<div dir="ltr"><div>Clarification, Google Chrome has its own root CA revocation/CRL program. It does still rely on the operating system root CA trust store. <br></div><div><br></div><div>Using a typical intranet/RFC1918 IP space environment as an example, as you might see in any $BIGCORP, if you install your own choice of root CA in the Windows 10 root CA trust store, Chrome's TLS1.2/TLS1.3 access to internal resources that are https only will work flawlessly without any security warnings. Very normal configuration these days. Used for things like DLP in banking/corporate environments or places where the gateway between internal IP space and the public world has a firewall in place with MITM ability for all TLS traffic. <br></div><div><br></div><div>On any windows 10 system with local admin privileges you can manually find this by opening MMC, go to add/remove snap-ins, select the certificates (local computer) snap-in, left side menu browse to trusted root certificates. <br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 11 Mar 2022 at 10:48, Mu <<a href="mailto:mu@zuqq.me">mu@zuqq.me</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-family:arial;font-size:14px">><span></span><span>Mozilla is the only browser vendor these days that
maintains its own independent root CA storage for the browser. Chrome,
Chromium, Safari, Edge, IE etc all use whatever root CAs are trusted by
the operating system. If they can get Windows 10 client PCs pushed to
retail with an image that includes their CA...</span><br></div><div style="font-family:arial;font-size:14px"><br></div><div style="font-family:arial;font-size:14px">Google Chrome has it's own root program, and all vendors have been reliant on Mozilla's setup for some time. They don't just blindly trust the OS.</div><br><div style="font-family:arial;font-size:14px"><br></div><div>
------- Original Message -------<br>
On Friday, March 11th, 2022 at 1:34 PM, Eric Kuhnke <<a href="mailto:eric.kuhnke@gmail.com" target="_blank">eric.kuhnke@gmail.com</a>> wrote:<br><br>
<blockquote type="cite">
<div dir="ltr"><div>Considering that 99% of non-technical end users of windows, macos, android, ios client devices <i>have no idea what a root CA is,</i> if an authoritarian regime can mandate the installation of a government-run root CA in the operating system CA trust store of all new devices sold at retail, as equipment is discarded/upgraded/replaced incrementally over a period of years, they could eventually have the capability of MITM of a significant portion of traffic. <br></div><div><br></div><div>Presumably with Apple ending shipment of new MacOS devices to Russia and retail sales of new devices, this wouldn't be so much of an issue with MacOS. The process of re-imaging a modified MacOS install .DMG onto a "blank" macbook air or similar with a new root CA included would be non trivial, and hopefully might be impossible due to crypto signature required for a legit MacOS bootable install image. <br></div><div><br></div><div>Mozilla is the only browser vendor these days that maintains its own independen root CA storage for the browser. Chrome, Chromium, Safari, Edge, IE etc all use whatever root CAs are trusted by the operating system. If they can get Windows 10 client PCs pushed to retail with an image that includes their CA...</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Thu, 10 Mar 2022 at 18:27, Dario Ciccarone (dciccaro) via NANOG <<a href="mailto:nanog@nanog.org" rel="noreferrer nofollow noopener" target="_blank">nanog@nanog.org</a>> wrote:<br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">I think the point Eric was trying to make is that while, indeed, the initial, stated goal might be to be able to issue certificates to replace those expired or expiring, there's just a jump/skip/hop to force installation of this root CA certificate in all browsers, or for Russia to block downloads of Firefox/Chrome from outside the Federation, and instead distribute versions which would already include this CA's certificate. And then MITM the whole population without their knowledge or approval.<br>
<br>
GIVEN: savvy users might know how to delete the certificate, or others may teach them how, and how to download other CA's certificates (if the government was to ship only this certificate with the browser). Cat and mouse game. The North Korean and Chinese governments have been doing these kind of shenanigans for a long time - I am sure Russia could copy their model. And considering the tight media control they’re already exercising, I don't think it is crazy or paranoid to think Internet will be next. They seem to be already going down that path.<br>
<br>
PS: opinions and statements, like the above, are my very own personal take or opinion. Nothing I say should be interpreted to be my employer's position, nor be supported by my employer. <br>
<br>
On 3/10/22, 7:38 PM, "NANOG on behalf of Sean Donelan" <nanog-bounces+dciccaro=<a href="mailto:cisco.com@nanog.org" rel="noreferrer nofollow noopener" target="_blank">cisco.com@nanog.org</a> on behalf of <a href="mailto:sean@donelan.com" rel="noreferrer nofollow noopener" target="_blank">sean@donelan.com</a>> wrote:<br>
<br>
On Thu, 10 Mar 2022, Eric Kuhnke wrote:<br>
> I think we'll see a lot more of this from authoritarian regimes in the<br>
> future. For anyone unfamiliar with their existing distributed DPI<br>
> architecture, google "Russia SORM".<br>
<br>
Many nation's have a government CA.<br>
<br>
The United States Government has its Federal Public Key Infrastructure, <br>
and Federal Bridge CA.<br>
<br>
<a rel="noreferrer nofollow noopener" href="https://playbooks.idmanagement.gov/fpki/ca/" target="_blank">https://playbooks.idmanagement.gov/fpki/ca/</a><br>
<br>
If you use DOD CAC ID's or FCEB PIV cards or other federal programs, your <br>
computer needs to have the FPKI CA's. You don't need the FPKI CA's for <br>
other purposes.<br>
<br>
Some countries CA's issue for citizen and business certificates.<br>
<br>
<br>
While X509 allows you to specify different CA's for different purposes, <br>
since the days of Netscape, browsers trust hundreds of root or bridged CA <br>
in its trust repository for anything.<br>
<br>
Neither commercial or government CA's are inherently more (or less) <br>
trustworthy. There have been trouble with CA's of all types.<br>
<br>
A X509 certificate is a big integer number, in a fancy wrapper. Its not a <br>
magical object.<br>
<br>
</blockquote></div>
</blockquote><br>
</div></blockquote></div>