As a point of clarification, lest anyone think you are actually being serious...
The threat being addressed here is the proliferation of VPNs that also install a local trusted root[1], rogue roots being installed at border crossings[2], and entire countries mandating a MitM root to egress traffic[3].
I do believe they could have done a lot more to improve the developer experience, but this does address a legitimate security concern for millions of users.
What gives me pause is that above examples are state actors. With no deep knowledge of the field, I don't know how much android Chrome can ever do to mitigate a sovereign state policy, especially as phone systems all have some local specificities introduced either through the carrier's software, or some straight exception to follow the country's regulation/culture.
[Edit: User introduced VPNs are another issue, but it then falls down on stopping a user from meddling with their phone, which is also tricky in my opinion]
This kind of stuff was already happening at so many level. Before https everywhere I was seeing a phone carrier auto-proxying requests and injecting additional ads on the way back. I can’t imagine they just gave up on the revenue stream when pages switched to https.
These are legitimate concerns, but this is like beheading to treat a headache. Technically it works.
I'd suggest to add a notification dialog when a root cert is added, and a good, clear UI to manage the certs: when added, by what app, disable, remove, etc.
As a point of clarification, lest someone take you seriously, clear warnings are what is needed. And smart users. Instead of raising awareness, google et al have been trying to hide https, parts of url, so that they can maintain control.
As someone who runs their own cloud top to bottom with custom CAs, adding a trusted root CA is a pain. Removing the ability for me to run ym CA takes away control of my own device from me and puts it in the hand of the big companies.
You should hard reset your phone when crossing boundaries. You would do the same if somone borrwed your clothes.
Would you lend some one your clothes with your passport and wallet in it? Then why is a phone any different.
It sounds like you are the type of person that should just be rolling their own browser anyway.
Like I said, there are a lot of things they could have done better here. But the threat is real and its not some tinfoil conspiracy by "big tech." It is our job as technologists to first and foremost do what we can to protect the 99.999% of users who do not run their own CA.
Running your own CA is a pretty common thing for companies to do, to manage internal SSL certificates. And telling systems to trust it IS a pain. Even on Desktop you can't just drop a file in a folder, because chrome and firefox don't trust the system CAs, so you have to configure those separately, and possibly other applications as well.
I don't think it is some big conspiracy, but it isn't a good situation.
I think there are other, more effective, mitigations in place against the threats you are describing. First, there's no automated way to install CAs on Android. Users must do this step manually (the articles you linked are about Windows). Second, if you have installed a user-added CA, you get a prominent and permanent notification – non-dismissable, reappears after reboot – that your network traffic may be monitored. All this stops the "secretly-added CA" threat.
Finally, the current implementation is not effective at protecting against country-level MITM. Attempts at country-level MITM have been thwarted by browser updates to blacklist the respective CA certs, the same can be done on Android.
I agree those are legitimate threats that need to be addressed, but there are better ways to do so, which don't come with the convenient side effect of killing privacy research.
I don't think the purpose of CT is to protect against anything on your local computer. It's to protect against CAs getting hacked or coerced by governments into issuing malicious certs.
CT's design really doesn't make sense if the goal is to protect against local malware. Why would it need public legers of Merkle trees containing every issued certificate if it was just to protect against local malware?
Anyways, local malware isn't in Chrome's threat model:
The purpose of CT is so that shenanigans have to be done out in the public view where they can be more easily detected. Depending on the logs you are using, an attacker may not be able to submit a self-signed certificate (I haven't looked at which logs Chrome is using these days).
Regardless of the documentation, Chrome does roll out changes to protect against local threats. I think they just don't want to be on the hook to address every local threat. Happy to give examples in private if you want to email me.
Wow your first link is very alarming. I was curious about this passage from that link however:
>"The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device."
I understand how they could decrypt any communication between the VPN client and the VPN server but if I was already encrypting my data using a browser that wouldn't give them anything more than encrypted traffic. I do understand the overall threat of these companies installing a Root CA but is that particular passage a little disingenuous or am I missing something much more obvious?
> but if I was already encrypting my data using a browser
Encrypting against whose keys? The website you are visiting? The malicious VPN company?
The entire point of user-added root CAs is that they can place themselves between you and whoever you're communicating with and intercept/modify it all. And you're unlikely to be warned about it at all.
Encrypting with the public key of the site I'm visiting, example - google.com. A VPN provider that installed a Root CA without my knowing still wouldn't be able to read the traffic being encrypted with Google's public key. They could see the SNI and see I am visiting Google that's understood. Perhaps that's what the author meant in the passage I quoted above.
And how do you know you're actually encrypting against google.com's public key, and not somebody else's key?
A VPN provider is in the perfect position to MITM all of your traffic, swapping out any site's public keys with their own in real time. If your VPN app has installed an alternative Root CA on your device, you'll get no warning that this has happened.
My understanding was that for Chrome that the CA had to be in the Chrome root store. And that this is what is used over the OS level root store where the VPN providers would be installing theirs. Doesn't Mozilla also ship with its own preferred root store as well?
"If you’re an enterprise managing trusted CAs for your organization, including locally installed enterprise CAs, the policies described in this document do not apply to your CA. No changes are currently planned for how enterprise administrators manage those CAs within Chrome. CAs that have been installed by the device owner or administrator into the operating system trust store are expected to continue to work as they do today."
In other words, locally installed certificates are normally treated as trusted by Chrome.
Thanks. I completely misunderstood that. That makes total sense for an enterprise use case too otherwise it would probably be non-starter for many corporate IT departments.
Just like a normal root CA. Who should i trust better ? Microsoft ? Google ? Facebook ? Nederland's root CA or Ghana's root CA ?
I'm really sure Google only collects data to make better products for _me_.
The point is to use the injected root CA cert for TLS handshakes, then use the VPN to make sure that all traffic goes through a node that can mitm the TLS connections (and I guess they just get the unencrypted traffic for free).
The threat being addressed here is the proliferation of VPNs that also install a local trusted root[1], rogue roots being installed at border crossings[2], and entire countries mandating a MitM root to egress traffic[3].
I do believe they could have done a lot more to improve the developer experience, but this does address a legitimate security concern for millions of users.
1. https://www.techradar.com/news/new-research-reveals-surfshar...
2. https://www.vice.com/en/article/neayxd/anti-virus-companies-...
3. https://www.eff.org/deeplinks/2022/03/you-should-not-trust-r...