The move, Google says, is the result of diminished confidence and reliability in Chunghwa Telecom and Netlock as CA Owners, due to “patterns of concerning behavior observed over the past year”.
“These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome,” Google says.
Not sure if other browsers and OS would follow suit, but it got me thinking if users should review and revoke CAs from adversaries. I personally did this but it wasn’t an educated decision but rather an instinct.
I think the issue with trying to preen CAs out yourself is you will end up with a lot of sites giving you a warning in your browser and you’ll eventually just ignore it. Better to let Google and other big companies that have more insight into the behavior of these CAs decide which ones are trustworthy.
It’s totally fine if you really do heed your browser’s warning, I just think it has the potential to desensitize you to it.
Indeed it is very difficult for people to keep track of, understand, and evaluate root certificate issues. At least I don’t have the capability to do so.
That being said, Root Certificates could be misused by authorities / threat actors to perform attacks, and MS / G / Mozilla usually wait weeks or months to distrust those authorities to mitigate disruptions.
Depending on the situation, it could be way too slow. That’s why I chose to basically distrust all certificates from my / my potential adversaries.
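The thread talks about reviewing which roots a machine trusts without saying how to get that list. As an added example (not code from any commenter, and not tied to any browser's own root store), the script below uses only Python's standard library to enumerate the roots the local OpenSSL/system bundle trusts by default and to flag the ones whose organisation name matches a watch list, plus any that have already expired. It is an inventory step, not a removal tool: the watch list is a constructed illustration built from the organisation names in the thread, and the system bundle it reads is not the same store that Chrome or Firefox consult.

```python
"""Inventory the root CAs trusted by default by Python's ssl module.

Added example for this discussion; it is not code from the thread.
Assumptions: the names in WATCH_LIST are a constructed illustration taken
from the organisations named above, and the store inspected is the
OpenSSL/system bundle, which browsers may not use.
"""
import ssl
import time

# Constructed watch list (an illustration, not an authoritative list).
WATCH_LIST = ("Chunghwa Telecom", "Netlock")


def subject_field(cert, field):
    """Return one attribute (e.g. 'organizationName') from the nested
    subject tuples that ssl's get_ca_certs() produces, or '' if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return ""


def flag_roots(ca_certs, watch_list=WATCH_LIST, now=None):
    """Inspect already-parsed root certificates (the dict form returned by
    SSLContext.get_ca_certs()) and return (reason, organisation, common name)
    for every root that either matches a watch-list organisation
    (case-insensitive substring match) or has passed its notAfter date.
    Nothing is modified; a person can act on the list deliberately."""
    now = time.time() if now is None else now
    findings = []
    for cert in ca_certs:
        org = subject_field(cert, "organizationName")
        cn = subject_field(cert, "commonName")
        if any(w.lower() in org.lower() for w in watch_list):
            findings.append(("watch-list", org, cn))
        not_after = cert.get("notAfter")
        # notAfter looks like 'Jun  1 00:00:00 2008 GMT'; stdlib parses it.
        if not_after and ssl.cert_time_to_seconds(not_after) < now:
            findings.append(("expired", org, cn))
    return findings


def load_system_roots():
    """Roots trusted by default on this host, as parsed by OpenSSL.
    This is the system bundle Python uses, not a browser's own store."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    roots = load_system_roots()
    print(f"{len(roots)} roots trusted by default")
    for reason, org, cn in flag_roots(roots):
        print(f"[{reason}] {org!r} / {cn!r}")
```

Run it as a normal script to see the inventory for the current host. The matching is deliberately a loose substring test on the organisation name, because a CA owner typically operates several distinct roots under the same organisation; anything it prints is a prompt to look the root up in the relevant vendor's root program announcements, not a verdict.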