Hacker News new | past | comments | ask | show | jobs | submit login

Who decides who gets to be a CA for SSL certs? Similar process. Somehow my browser doesn't recognize a CA that would allow any random person to pretend to be Facebook.



The web browser authors/distributors decide what root CAs will be included in their browsers. So in this case concerning Chrome, Google decides.

Which means Google is still in charge, ultimately.

Which means that this digital signature scheme hasn't actually accomplished anything.


Google controls the entire browser, meaning they are in absolute control, ultimately. They could inject code into your banking web sites, they could block all the porn, whatever they want.

The idea isn't that the certificates would wrest control away from Google, it's that they wouldn't be able to use "omg the malwares" as a shield for their intentions. If there's a root CA that's handing out certs for malware extensions then sure, pull the plug, but if the root CA is handing out certs for ad blockers and Google pulls the plug then it'll be plain as day what they're doing.

Heck, all the browsers nowadays use extensions of some sort, maybe they could form a consortium for extension certifications so no one company would be in complete control. You could bet Mozilla would keep that sort of behavior in check, at least.


> If there's a root CA that's handing out certs for malware extensions then sure, pull the plug, but if the root CA is handing out certs for ad blockers and Google pulls the plug then it'll be plain as day what they're doing.

Pulling a root CA is no more public than blocking an extension from the Chrome Web Store. In both cases it is clear that Google has taken the action, and whoever has gotten blocked can protest it publicly (just like people do now for Apple App Store rejections). The Chrome Web Store doesn't give Google any kind of "cover" or "shield."

Additionally, revoking an entire root CA that was letting malware through (intentionally or unintentionally) would be far more intrusive than pulling a single extension from the Web Store, because every extension that the CA had approved would be affected, even if they were not malware.

What annoys me about this entire thread is that the OP (which was voted to the top of the story's comments) presumes that you can sprinkle some crypto fairy dust and get just as much security against malware without having to give up any control. And it goes so far as to assume bad intentions on Google's part for not doing it. But it's not that easy; crypto isn't a magic wand that lets you have your cake and eat it too.

> (OP:) if security is all they cared about, a signed certificate is all that's necessary.

Um no. It's not that simple.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: