Monday, March 11, 2019

Google's SSL certificate stance

This is just a quick post to point out some inconsistent logic from Google as it becomes ever more powerful over the lives of people and businesses across the world.  And yes, we understand the irony as we post this using Google's blogging site.

Google is keen on ensuring all web sites use SSL/TLS (sites starting with the "https://" prefix) encryption, even when the content of a web site is not sensitive.  Google's search product gives "rank" preference to web sites using HTTPS, even though HTTPS has nothing to say about the trustworthiness of those site owners or their content.  While HTTPS does increase network security a tiny bit, Google also operates its own Public Key Infrastructure (PKI) Certificate Authority (CA) which it uses to sign all of its SSL certificates.

Why is that a problem?  It's not.

But it is inconsistent and hypocritical in Google's imposition of ever more control over all web sites and ever more tracking of the actions of billions of people.  Of course, Google's tracking software works just fine over HTTPS, ensuring no network monitoring can access or alter any of Google's omnipresent tracking communications.

The problem is its Chrome browser disparages web sites using self-signed certificates.  Yet the reality is that all Google properties (google.com, blogger.com, youtube.com...) are effectively using self-signed certificates.

For many entities, of course, SSL certificates are expensive, need constant renewals, and are "approved" by self-proclaimed "Certificate Authorities" that really know nothing about you or the web sites to suggest any actual trust is involved.  CAs don't offer any assurances about any of the web sites they approve, after being paid their fee of course.  This is the reason why PKI in general has failed to be adopted much outside of its use for HTTPS-enabled web sites.

Secure communications is great and necessary, but there's no actual trust granted to a web site by purchasing a CA-approved certificate.  There is really little evidence theses CAs provide useful services, or that any people actually have any trust whatsoever in those CAs pre-approved in web browsers.  That pre-approved "trust" is actually just between the browser vendor and those CAs who have paid the browser vendors to be so pre-approved, not between any of the actual human beings who use the browser and any of those so-called CAs or the web sites they subsequently say you can trust.  Yet Google still maintains that self-signed certificates are untrustworthy and will instill fear in users that the security is no good.

Of course, the security of the SSL connection (actually, more likely TLS 1.2 or better if you want reasonably good security) is identically strong regardless of how much money is given to CAs.

This is the sort of anti-trust activity of overly powerful and expansive corporations that needs to be tamed. 

Google started off with search and "Don't be evil," then over the years it created its own browser and its own mobile platform, then created its own SSL CA where it pre-trusts itself for you, then modified its search results to give preference to CA-approved web sites without regard to the actual trust of those web sites or CAs, all while suggesting a self-signed certificate is not secure and you should alarmed at finding one. 

All except for Google signing its own web site certificates.