Google moves into the Certificate Authority business

Google doesn't seem to trust the current system, as it has launched its own security certificates

Google moves into root Certificate Authority business
Credit: Yuri Samoilov

Google has launched its own root Certificate Authority (CA), which will allow the company to issue digital certificates for its own products and not have to depend on third-party CAs in its quest to implement HTTPS across everything Google.

Thus far, Google has been operating as its own subordinate CA (GIAG2) with security certificates issued by a third party. The company will continue the third-party relationship even while rolling out HTTPS across its products and services using its own root CA, said Ryan Hurst, a manager in Google's Security and Privacy Engineering group. Google Trust Services will operate the root CA for Google and its parent company, Alphabet.

It was only a matter of time, as the internet giant is likely tired of various authorities mistakenly issuing incorrect/invalid Google certificates. GlobalSign had a problem revoking certificates last fall that affected the availability of several web properties, and major browser makers led by Mozilla decided to revoke trust in WoSign/StartComm certificates for violations of industry practices. Symantec has been called out for repeatedly generating certificates it is not authorized to, then accidentally leaking them outside the company's test environment. Now, Google is able to issue verifiable Google certificates, freeing the company from the legacy certificate authority system.

To kick off the move to an independent infrastructure, Google purchased two Root Certificate Authorities, GlobalSign R2 (GS Root R2) and R4 (GS Root R4). It takes a while to embed root certificates into products and for the associated versions to be broadly deployed, so buying existing root CAs helps Google begin independently issuing certificates sooner, Hurst said.

Google Trust Services will operate six root certificates: GTS Root R1, GTS Root R2, GTS Root 3, GTS Root 4, GS Root R2, and GS Root R4. All GTS roots expire in 2036, while GS Root R2 expires in 2021 and GS Root R4 in 2038. Google will also be able to cross-sign its CAs, using GS Root R3 and GeoTrust, to ease potential timing issues while setting up the root CAs.

"Google maintains a sample PEM file at (https://pki.goog/roots.pem) which is periodically updated to include the Google Trust Services owned and operated roots as well as other roots that may be necessary now, or in the future to communicate with and use Google Products and Services," Hurst said.

Developers working on code designed to connect to Google web services or products should plan to include "at a minimum" the root certificates operated by Google as being trusted, but try to keep a "wide set of trustworthy roots," which include, but are not limited, to those offered through Google Trust Services, Hurst said.

When it comes to working with certificates and TLS, there are certain best practices all developers should be following, such as strict transport security (HSTS), certificate pinning, using modern encryption cipher suites, secure cooking, and avoiding mixing insecure content.

There's no reason why Google can't manage its own root CA, as it has the expertise, maturity, and resources to operate a top-level authority. Google is no stranger to the requirements of a trusted CA, having issued TLS certificates for Google domains over the years, and the company has been very involved in the CA/Browser Forum promoting the "highest level of security for the internet," said Doug Beattie, a vice president at the certificate authority GlobalSign. Google is "well educated in what it means to be a CA," he said.

Google also launched Certificate Transparency, a public register of trusted certificates that can be audited and monitored. While CT originally let Google keep an eye on whether anyone was issuing fraudulent Google certificates, this also means anyone can keep an eye on what kind of certificates Google is issuing. Transparency goes both ways.

That said, Google is becoming a root CA so that it can officially state which services and products are Google. Becoming root CA doesn't mean Google will issue certificates to non-Google parties. If it does, then it's worth going back to discuss whether Google is taking advantage of its massive control over internet infrastructure unfairly. Until then, all Google is doing is saying it is Google.