negidius | 2 years ago

I have no idea what you are talking about. There are literally infinite alternatives because you can freely modify any open-source alternative in infinite ways.

No one is going to kick down your door and shoot you if you try to make a new browser or OS from scratch, like they would if you tried to make a new government, but there is really no reason to make a browser from scratch.

Microsoft didn't need to trust Google to fork Chromium, they didn't give up any power to Google and have exactly the same ability to influence web standards as if they had reinvented the browser. If they disagree with a choice the Chromium developers made, they can change it and keep the rest. The same applies to anyone who wants to do the same.

When it comes to certificate authorities, you don't even need to modify the browser or OS because they already allow you to add and remove authorities. The main reason people don't tend to do that is because they have no reason to. If you tried to start a new one, the natural thing to ask would be why I should trust you over the established certificate authorities. If your answer is that I don't have a choice because you have the backing of an army and police force that you will use against me if I don't, it doesn't exactly fill me with confidence.

The current certificate authorities don't need to threaten anyone with violence to secure their position, and they operate with significantly more transparency than any government I know of. Compared to governments, they are also much safer to trust because they rely on consent rather than force. A compromised or malicious certificate authority won't shoot you for trying to replace it, it has no enforcement mechanism beyond inertia.

lmm|2 years ago

> When it comes to certificate authorities, you don't even need to modify the browser or OS because they already allow you to add and remove authorities. The main reason people don't tend to do that is because they have no reason to.

They're already starting to make it more difficult. Look at what's happening with DoH where it's harder and harder to choose how your DNS queries get done and you get steered to CloudFlare (who are pretty low on my list of entities I want to trust) instead. Now that browsers have mostly succeeded in forcing HTTPS everywhere, expect them to start turning the screws.

> The current certificate authorities don't need to threaten anyone with violence to secure their position, and they operate with significantly more transparency than any government I know of.

Really? Can I make a FoI request to find out why a CA refused to issue a certificate to a particular entity? Is there a right of appeal if they refuse to issue a certificate on discriminatory grounds?

negidius|2 years ago

> They're already starting to make it more difficult. Look at what's happening with DoH where it's harder and harder to choose how your DNS queries get done and you get steered to CloudFlare (who are pretty low on my list of entities I want to trust) instead. Now that browsers have mostly succeeded in forcing HTTPS everywhere, expect them to start turning the screws.

DoH doesn't interfere with your ability to choose your own DNS provider. It only means that your DNS queries are between you and your DNS provider, free from the interference of your ISP and other third parties. It provides greater user freedom because your ISP cannot as easily force you to use their DNS provider. Nothing stops ISPs from offering DoH and some (e.g. Comcast) do offer it. Users may however benefit from using a DNS that's not affiliated with their ISP because ISPs are more vulnerable to censorship demands from governments. Usually, when a government demands that an ISP censor a website, the ISP will simply block DNS queries regarding that domain, allowing users of other DNS providers to escape the censorship. This may of course not be a long-term solution, as governments may be more likely to demand different censorship methods if fewer use the ISP DNS.

As far as I'm aware, no one has suggested that DoH should be mandatory. It is a sensible default that improves the privacy and security of most users, but a user who decides that they do not want to use DoH can simply opt out in the settings. Likewise, HTTPS is not mandatory either, and browsers will not prevent users from accessing unsecure sites. They will however warn users to make sure they are aware of the risks. As far as I'm aware, browser vendors do not benefit from users using HTTPS everywhere. They encourage its use because it is generally beneficial to users.

> Really? Can I make a FoI request to find out why a CA refused to issue a certificate to a particular entity? Is there a right of appeal if they refuse to issue a certificate on discriminatory grounds?

A FoI request is just asking the government to give you information. They will never intentionally give you anything they do not want you to have. FoI laws tend to contain enough exceptions to cover any situation, but even if you should legally receive the information, there is nothing you can realistically do to make them provide it to you. Similarly, you can ask any organization for any information, and they can refuse. The same is true with appeals. You can ask an organization to reconsider its decision and for someone else in the organization to look at it, but the decision remains within the organization. The difference is what you can do once the decision has been finally made. Will the decision maker try to force me to adhere to their decision through violent means, or am I free to ignore them and try to convince others to do the same?

The main difference regarding transparency is that more information is made public by default in the current system (what good is the ability to request information if you don't even know that the thing you wanted to request information about happened?) and that decisions are made by several separate entities that need to justify their decisions to each other in order to maintain consensus.