The Chrome Root Store aims to improve browser interoperability across different operating systems

Google intends to launch a dedicated Chrome certificate root store to improve the verification of Certificate Authorities (CAs) and the security certificates they issue.

In an article posted to the Chromium Project, last updated November 2, Google said the upcoming transition will mean that Chrome will no longer integrate with root stores provided by operating system vendors such as Microsoft and Apple.

Google Chrome currently uses operating system (OS) root stores to access CAs and the certificates they issue to websites. Certificates are used to authenticate web domains and ensure HTTPS connections are secure.

Compatibility issues between these root stores can affect users, who are then confronted with error notices. Weeding out fraudulent CAs or hijacked certificates - used for malicious purposes such as performing Manipulator-in-the-Middle (MiTM) attacks - is also key to protecting browser users.

The Chrome Root Store will establish a “common implementation on all platforms”: a single list of trusted CAs, verified by Google, used by Chrome on Android, Chrome OS, Linux, Windows, and macOS.

“This will ensure users have a consistent experience across platforms, that developers have a consistent understanding of Chrome's behavior, and that Chrome will be better able to protect the security and privacy of users' connections to websites,” Google explained.

Apple’s iOS is the exception to this major change, as the iPad and iPhone maker’s policies will prevent the Chrome Root Store from operating.

Root and branch

Google’s new program is similar to others already in operation, including Mozilla’s Root Program for Firefox and related products.

Not every CA will be included in the initial launch of the Root Store or default Chrome installations. Google says that during the transition period it will select CAs that have worked with Chrome in the past and operate on the “majority” of supported platforms, in the hope that this will minimize disruption for end-users.

Chrome will also refer to information supplied by the Common CA Certificate Database (CCADB).

Some CAs will be prioritized when new certificates are considered for inclusion: those that are already “widely trusted” and have a timely replacement record, CAs that undergo audits every year, and CAs that only issue TLS server certificates.

If certificate authorities do not meet the criteria Google has set for inclusion, the company says that they will be dealt with on a “case-by-case basis”.

Google also reserves the right to remove CA certificates from the Root Store if they are considered compromised or a threat to user safety and privacy.

“The selection and ongoing membership of CAs is done to enhance the security of Chrome and promote interoperability; CAs that do not provide a broad service to all browser users are unlikely to be suitable,” the tech giant says.

Google added that during the transition period, CAs should “continue to work with the relevant vendors of operating systems where Chrome is supported” in order to minimize the possibility of disruption or compatibility issues for end-users.
