Hacker News | reddiric's comments

"If you are building products that intends to connect to a Google property moving forward you need to at a minimum include the above Root Certificates."

The foundation of a more secure web apparently requires you to trust Google with the entire internet, using their properties as leverage to force it to be so.


Is Google less trustworthy than Go Daddy? Or CNNIC? Or the Hong Kong Post Office? Yes the CA system is broken but framing that as an anti-Google argument seems silly.


Google isn't less trustworthy, but it is far closer to being a monopoly. I would like to bias towards a more decentralized infrastructure.

Especially since Google is US based.


I agree in principle, but currently every CA is a single point of failure for the entire Internet, so adding more CAs makes things worse rather than better. We need something like DNSSEC/DANE to enable actual decentralization (where the Hong Kong post office could only sign Hong Kong domain names and so on).


Why should the Hong Kong post office only be able to sign HK domain names? Are businesses in Hong Kong not allowed .com addresses?


I would like to see a single responsible CA for each domain (which are allowed to hierarchically delegate). Country-specific agencies should only be able to sign domains within their country, and .com addresses (which should be reserved for genuinely international sites, though that's a separate argument) should be handled by an international CA that can a) apply some consistent international standard for how domain owners are identified etc. and b) be specifically held accountable for dodgy .com certificates.


So... one CA for each domain, leaving no competition? And which unwanted domain will LetsEncrypt be left with, then?

Back in the real world, we have multiple CAs who have accountability for lots of overlapping domains. You can wish for some other non-existent situation, everyone else has to make the best of the situation as it stands.


> So... one CA for each domain, leaving no competition? And which unwanted domain will LetsEncrypt be left with, then?

Domains can compete with each other, particularly given the big opening up of TLDs. We could have actual competition between CAs at the end-user-facing level because it'd be visible to the user who the CA was (the CA and the registry ought to be merged - at the moment they're two parallel sets of infrastructure for doing the same thing), and if particular domains/CAs had poor-quality identity checking users might actually start to notice. As opposed to today, where the only one who knows which CA a domain might be using is the domain owner, and so the incentive largely is for the CA to do as little checking as possible.

> Back in the real world, we have multiple CAs who have accountability for lots of overlapping domains. You can wish for some other non-existent situation, everyone else has to make the best of the situation as it stands.

There's a migration path. Enable DNSSEC/DANE with all CAs authorized for all domains initially, then allow countries / TLD owners to start restricting who can sign certificates for their domains. If Hong Kong moved to requiring only Hong Kong Post Office to sign their domains, we could see how well or badly that model works - if it reduces phishing / spying then other countries will follow the same, if it stifles innovative internet businesses then they'll move away from that. But 150+ entities all having the power to own every site on the internet can't possibly be the right model.


What do you mean by 'monopoly'?

Do you simply mean used by the majority of the users?

So any sufficiently good product is a monopoly, assuming that their goodness is beyond the threshold to be favored by the majority of customers.

What do you want to say about Google's monopoly? Is Google going to hurt others and throttle effective competition? Was there any competition in the CA market at all?


Regardless of your personal opinion, the law and the historical record state otherwise.

To answer your later questions:

Too many essential services under one umbrella.

Not quite.

It's competition stifling.

Yes.

Yes.


In a decentralized model, how do you know who to trust? How do you get google's public key? How do you know that public key can be trusted?


FWIW, I think Google is less trustworthy than the HK Post Office.


Why?


I didn't make a claim if they were trustworthy. Google has leveraged their properties to force people to trust them with the rest of the internet, regardless of if you think they are trustworthy or not.


"Google has leveraged their properties to force people to trust them with the rest of the internet"

Google saw the dismal situation of Internet CAs, and forces the internet to move to a better situation. Forcing people to behave better is a good thing, IMHO. If you think the other way around, there will not be a common ground for discussion between you and me.


Google has had an intermediate CA for many years (GIAG2) so, if you don't trust Google, this doesn't make things any worse for you.


It's basically Google scratching their own itch and their PR people having to polish this stuff by inserting expressions like "more secure" and "moving forward".

It's disgusting but pretty much corporate life 101.


You may want to look into certificate transparency and who's supporting it.


That's a different issue, and doesn't address what I wrote.


Actually it does address your point about trust; CT severely limits the amount of trust we need to place in any single participating CA, including now Google.


