Google has launched its own root Certificate Authority (CA), which will allow the company to issue digital certificates for its own products and not have to depend on third-party CAs in its quest to implement HTTPS across everything Google.

Thus far, Google has operated as its own subordinate CA (GIAG2), with its certificates issued by a third party. The company will continue that third-party relationship even while rolling out HTTPS across its products and services under its own root CA, said Ryan Hurst, a manager in Google’s Security and Privacy Engineering group. Google Trust Services will operate the root CA for Google and its parent company, Alphabet.

It was only a matter of time, as the internet giant has likely tired of various authorities mistakenly issuing incorrect or invalid certificates for Google domains. GlobalSign had a problem revoking certificates last fall that affected the availability of several web properties, and major browser makers led by Mozilla decided to revoke trust in WoSign/StartCom certificates for violations of industry practices. Symantec has been called out for repeatedly issuing certificates it was not authorized to issue, then accidentally leaking them outside the company’s test environment. Now Google can issue verifiable certificates for its own domains, freeing the company from the legacy certificate authority system.

To kick off the move to an independent infrastructure, Google purchased two Root Certificate Authorities, GlobalSign R2 (GS Root R2) and R4 (GS Root R4). It takes a while to embed root certificates into products and for the associated versions to be broadly deployed, so buying existing root CAs helps Google begin independently issuing certificates sooner, Hurst said.

) which is periodically updated to include the Google Trust Services owned and operated roots as well as other roots that may be necessary now or in the future to communicate with and use Google Products and Services,” Hurst said.

Developers working on code designed to connect to Google web services or products should plan to include “at a minimum” the root certificates operated by Google as trusted, but should try to keep a “wide set of trustworthy roots,” which include, but are not limited to, those offered through Google Trust Services, Hurst said.

When it comes to working with certificates and TLS, there are best practices every developer should follow, such as HTTP Strict Transport Security (HSTS), certificate pinning, modern cipher suites, secure cookie attributes, and avoiding mixed content (insecure resources loaded on HTTPS pages).
