Isn't it odd that Google would sign their own domains? After all, https is about ensuring your sites's authenticity to your visitor via a trusted third-party certificate. This sounds like it's mostly there to make it difficult to modify content by intermittent parties, such as ads and tracking added by your ISP. As such, "self-signing" by your own root CA would appear as a conflict of interest, and only add to SSL enforcement increasingly seen as gatekeeping.
> Isn't it odd that Google would sign their own domains? After all, https is about ensuring your sites's authenticity to your visitor via a trusted third-party certificate.
Why does it have to be a third party? My understanding is that as a user you just need to trust the certificate and it's owner, and as long as the trust is there it shouldn't matter what that certificate is signing.
> After all, https is about ensuring your sites's authenticity to your visitor via a trusted third-party certificate.
No longer especially that pre-LE, those same third-party sites already broke the rules, even with their EV offerings. Everything has been reduced to "is this domain at least controlled by them?" which is easily auditable (organisational verification has been significantly devalued). Now, Let's Encrypt only verifies domains and not trustworthiness (in fact, they won't revoke certificates known as phishing sites). Also EV certificates are nearly worthless unless you want to bypass many antivirus' HTTPS interception.
No, I don't see it as odd. GlobalSign is the root for Google's certificates, just like DigiCert is the root for Microsoft, and Starfield Technologies (GoDaddy) is the root for Amazon's certificates.
The strange thing is that some companies mix and match - aws.amazon.com is signed with their certificate, while www.amazon.com is signed with a DigiCert certificate. You'll find Microsoft seems to mix certs as well, also using DigiCert for some sites. No clue why this is.
It doesn't really matter which CA signs a certificate, as long as that CA is in the trust root of all major browsers and other clients. Which is the case for google's CA.
