> Please note, I am not accusing any specific person of being a government spook
> intent on weakening security, but I can’t help notice the parallels in this
> situation with what is known about how Internet standards get compromised
Except that's exactly what the author is doing. Otherwise why did I have to wade through the first 50% of this blog post? Palmer's blog on the subject [1] is well-reasoned and makes the motivations for the decision clear. Slepak may not like those reasons, but adding a veiled accusation of stoogery to an otherwise weak rebuttal just makes you look like an asshole.
I'll requote Palmer's fundamental assertion:
> However, it is not possible for a low-privilege application to defend against
> the platform it runs on, if the platform is intent on undermining the
> application’s expectations. To try would be futile, and would necessarily
> also violate a crucial digital rights principle: The computer’s owner should
> get to decide how the computer behaves. Dell and Lenovo let their customers
> down in that way, but for better and for worse, it’s not something that a web
> browser can fix.
I can appreciate this argument. Today it's pre-installed certificates, but tomorrow it'll be some malware that hijacks the owner's machine in some other way. If Chrome's responsibilities expand to include the security of the entire system, it would place an impossible burden on its engineers.
What specific person is the author accusing "of being a government spook intent on weakening security"?
I find Palmer's assertion to be flawed and full of hyperbole and misdirection:
> To try would be futile,
This is like saying that because perfect security is impossible, all security measures are futile.
> and would necessarily also violate a crucial digital rights principle: The computer’s owner should get to decide how the computer behaves
In no way is it necessary to violate that principle (unless you view the hardware manufacturer as the 'owner', which does seem to be an increasingly prevalent view)
> it’s not something that a web browser can fix.
Except that we've had at least 2 specific instances that the computer browser could have mitigated by warning when HPKP is violated.
> Today it's pre-installed certificates, but tomorrow it'll be some malware that hijacks the owner's machine in some other way.
I do not find your 'slippery slope' argument at all convincing. I'm not asking the browser to fix my ACL permissions, I'm asking it to tell me when my OS asks the browser to do something that is potentially insecure (use a certificate other than the one pinned).
> I find Palmer's assertion to be flawed and full of hyperbole and misdirection
yes, we wouldn't want to be hyperbolic, would we.
> This is like saying that because perfect security is impossible, all security measures are futile
No, it's saying security theater is just that, and there would be significant downsides for the stated gain. Where you and he disagree is the magnitude of that gain. You're well within your right to disagree on that, but seriously, let's refrain from being so hyperbolic.
It's not like this was unexpected. This has been noted for years in their security FAQ:
It was also extensively discussed when the Lenovo/Superfish incident happened.
It's also notable that no other browser will reject a connection based on a differing certificate to the pinned one, either, so it's not clear why Chrome is being singled out here. Firefox was only immune here because they don't use the OS's cert store. Superfish happily just injected its certificates in theirs too.
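The behaviour the last few comments argue about (pins matched against the chain's SubjectPublicKeyInfo hashes, but the check skipped entirely when the chain ends in a locally installed root such as Superfish's) can be made concrete with a small model. The following is an added example written for this page; it is not Chrome's code, Palmer's code or anything from the thread. The `Public-Key-Pins` parsing and the base64(SHA-256(SPKI)) pin computation follow RFC 7469; the SPKI byte strings, the `root_is_builtin` flag and the `enforce_local_roots` switch are constructed for illustration. The switch models the difference between Chrome's documented policy (skip) and what the commenter above asks for (warn or reject):

```python
"""Toy HPKP pin validation (added example, not Chrome's implementation).

Pins are base64(SHA-256(SubjectPublicKeyInfo DER)) as in RFC 7469. The SPKI
byte strings below are constructed placeholders standing in for real DER.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed SPKI placeholders (real ones are ASN.1 SubjectPublicKeyInfo DER).
LEAF_SPKI = b"spki:example.com-leaf-key"
BACKUP_SPKI = b"spki:example.com-backup-key"        # offline backup key
INTERMEDIATE_SPKI = b"spki:example-intermediate-ca"
PUBLIC_ROOT_SPKI = b"spki:public-root-ca"            # in the browser's bundled store
LOCAL_ROOT_SPKI = b"spki:user-installed-local-root"  # hypothetical Superfish-style root
MITM_LEAF_SPKI = b"spki:example.com-reissued-by-local-root"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for one SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass
class PinSet:
    pins: set
    max_age: int
    include_subdomains: bool


@dataclass
class Chain:
    spkis: list            # leaf first, trust anchor last
    root_is_builtin: bool  # True when the anchor is in the browser's own store


def parse_pkp_header(value: str) -> PinSet:
    """Parse a Public-Key-Pins header into its pin set and directives."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        raise ValueError("max-age directive is required")
    if len(pins) < 2:
        raise ValueError("need a current pin plus at least one backup pin")
    return PinSet(pins, int(m.group(1)), "includeSubDomains" in value)


def chain_pins(chain: Chain) -> set:
    return {spki_pin(s) for s in chain.spkis}


def can_note_host(pinset: PinSet, chain: Chain) -> bool:
    """RFC 7469: note the host only if the chain matches a pin AND at least
    one pin (the backup) does not appear in the presented chain."""
    present = chain_pins(chain)
    return bool(pinset.pins & present) and bool(pinset.pins - present)


def evaluate(pinset: PinSet, chain: Chain, enforce_local_roots: bool = False) -> str:
    """Return 'ok', 'skipped' or 'pin-violation'.

    enforce_local_roots=False models Chrome's documented policy: pins are not
    checked when the chain ends in a locally installed (non-built-in) root.
    enforce_local_roots=True is the behaviour the thread's commenter asks for.
    """
    if not chain.root_is_builtin and not enforce_local_roots:
        return "skipped"
    return "ok" if pinset.pins & chain_pins(chain) else "pin-violation"


# Constructed header as a site would send it: current leaf key plus a backup.
HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
          % (spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)))

PUBLIC_CHAIN = Chain([LEAF_SPKI, INTERMEDIATE_SPKI, PUBLIC_ROOT_SPKI], root_is_builtin=True)
LOCAL_MITM_CHAIN = Chain([MITM_LEAF_SPKI, LOCAL_ROOT_SPKI], root_is_builtin=False)


def demo() -> dict:
    """Run the three cases the thread discusses."""
    pinset = parse_pkp_header(HEADER)
    return {
        "noted": can_note_host(pinset, PUBLIC_CHAIN),
        "public_chain": evaluate(pinset, PUBLIC_CHAIN),
        "local_root_chrome_policy": evaluate(pinset, LOCAL_MITM_CHAIN),
        "local_root_enforced": evaluate(pinset, LOCAL_MITM_CHAIN, enforce_local_roots=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The interesting line is the early return in `evaluate`: with the default setting the SSL-interception chain is never compared to the pins at all, which is why a Superfish-style root does not trigger a pin failure in Chrome; flipping `enforce_local_roots` is what turns that same chain into a reportable violation.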
The possibility of working around a security measure doesn't make that measure 'security theater' as long as the workaround requires more resources and effort.
> there would be significant downsides for the stated gain.
What exactly are the downsides to the browser notifying a user when a cert different from the one pinned is used? The potential for some confused questions to Antivirus providers and Corporate IT departments?
> but seriously, let's refrain from being so hyperbolic.
What hyperbole did I use? I specified specifically what I found hyperbolic and flawed about Palmer's assertion. You did not.
> it's not clear why Chrome is being singled out
We are discussing chrome because that is the subject of the article in question. Obviously these arguments apply to other browsers as well.
[1] https://noncombatant.org/2015/11/24/what-is-hpkp-for/