screaming. Their reforms are the reason why PKI security is not a joke anymore. They are definitely not afraid to call CA companies bluff. They will win.

xg151mo ago

How is "client certificates forbidden" in any way an improvement?

bawolff1mo ago

As a general rule in cryptography, a lot of vulnerabilities relate confusing the system by using a correct thing in the wrong context. Making it a rule that you have to use separate chains for separate purposes is a good rule from a general design standpoint.

3 more replies

Avamander1mo ago

Not forbidden, just not going to be a part of WebPKI.

It's one of those things that has just piggybacked on top of WebPKI and things just piggybacking is a bad idea. There have been multiple cases in the past where this has caused a lot of pain for making meaningful improvements (some of those have been mentioned elsewhere in this thread).

2 more replies

ralferoo1mo ago

Google didn't drag anyone anywhere without LE though.

Sure, they supported the nascent HTTPS very early on, but most of the web thought that certificates were "too expensive for the likes of us", and so only really banks and the like actually adopted HTTPS. Most of the internet was still HTTP only for years after HTTPS was available.

Only when LE came along and started offering free certificates and facilitated a massive uptake in HTTPS websites were Google ever in a position to default to marking HTTP as "insecure and dangerous".

I've got no figures, but I suspect that if LE were to kick their heels in, that Google wouldn't dare risk half the internet not working using their browser. I'm sure that would be some people who didn't want to be collateral damage if there was a standoff and would switch to a CA that complied with Google's will, but I suspect most people would be happy to see Google challenged on this. And end users would hopefully discover that every other browser still worked, just Chrome had broken, and Chrome would quite rapidly fall out of favour.

bawolff1mo ago

While google did do a lot of work on making https by default be a thing, that is only a small part of what im refering to. Google did huge amount of work to make https high quality, so that sites using it were actually secure. They increased standards for CAs significantly, took a much tougher line on CAs who violated the rules, pushed certificate transparency hard (which is probably one of the most important developments for security of TLS ecosystem). Chrome was the first browser to support HSTS which is very important for https to work in practise. Google maintains the hsts preload list.

Google didn't just make TLS popular, they made it secure.

grayhatter1mo ago

Dragging PKI into the 21st Century! Just like they dragged manifest v3 into the 21st century!

It's for your own good dontchaknow!

account421mo ago

It's how it should work but the supposed CA browser "forum" has become a browser dictatorship. While there have been issues where CAs were dragging their feet, just letting Google dictate whatever they want is not the solution.

RobotToasterOP1mo ago

>what happens is that google trusts all current certificates and just stops trusting new certs as they are issued.

Given that LE renews certs every few weeks that wouldn't take long

j / k navigate · click thread line to collapse