When it comes to privacy, you can safely assume whatever side Google is on is the wrong one, and the one everyone else is on is probably costly to Google's web domination plans.
So you're opposed to TLS strengthening measures like certificate transparency? Because i think its pretty good for privacy.
Blind google hate is just as bad as blind google fanboyism. Google does plenty for internet privacy, especially in the parts that don't affect its underlying business model, which is a big part of the privacy space.
Google's interest in PKI is explicitly around it's desire to block competitive advertising interests. Which is to say, if Google is the one decrypting all your TLS traffic on your PC (which it is), it's very happy to push TLS, because it gates out other network providers from analyzing your network activity the way they actively do. Google is extremely financially vested in killing off Comcast and Verizon's advertising businesses.
Furthermore, Google's been utilizing that stewardship of Chrome to set up a situation where they dictate terms to the entire PKI industry, including their ability to unilaterally terminate certificate authorities... while conveniently setting up their own root CA as well.
Which is to say, yes, TLS is just another strategy Google has to take over complete control of the Internet from formerly decentralized approaches, and it should be considered a direct threat to everyone.
> So you're opposed to TLS strengthening measures like certificate transparency? Because i think its pretty good for privacy.
Considering that the cost of getting CT was the removal of RFC 7469 HTTP-based PKP "dynamic pins" (aka HPKP), I am not sure if there was a net benefit to privacy - without hate or love for Google.
I can't fail to notice that intent to removal was to also remove "static pins" (i.e. pins harcoded into the browser) after CT requirement for all certificates was implemented [0], Chrome started checking CT for new certificates [1] and CA Forum has limited the maximum validity of certificates issued to 39 months (2016) -> 825 days (2018) -> 398 days (2020) [2] (which means pretty much all certs from 2017 would have been reissued by now!), yet static pins for certain "favoured" organisations remain in the Chromium code [3].
That list of favoured orgs? Google, Tor project, Twitter, Dropbox, Facebook, Spideroak, Yahoo and Swehack.
CT is great for transparency and tracking rogue certs - but privacy could have used a stronger model than current blind trust in the CAs (and only acting afterwards if the trust proves misplaced).
A standard used by nobody does nothing for privacy. I also dont really see the connection - we could have both if that was desired, they solve similar problems but they don't conflict with each other. HKPK wasn't removed to make way for CT, it was removed because it did not work in practise.
The reasoning on this is a bit circular: it was "used by nobody" because Google did not use it, because it had a static pin in both Chromium-based browsers and in Mozilla [0], resulting in high success rate in tests (they note it in their blog post that very high sucess rate is reported if static pins are on, but very low if they are ignored). There is also the problem that MS and Apple never bothered to implement it.
They had a chance to go forward and implement HPKP protocol in parallel with CT, they didn't. They had a chance to go with other proposals - e.g. checking the CAA records (a proposal they themselves have made in the deprecation post, especially as CA certs are also well-known and pinned), they didn't. They chose an option that works best for Google (and by extension: Facebook, Dropbox, etc), but not so much for everyone else.
This means is there is no way to spot a mis-issued certificate before it has been used - and you need to trust that the specific CA that issues it both adheres to transparency (pinky promise!) and obeys CAA (also, pinky promise - LetsEncrypt got in hot water when it didn't). That is: unless you are Google or Dropbox or Twitter - then your browser will actually save you from connecting to any counterfeit site, as that is what was important for Google.
End result? Privacy is enhanced if you are lucky enough to be on the list of statically pinned sites (see my parent comment, and see the Mozilla version as well), everyone else only gets more transparency, but not stronger privacy.
Depends. When they were struggling with the CCP, eventually getting all their services blocked in Mainland China, I don't think so. There are more examples of situations were Google really does take the other side of the table. It's not helpful to reducing it to these extremes.
If they really wanted to fight for freedoms instead of searching a viable way to have profits in China, they wouldn't secretly start Dragonfly, which was only halted after its employees demanded it. So, they really really did want to operate in China, no matter the human rights situation there, they just did not think it through to concede enough things back then. They were ready later, hence Dragonfly happened.
Not really. They're always evil, it's just occasional their evil coincides with interfering with another evil.
Google's issue with China has never really been human rights. Google's issue with China is that it insists on access to data and algorithms, and while Google does not care about your privacy, Google cares a great deal about it's own privacy.
I think current Google would have made a significantly different decision than past Google. It's been a while since I've seen them make an altruistic choice that has cost them significantly the way losing China did.
