Google Cracks Down On Web Security With Own Own Root Certificate Authority

Roland Moore-Colyer,
virtual machine network security browser web map © Sergey Nivens Shutterstock

Google takes another step towards driving the adoption of HTTPS

Google is further clamping down on web security by opening its own Root Certificate Authority, designed to authenticate the identity of websites and handle the SSL/TLS certificate requirements of Google products.

For some time Google has been operating its own subordinate Certificate Authority (GIAG2). But, in a bid to push the adoption of the more secure HTTPS protocol over the older HTTP, Google is expanding its efforts to boost web security with the new Root Certificate Authority, which will be handled by its new Google Trust Services division.

Rooting out insecure websites

Root Certificates“As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority,” said Ryan Hurst from Google’s security and privacy engineering division.

“The process of embedding Root Certificates into products and waiting for the associated versions of those products to be broadly deployed can take time. For this reason we have also purchased two existing Root Certificate Authorities, GlobalSign R2 and R4. These Root Certificates will enable us to begin independent certificate issuance sooner rather than later.”

For users of Google’s services and its Chrome browser, the implementation of the new certificates will not cause much disruption. But to web and software developers, the move presents a need to work to meet the standards of Google’s certificates, which could slow the speed at which they can produce new products and updates.

Google appears to be on a push to take a no-holds-barred approach to web security having announced it will block JavaScript file attachments in Gmail, and essentially shame websites using the insecure HTTP web protocol.

Others are following suite, including Mozilla with its Firefox 51 browser which will highlight HTTP websites in order to warn its users of the cyber security risks they may face when visiting such sites.

Are you a security pro? Try our quiz!