I think it's related? Since certificate transparency is a way of watching what's going on with all certificate providers (or at least the ones that use it), an organization that thinks Google's root is up to no good has a way of checking.

It's after the fact, to be sure, but it matters for reputation.


Google has announced an effort to move all CAs to Certificate Transparency, here is a Threatpost piece on the topic - https://threatpost.com/google-to-make-certificate-transparen....

They will already log their public certificates to CT and this will continue given their push for CT.


"Trust Google Services"


I've noticed this just starting to happen to me much more aggressively in the last few days. Now the Gmail app will pop up that same modal box in your screenshot every time I make the Gmail app have focus (from the home screen or from the square-button-menu), and every time I open any email.

None of the Google apps respect me. The maps app makes me disagree to giving enhanced location tracking every time I turn on location. The music player has a big bar constantly at the top that says "Downloaded Only," which if I accidentally tap it turns off downloaded only mode and kicks me to the store. If I leave location on accidentally, the camera app will sometimes use location to guess where I took a picture and ask me to "share" that. I don't use Google search, but I can't remove the giant search bar from the main screen or the shortcut if I accidentally hold the menu button.

Those are the only Google apps I use, and they all disrespect me. I only use a bit of Google but it's exhausting to even use just that bit.


Maps and location services are especially annoying. For example, try to disable "Wifi scanning even when Wifi is off". Now every time you open Gmaps, it will nag you. Every single time. Even though it works perfectly fine without it.


Yes, just gave Google Maps as an example but I'm experiencing the same with Gmail and others. It's starting to become very annoying.

My biggest concern is, even if I trust Google Services to have access to all of those requested permissions (consequently allowing the designated app Gmail, Maps, etc to access them) will these resources (permissions granted) be available to any app using Google Services?


Comcast (a BB sponsor) is holding a contest in which you design your own virtual apartment in "Comcast Town." They invited Boing Boing to judge but, even more fun, they asked us to suggest some Boing Boing furniture that people could use to decorate their pads! Above is the living room I designed. (I'm obviously not eligible to win. Sniff, sniff.) Notice the steampunk computer, carnivorous plant, and Flying Spaghetti Monster statue. I think the illustrator did a terrific job. In fact, I wish it was my real living room! The grand prize winning design gets a real-world room remodel, 40-inch HDTV, a new laptop, and a digital phone. I'm just helping select the ten finalists -- then it's up to The People.

http://boingboing.net/2009/04/23/boing-boing-apartmen.html


4. Also missed two other Starbucks in University Village, including one of the busiest in the world.



Strings know their length in the CLR because they are represented as BSTRs

http://blogs.msdn.com/b/ericlippert/archive/2011/07/19/strin...

This lets them interoperate with OLE Automation.


Thanks Louis :) I've put so many hours on NGG it's ridiculous. Childhood and current favorite, great full-package game at its best. Set it at a steep pitch with no outlane post and Fire Down Middle on. Full throttle, ignore the wall!


Awesome!

About that last line. It actually has a double meaning. I don't think Pat has ever discussed it.

First one was that Pat is a big NASCAR fan (we were trying to get that license even back in the Williams days). So that's an obvious one. Pedal down and turn left!

The second one was a dig at Williams management. Pat had tried to reason with them to not overproduce games and/or stuff them down the throats of distributors. Forcing weak games on customers and stuffing the pipe was bad for business and things had already taken a serious turn for the worse business-wise (and we were still a full 2 years before shutdown).

IIRC, the conversation with management was "if you don't slow down we're gonna hit the wall" and the reply was "f* it, full throttle!" This is why Pat hid that text in the back loop where nobody would really see it.


They are fascinating :)

Also, flipper EOS switches are leaf switches, not microswitches.

Through the early 90s the flipper button switches were also leaf switches. In the early 90s some time after the introduction of the Fliptronics system by Williams/Bally, they switched to using a plastic opto-interrupter and U-shaped opto(s) rather than a leaf switch.

Games with upper flippers often used ganged leaf switches and later dual optos to allow independent "staged" control of lower and upper flippers on the same side of the machine. That allows you to press the flipper button in half way to engage only the lower flipper, and then all the way to also engage the upper flipper(s).


I think of a time slicer as an RTOS - a simple one :)


And Visual Studio.

