Google launched its own root certificate authority to build the "foundation of a more secure web," but experts...
say this move presents unanswered questions about Google's plans and possible conflicts of interest.
Google established Google Trust Services, LLC as its root certificate authority in order "to enable reliable and secure identity authentication, and to facilitate the preservation of confidentiality and integrity of data in electronic transactions."
According to Ryan Hurst, security and privacy engineering at Google, the main reason for this move was to make deploying root certificates faster.
"For this reason we have also purchased two existing Root Certificate Authorities, GlobalSign R2 and R4. These Root Certificates will enable us to begin independent certificate issuance sooner rather than later," Hurst wrote in a blog post. "We intend to continue the operation of our existing GIAG2 subordinate Certificate Authority. This change will enable us to begin the process of migrating to our new, independent infrastructure."
Google has long been a proponent of accountability when it comes to root certificate authorities (CA) with its Certificate Transparency service to log all certificates. However, Google has left questions when it comes to running its own root CA.
For example, the blog post makes it sound as though Google's Root CA will primarily be issuing certificates for other Google and Alphabet products, but Hurst explained a bigger aim in a post to Bugzilla@Mozilla to secure inclusion of Google-issued certificates in the Firefox browser.
"Google Trust Services is run by Google. Google is a commercial CA that will provide certificates to customers from around the world. We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing," Hurst wrote. "Customers of the Google [public key infrastructure] are the general public. We will not require that customers have a domain registration with Google, use domain suffixes where Google is the registrant, or have other services from Google."
Paul Vixie, CEO of Farsight Security Inc. in San Mateo, Calif., and architect of domain name system (DNS) protocol extensions and applications, said this could be another point of control for Google.
"Google builds their own networking equipment and owns their own dark fiber. It makes business sense to control your own supply chain when you can afford it, especially if an external dependency puts you at risk," Vixie told SearchSecurity. "But I suspect they are going to mint many orders of magnitude of certs in the future than they've done so far, and that their intermediate CA status put them at volume-based pricing or discount risk."
Kevin Bocek, vice president of of security strategy and threat intelligence at Venafi, agreed with this sentiment.
"By becoming a root certificate authority, Google is eliminating dependencies on others and is in total control," Bocek told SearchSecurity, warning that, "Maintaining agility to move between CAs and remain in control is a critical requirement. Automating the secure lifecycle of keys and certificates to retain this control has to be at the top of the priority list for CISOs and their teams."
Both Bocek and Vixie said Google would need to put in place policies to ensure any certificates issued by Google for Google products being included in the Chrome browser follow CA/Browser Forum's Baseline Requirements.
Bocek said Google certificates would need to be audited by a third party.
"As we've seen with Symantec, GlobalSign, GoDaddy and many more, CAs can make errors, are victims of fraud, and can be hacked. Google will be no different, and will need to make sure they are transparent and audited by a third party," Bocek said. "This serves as a reminder to businesses that certificates are probably the most important element of cybersecurity, but often overlooked."
Vixie said Google could outsource audits to another firm, but could potentially get by simply with a certain level of transparency.
"They might decide that for pki.goog, they will make all of their auditing information public, and then hire a big-four firm to certify that it's what they really do," Vixie said. "They can afford to do this and be best-of-breed as a CA and put competitive pressure on other CA's. Since their success depends on the rest of the internet being as secure as possible, this qualifies as the kind of investment that improves their general business conditions."
Google did not respond to requests for comment at the time of this publication.
Learn more about Google's efforts with HTTPS and Certificate Transparency.