Google to Operate Its Own Root Certificate Authority for a More Secure Web
HTTPS is the foundation of a more secure web, Ryan Hurst from Google's Security and Privacy Engineering wrote in a blog post today. To support its work to implement HTTPS across all of its products, Google has been operating its own subordinate Certificate Authority (GIAG2), issued by a third party.
Google announced that the company will now be operating its own Root Certificate Authority to further support the implementation of HTTPS across all of its products.
The company has also established Google Trust Services to operate these Certificate Authorities on behalf of Google and Alphabet. GTS will be responsible for authenticating the identity of websites to ensure rapid handling of SSL/TLS certificate needs of its products.
"It is clear HTTPS will continue to be a foundational technology," the announcement read. "This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority." Google has bought two existing Root Certificate Authorities, GlobalSign R2 and R4, to be able to immediately begin independent certificate issuance.
Today's announcement is another confirmation that the company is taking a keen interest in the security structure that is used to verify a website's identity. However, some are already talking about putting all eggs in one basket. "I have no love for most of the major CAs I've interacted with, but this feels wrong, though I can't quite pinpoint why," algesten wrote on Hacker News. "Perhaps just a general feeling that all the internet eggs are being put, one by one, in one single alphabet basket."
"You can now have a website secured by a certificate issued by a Google CA, hosted on Google web infrastructure, with a domain registered using Google Domains, resolved using Google Public DNS, going over Google Fiber, in Google Chrome on a Google Chromebook. Google has officially vertically integrated the Internet," another user quipped.
While this doesn't mean any changes for end users, developers who are building products that interact with Google services will have to include the new Root Certificates. The announcement is shared below for more information.
In support of our work to implement HTTPS across all of our products (https://www.google.com/transparencyreport/https/) we have been operating our own subordinate Certificate Authority (GIAG2), issued by a third-party. This has been a key element enabling us to more rapidly handle the SSL/TLS certificate needs of Google products.
As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority. To this end, we have established Google Trust Services (https://pki.goog/), the entity we will rely on to operate these Certificate Authorities on behalf of Google and Alphabet.
The process of embedding Root Certificates into products and waiting for the associated versions of those products to be broadly deployed can take time. For this reason we have also purchased two existing Root Certificate Authorities, GlobalSign R2 and R4. These Root Certificates will enable us to begin independent certificate issuance sooner rather than later.
We intend to continue the operation of our existing GIAG2 subordinate Certificate Authority. This change will enable us to begin the process of migrating to our new, independent infrastructure.