For historical reasons (viz. NSS), Mozilla maintains its own list of trusted CAs. Chrome uses whatever is provided by the OS, so they aren't in a position to make the same sorts of demands.
Not that I disagree with the sentiment -- there's just a very specific reason why Mozilla is involved, and it's not simply because they write a web browser.
Chrome already has a mechanism to detect a MITM for Google's servers by embedding those servers' public keys into Chrome itself.
Of course, that doesn't stop a company from placing locally-trusted rogue certificates on computers they control, overriding Chrome's public-key pinning check. But it means that they can't MITM a connection from your personal laptop when you're on their network.
duskwuff|14 years ago
nknight|14 years ago
joshtalon|14 years ago
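As an added illustration of the pin check discussed above (example code, not Chrome's implementation or anything posted in the thread), using constructed stand-in SPKI blobs and modelling the fact that Chrome does not enforce pins for chains that end at a locally installed root:

```python
import base64
import hashlib

# Constructed sample data (not real keys): stand-ins for DER-encoded
# SubjectPublicKeyInfo structures pulled from certificates in a chain.
GOOGLE_LEAF_SPKI = b"constructed-spki-google-leaf"
GOOGLE_CA_SPKI = b"constructed-spki-google-intermediate"
ROGUE_CA_SPKI = b"constructed-spki-corporate-proxy-ca"
ROGUE_LEAF_SPKI = b"constructed-spki-proxy-issued-leaf"


def spki_pin(spki_der: bytes) -> str:
    """Pin format used by HPKP and Chrome: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# A built-in pin set per host. Pinning the intermediate rather than the leaf
# lets the operator rotate leaf certificates without shipping a browser update.
PIN_SETS = {"www.google.com": {spki_pin(GOOGLE_CA_SPKI)}}


def check_pins(host, chain_spkis, chain_to_local_root=False):
    """Return (allowed, reason) for a validated chain, ordered leaf first.

    chain_to_local_root models Chrome's behaviour: pins are not enforced when
    the chain validates to a trust anchor installed locally (e.g. by a corporate
    admin), which is why a managed machine can be intercepted while a personal
    laptop on the same network still gets the pin check.
    """
    pins = PIN_SETS.get(host)
    if pins is None:
        return True, "host not pinned"
    if chain_to_local_root:
        return True, "pins bypassed: chain ends at a locally installed root"
    if any(spki_pin(spki) in pins for spki in chain_spkis):
        return True, "pin matched"
    return False, "pin mismatch: possible MITM"


if __name__ == "__main__":
    print(check_pins("www.google.com", [GOOGLE_LEAF_SPKI, GOOGLE_CA_SPKI]))
    print(check_pins("www.google.com", [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]))
    print(check_pins("www.google.com", [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI], True))
```

The third call is the managed-machine case from the comment: the same interception chain that fails the pin check on a personal laptop is accepted once the rogue CA is a locally installed trust anchor.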