Google Play (Android App Store) does not work at all unless you enable Equifax - pjbrunet
https://twitter.com/php_austin/status/349751588090421250
I'm using ICS. Go and disable the certificates yourself and see if you can confirm it.
======
GaryGapinski
Pull up [https://play.google.com/store](https://play.google.com/store) in a
browser and look at the TLS certificate chain.

Equifax Secure CA is the root CA for the certificate chain.

The intermediate CA (Google Internet Authority) issues the certificate for the
end entity. Its CRL distribution point is
[http://crl.geotrust.com/crls/secureca.crl](http://crl.geotrust.com/crls/secureca.crl).
There is no OCSP resource.

The end-entity certificate is wild-carded for a number of Google sites. Its
CRL distribution point is
[http://www.gstatic.com/GoogleInternetAuthority/GoogleInterne...](http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl).
There is no OCSP resource.

The relying party would validate the end-entity and intermediate CA
certificates using CRLs (as no OCSP is available). These requests would be the
only "data" sent as part of the certificate validation.

As the root CA is explicitly trusted (since it is present in the trust anchor
compilation), it (Equifax Secure CA) is not contacted.

Explicitly removing trust for arbitrary root CAs (which can be prudent) will
of course remove trust for end-entity certificates traceable to those CAs.
Thus, if one removes trust for Equifax Secure Certificate Authority, one will
no longer trust certificates issued by Google Internet Authority, such as the
one used by [https://play.google.com/store](https://play.google.com/store).

Trust via contemporary CA compilations and relying party PKI implementations
is quite coarse. One essentially trusts all CAs and subordinate
certificates for a variety of purposes. Implementations vary in precision (or
even presence) of revocation and constraint checking.

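The chain behaviour GaryGapinski describes can be reproduced offline. The script below is an added example, not from the thread or from Google: it builds a throwaway root, intermediate and leaf with openssl (the names, the play.example hostname and the crl.example URLs are all constructed stand-ins), then shows that the leaf validates only when its root is a trust anchor, and that the only URLs a relying party would have to fetch are the CRL distribution points carried by the intermediate and leaf, while the root itself carries none.

```shell
#!/bin/sh
# Added demo, not from the thread. Builds root -> intermediate -> leaf with
# openssl and shows how trust-anchor removal and CRL fetching interact.
# All subject names and URLs below are constructed for the demo.
set -e
WORK=$(mktemp -d)
SERIAL=1000

# issue NAME SUBJECT EXTENSIONS ISSUER   (ISSUER "" = self-signed)
# Extensions go through -extfile so this runs on OpenSSL 1.1.x and 3.x alike.
issue() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%b\n' "$ext" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    SERIAL=$((SERIAL + 1))
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -set_serial "$SERIAL" -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Validate the leaf using $1 as the ONLY trust anchor (system stores ignored),
# with the intermediate supplied as an untrusted chain certificate.
verify_leaf() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
       -untrusted "$WORK/intermediate.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

# URIs embedded in a certificate: here only CRL distribution points, which
# are what a CRL-checking relying party would actually fetch.
cert_urls() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' || true
}

# Root (plays the role of the trust anchor, e.g. "Equifax Secure CA"): no CDP.
issue root "/CN=Demo Root CA" \
  'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign' ""
# Intermediate (role of "Google Internet Authority"): CDP points at root's CRL.
issue intermediate "/CN=Demo Intermediate CA" \
  'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\ncrlDistributionPoints=URI:http://crl.example/root.crl' root
# Wildcarded end-entity: CDP points at the intermediate's CRL.
issue leaf "/CN=play.example" \
  'basicConstraints=CA:FALSE\nsubjectAltName=DNS:play.example,DNS:*.example\ncrlDistributionPoints=URI:http://crl.example/intermediate.crl' intermediate
# An unrelated root, standing in for "every other CA you still trust".
issue other "/CN=Unrelated Root CA" \
  'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign' ""

echo "leaf with its root trusted:   $(verify_leaf "$WORK/root.pem")"   # trusted
echo "leaf with that root removed:  $(verify_leaf "$WORK/other.pem")"  # rejected
for c in root intermediate leaf; do
  echo "$c would fetch: $(cert_urls "$WORK/$c.pem" | tr '\n' ' ')"
done
```

Run it on any box with openssl 1.1 or newer. The second verify deliberately offers only an unrelated root, which is exactly the state Android is in once the real root is disabled: the intermediate is still presented by the server, but nothing anchors it. Note also that nothing in the validation path addresses the root's operator; the fetched URLs belong to whoever hosts the CRLs named in the intermediate and leaf.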
~~~
pjbrunet
I don't think it's just a coincidence or necessarily a secret:

"Equifax Inc. (EFX), EBay Inc.'s (EBAY) PayPal and Intuit Inc. (INTU) have
begun trials to see whether social posts can help prove identities, and, in some
cases, detect whether customers are lying about their finances."
[http://finance.yahoo.com/news/facebook-posts-help-credit-bureaus-040100420.html](http://finance.yahoo.com/news/facebook-posts-help-credit-bureaus-040100420.html)

Actually I remember blogging about this years ago, back when Myspace was at
its peak. So it's not news. I'm just wondering if Google has revealed what
data it reports to Equifax, if any. And if that's the case, I think the next
question is: What sort of app activity will help improve your credit?

------
morkfromork
Is there another tweet that explains this tweet?

~~~
pjbrunet
No, I just discovered this moments ago and posted it. I had disabled a lot of
my security certificates the other day and then realized I couldn't get into
Play. So I added just about all the certificates back except the creepy ones
like "Japanese Government". Well, Google Play still didn't work.

So I was just watching a movie at home and this was my process:

1. Enable creepy certificate.
2. Try Play.
3. Play doesn't work? Re-disable creepy certificate. Go to #1 (Try next creepy certificate.)

That's not to say Equifax is the ONLY certificate you MUST have to use Play.
But it appears it's at least ONE of the required certificates. If I was really
bored and had several hours to blow I suppose I could figure out which
certificates are mandatory.

The annoying thing is, Google makes you tick a checkbox, then scroll, then
Enable, then Confirm (four steps) for each certificate. So it's very
time-consuming. Maybe easier to toy with the certificates if you have root
access to your phone, which I haven't bothered to do yet.

------
wmf
So? Is that a problem?

~~~
pjbrunet
I'm no expert, but seems like a big deal for all Android phones to report to a
major credit bureau that determines whether you can rent an apartment, buy a
house, get a job, a promotion, etc.

Not only that

a) It's mandatory, not something you can turn off. Unless you want no apps on
your phone.

b) There is no error message saying "Could not connect to Equifax." It just
asks if you want to "Retry" starting the app.

~~~
d4n3
Their server certificate is from Equifax Secure Certificate Authority,
disabling it will make the https connection fail.

To my knowledge, verifying the server certificate from a local CA store does
not send data to the CA itself, do you have any reason to think otherwise?