Google says its Chrome browser will stop trusting certificates from two certificate authorities after “patterns of concerning behavior observed over the past year” diminished trust in their reliability.
The two organizations, Taiwan-based Chunghwa Telecom and Budapest-based Netlock, are among the dozens of certificate authorities trusted by Chrome and most other browsers to provide digital certificates that encrypt traffic and certify the authenticity of sites. With the ability to mint cryptographic credentials that cause address bars to display a padlock, assuring the trustworthiness of a site, these certificate authorities wield significant control over the security of the web.
Inherent risk
“Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports,” members of the Chrome security team wrote Tuesday. “When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”
Google’s Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and then generating and storing a better replacement. Google’s preliminary copy suggests it’s an “AI innovation,” though exactly how is unclear.
Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, “Automated password Change” (so, early stages—as to not yet get a copyedit), is described as, “When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in.”
Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. The password is automatically saved in Google’s Password Manager and “is encrypted and never seen by anyone,” the settings page claims.
If you want to see how this works, you need to download a Canary version of Chrome. In the flags settings (navigate to “chrome://flags” in the address bar), you’ll need to enable two features: “Improved password change service” and “Mark all credential as leaked,” the latter to force the change notification because, presumably, it’s not hooked up to actual leaked password databases yet. Go to almost any non-Google site, enter in any user/password combination to try to log in, and after it fails or you navigate elsewhere, a prompt will ask you to consider changing your password.
Chrome users who declined to sync their Google accounts with their browsing data secured a big privacy win this week after previously losing a proposed class action claiming that Google secretly collected personal data without consent from over 100 million Chrome users who opted out of syncing.
On Tuesday, the 9th US Circuit Court of Appeals reversed the prior court’s finding that Google had properly gained consent for the contested data collection.
The appeals court said that the US district court had erred in ruling that Google’s general privacy policies secured consent for the data collection. The district court failed to consider conflicts with Google’s Chrome Privacy Notice (CPN), which said that users’ “choice not to sync Chrome with their Google accounts meant that certain personal information would not be collected and used by Google,” the appeals court ruled.
Rather than analyzing the CPN, it appears that the US district court completely bought into Google’s argument that the CPN didn’t apply because the data collection at issue was “browser agnostic” and occurred whether a user was browsing with Chrome or not. But the appeals court—by a 3–0 vote—did not.
In his opinion, Circuit Judge Milan Smith wrote that the “district court should have reviewed the terms of Google’s various disclosures and decided whether a reasonable user reading them would think that he or she was consenting to the data collection.”
“By focusing on ‘browser agnosticism’ instead of conducting the reasonable person inquiry, the district court failed to apply the correct standard,” Smith wrote. “Viewed in the light most favorable to Plaintiffs, browser agnosticism is irrelevant because nothing in Google’s disclosures is tied to what other browsers do.”
Smith seemed to suggest that the US district court wasted time holding a “7.5-hour evidentiary hearing which included expert testimony about ‘whether the data collection at issue'” was “browser-agnostic.”
“Rather than trying to determine how a reasonable user would understand Google’s various privacy policies,” the district court improperly “made the case turn on a technical distinction unfamiliar to most ‘reasonable'” users, Smith wrote.
Now, the case has been remanded to the district court where Google will face a trial over the alleged failure to get consent for the data collection. If the class action is certified, Google risks owing currently unknown damages to any Chrome users who opted out of syncing between 2016 and 2024.
According to Smith, the key focus of the trial will be weighing the CPN terms and determining “what a ‘reasonable user’ of a service would understand they were consenting to, not what a technical expert would.”
Matthew Wessler, a lawyer for Chrome users suing, told Ars that “we are pleased with the Ninth Circuit’s decision” and “look forward to taking this case on behalf of Chrome users to trial.”
A Google spokesperson, José Castañeda, told Ars that Google disputes the decision.
“We disagree with this ruling and are confident the facts of the case are on our side,” Castañeda told Ars. “Chrome Sync helps people use Chrome seamlessly across their different devices and has clear privacy controls.”
