Ability to ignore local trust store - making it a setting/config


Subramanian Krishnan

May 27, 2024, 2:06:42 PM
to Chromium-discuss

With reference to:  https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#will-the-chrome-certificate-verifier-consider-local-trust-decisions

>>Will the Chrome Certificate Verifier consider local trust decisions?

>>On Windows, the Chrome Certificate Verifier will automatically consume certificates added to the following certificate stores:

>>On macOS, the Chrome Certificate Verifier will automatically consume certificates added to the following certificate stores:

It would be useful to have a way to turn off this default/automatic consumption of certificates from the local store.

For devices where users control the local trust store, this creates a potential security issue. 

Having the ability to turn the local trust consumption off can help secure the browser. An example use case is where the browser is corporate managed and therefore end users will not be able to turn the setting back to default. 

This will go a long way in protecting the user from attacks using untrusted certificates.

Even otherwise, having the setting turned off by default and making local store consumption an opt-in will help prevent attacks.

Would love to hear thoughts/advice regarding this.
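To make the concern concrete from the defender's side, here is an added audit script (not Chromium code and not from the original post) that compares the certificates present in the Windows ROOT system store against a known-good baseline of thumbprints, so that a root added locally, which the quoted FAQ says the verifier would consume, shows up as a difference. It assumes the Windows ROOT store is among the stores the FAQ refers to, uses the Windows-only `ssl.enum_certificates` from Python's standard library for collection, and the sample thumbprints in `demo()` are constructed purely for the offline demonstration.

```python
"""Audit the Windows ROOT certificate store against a baseline of thumbprints.

Hypothetical helper written for this discussion; it is not part of Chromium.
Assumption: the Windows ROOT system store is one of the stores the Chrome
Certificate Verifier consumes, so any thumbprint not in the baseline is a root
that Chrome may trust without the administrator having approved it.
"""
import hashlib
import json
import ssl
import sys
from typing import Dict, Iterable, Set


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of DER bytes, upper-case hex as Windows displays it."""
    return hashlib.sha1(der).hexdigest().upper()


def collect_root_thumbprints() -> Set[str]:
    """Windows only: enumerate DER certificates in the ROOT system store.

    ssl.enum_certificates yields (cert_bytes, encoding_type, trust) tuples; only
    entries encoded as "x509_asn" are DER certificates we can hash.
    """
    if sys.platform != "win32":
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    found: Set[str] = set()
    for der, encoding, _trust in ssl.enum_certificates("ROOT"):
        if encoding == "x509_asn":
            found.add(thumbprint(der))
    return found


def diff_against_baseline(current: Set[str], baseline: Set[str]) -> Dict[str, Set[str]]:
    """Return roots present now but not approved ("added") and approved roots
    that have disappeared ("removed"). "added" is the set to investigate."""
    return {"added": current - baseline, "removed": baseline - current}


def load_baseline(path: str) -> Set[str]:
    """Baseline file format: a JSON list of upper-case SHA-1 thumbprints,
    produced once from a known-good machine with collect_root_thumbprints()."""
    with open(path, "r", encoding="utf-8") as fh:
        return {t.upper() for t in json.load(fh)}


def demo() -> Dict[str, Set[str]]:
    """Offline demonstration on constructed data: three stand-in DER blobs, one
    of which ("constructed locally-added root") is missing from the baseline."""
    baseline_der: Iterable[bytes] = [b"constructed root A", b"constructed root B"]
    current_der: Iterable[bytes] = [
        b"constructed root A",
        b"constructed root B",
        b"constructed locally-added root",
    ]
    baseline = {thumbprint(d) for d in baseline_der}
    current = {thumbprint(d) for d in current_der}
    return diff_against_baseline(current, baseline)


if __name__ == "__main__":
    # Usage on Windows: python audit_roots.py baseline.json
    if len(sys.argv) == 2:
        result = diff_against_baseline(collect_root_thumbprints(), load_baseline(sys.argv[1]))
    else:
        result = demo()
    for key in ("added", "removed"):
        print(f"{key}: {sorted(result[key]) or 'none'}")
```

Running the script without arguments exercises the constructed demo; with a baseline file on a Windows host it reports every ROOT-store certificate the baseline does not list, which is the set an administrator would want alerted on while no browser-side switch exists.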

