You trust the hardware vendor, the OS vendor and the browser vendor - and you trust the CA. Google already had two out of four in many cases. You're not safe from the OS vendor by using a different browser, or CA.
I'd also note that, in the wake of recent fiascos like StartCom/WoSign, Symantec, and Trustico, browser manufacturers are going to be extremely wary of new CAs -- and especially of ones operated by companies with no history in security.
They're already breaking the chain of trust. One of the EU's TSPs was distrusted by Mozilla after a long history of misissuance and BR violations. This isn't hypothetical; the EU is mandating the inclusion of insecure CAs.
It wouldn't just be the browsers removing the CA. There would be a strong incentive for websites to switch as well, particularly foreign ones, so you'd find a mass exodus anyway, even without browser support.
Browsers don't have to turn a root CA off all at once, either. They could start by turning off Extended Validation for the compromised CA, or they could release a statement saying that if they don't get guarantees this won't happen again, they'll remove the CA in a year's time. They could allow connections, but change the SSL icon to indicate the certificate has been compromised. Browsers have a lot of options to put pressure on root CAs, even without removing the cert.
We seem better off having the browser vendors bring the hammer down on CAs that are issuing bad certificates. Regular people don't know enough to make valid decisions about which CAs to trust, and I don't think they should have to know either.
The bottom line is that you can no longer trust that green lock icon in your browser’s address bar. And that’s a scary, scary thing.
What's even scarier? Not being able to inspect the traffic your own machine sends or receives because the powers that be have decided that, due to Superfish and all this other unwanted MITM'ing software, to "improve security", certificate stores will be locked down so well that only the "trusted authorities" (i.e., they) can modify them.
As long as users (and by extension, the software they run) can modify the certificate store this "problem" will exist, but as this article shows, it's not hard to add and remove certificates, and thus effectively "choose who you trust". The alternative, to have no choice in who you trust, is far worse. I just hope that the security community realises this, but if things continue moving in the direction they currently are, I'm not so optimistic.
Incidentally, I also use a local MITM proxy, but to remove ads and other crap.
Not only that, but the ability by browsers to validate end-to-end depends wholly on browsers trusting CAs. I'd say that is a lot worse of a trust-level.
If you create your own CA it's not trusted by your browser. Intermediate chains have nothing to do with it because at the end of the chain is no trust.
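The two comments above make the same point from opposite sides: a certificate store is how you "choose who you trust", and a chain signed by your own CA is worthless to a client until that root is in its store. The following Go program is an added example, not code from any commenter: it generates a private root CA and a server certificate in memory (the hostname and CA name are constructed), then verifies the same leaf twice, once against a trust store containing the private root and once against an empty store, and distinguishes "root not trusted" from every other verification failure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed two-certificate chain: a private root CA and a
// server (leaf) certificate that root has signed. Nothing here is a real CA.
type Chain struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// BuildChain generates a private root CA in memory and issues a server
// certificate for dnsName, as a local proxy or intranet service would.
func BuildChain(dnsName string) (*Chain, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Self-signed: the template is also its own parent.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Issued by the root: parent is the root cert, signer is the root key.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Leaf: leaf}, nil
}

// VerifyAgainst validates leaf for dnsName against a trust store holding
// exactly the given roots. Passing no roots models a browser whose store
// has never had this private CA added to it.
func VerifyAgainst(leaf *x509.Certificate, dnsName string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // non-nil, so an empty pool never falls back to system roots
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   dnsName,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether verification failed because the chain
// ends in a root the store does not contain, rather than for another reason
// such as a hostname mismatch or expiry.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "intranet.example.test" // constructed hostname
	ch, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("root in store:    ", VerifyAgainst(ch.Leaf, host, ch.Root))
	fmt.Println("empty store:      ", VerifyAgainst(ch.Leaf, host))
	fmt.Println("unknown authority:", IsUnknownAuthority(VerifyAgainst(ch.Leaf, host)))
}
```

The same leaf is cryptographically valid in both runs; only the contents of the trust store change the outcome, which is why adding or removing a root is the whole of "choosing who you trust" and why a locked-down store takes that choice away.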
It's a more plausible scenario, to me, that browsers will become more strict w/ CA verification. Non-technical users will be permitted easy access to resources secured by third-party-signed certificates. They'll be forced to plumb into the confusing depths of their browser / OS to make changes that would allow access to resources protected with untrusted certificates (assuming they're even allowed to make such changes, which I think will also eventually be taken away).
Nobody in the industry wants anything locally-hosted by end users to work well. Locally-hosted means not "cloud"-hosted. That means no sweet, sweet recurring subscription revenue stream or centrally-stored user data to "monetize".
It's the same kind of non-trust you (and others) assert over CAcert.
See how well that model worked with Comodo and TurkTrust - both of which are still in business and in default CA lists, which is counter to your assertion that careful CA operation makes business sense.
Unfortunately there's no will with browser vendors to _really_ improve matters (maybe TACK?), so something like CAcert is great should it get implemented (providing some heat to CA providers) and even when not (by showing the browser vendors' hypocrisy).