why apple uses deprecated google trust certificates

The root certificate trust stores of iOS & macOS use the deprecated versions of the Google trust certificates (GTS Root R1, 2, 3, 4) as per the pki.google.com repositories. Why not use the latest?


I wasn't able to replace the Google root certificates by manually installing the latest version on macOS Monterey 12.5.1, as the names of the certificates conflict with Apple's deprecated version.


Google servers globally are already using the new certificates, as checked on ssllabs.com.


When would Apple change to the latest version, and why not now?

Posted on Sep 10, 2022 10:58 AM


11 replies

Sep 10, 2022 12:55 PM in response to ww2022

Per https://pki.goog/repository/ old and new GTS Root R1, R2, R3, and R4 are all valid through 2036, or later.


Per the published Apple trust store (caveat below), the fingerprints do differ from both old and new at Google, but the expiration dates in the Apple trust store do match those at Google, and the newest published Apple Trust Store (2021072200) is not the version Apple is currently using (2022031500) with iPadOS 15.6.1.


Available trusted root certificates for Apple operating systems - Apple Support (this is not what is in use)


I’ll see if I can extract the root public certs using an app, but that’s not happening today.


I’d expect we’ll be getting new docs as iOS 16 and iPadOS 16 and Ventura arrive, too.
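The fingerprint point above is the one that matters in practice: a trust store identifies an anchor by its key, not by the name printed on the certificate. The following is an added, constructed demonstration using the openssl CLI (not code from any post in this thread; the CA name, hostname and files are made up). It builds two self-signed roots that share one subject name but hold different keys, issues a leaf from only one of them, and shows that the leaf chains only to the root whose key actually signed it.

```shell
#!/bin/sh
# Constructed demo: two roots with the same subject name but different keys, plus a
# leaf issued by one of them. Chain validation binds to the anchor's key, not its name.
set -eu
WORK=$(mktemp -d)
SUBJ="/O=Example Trust Services/CN=Example Root R1"   # constructed name, not a real CA

# Self-signed CA certificate with a fresh P-256 key (fast to generate).
make_root() {  # $1 = file stem
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$SUBJ" -days 30 >/dev/null 2>&1
}

# Leaf certificate for a test hostname, signed by the given root's key.
make_leaf() {  # $1 = root stem, $2 = leaf stem
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/$2.pem" -days 30 >/dev/null 2>&1
}

subject_of()     { openssl x509 -in "$1" -noout -subject; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# SHA-256 over the SubjectPublicKeyInfo: identifies the key itself, which stays the
# same across re-issued variants of a root and differs when the key differs.
spki_hash_of() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
# Exit status 0 if the leaf chains to the given anchor, non-zero otherwise.
verifies_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_root root_a
make_root root_b          # same subject as root_a, different key
make_leaf root_a leaf

for r in root_a root_b; do
    echo "$r: $(subject_of "$WORK/$r.pem") fp=$(fingerprint_of "$WORK/$r.pem")"
    if verifies_against "$WORK/$r.pem" "$WORK/leaf.pem"; then
        echo "  leaf verifies against $r"
    else
        echo "  leaf does NOT verify against $r (same name, different key)"
    fi
done
```

Comparing a root's SHA-256 fingerprint (or SPKI hash) against the values published by the CA, rather than its display name, is the check that settles which variant a trust store actually carries.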



Sep 11, 2022 9:34 AM in response to ww2022

In recent years, the trust store changes multiple times a year. Apple tends to load a new trust store in the background, sometimes pushed out-of-band and sometimes pushed as part of a new version, though they usually also push the same updates to earlier (“supported”) versions. Absent revocation, the certificates will work until expiration. The published documentation can miss or can trail the updates, though.

Sep 12, 2022 11:58 AM in response to ww2022

ww2022 wrote:

I am not a tech professional but very much like to use Apple devices and am very concerned about cybersecurity and a zero trust operating environment, so I check in great detail as an end user.

Then you should not be making these kinds of changes for any reason. You have compromised the security of your device. Leave all security and certificate settings at their default values. If you are unable to reset them yourself, erase your hard drive and reinstall the operating system. Restore only user account and user files. Do not restore any applications or "other files". You will need to manually reinstall any legitimate application that you really need to use.


Maybe I should share more about what caused my concern about the deprecated Google cert.

It is always better to share concerns before taking actions like this.


LuLu, Little Snitch, Murus, Wireshark

Do not use any of those apps. Your computer was in its most secure configuration the first time you turned it on. Any changes to the configuration will reduce your security.


I captured in the wild a non-Google website (IP address owner not Google) posing as xxxxxxxx.gvt1.com, which passes through the application firewall because the reverse DNS check only checked for matches to *.gvt1.com. That website has a certificate signed by a legitimate root CA (not GTS or GlobalSign).

Can you provide more specific information about how you did this?


It has become hip for people to style themselves as "internet security researchers". They get a Twitter account, maybe start a blog, get some followers, and suddenly they are an expert. One of their common tactics is to get Apple users to doubt the default security settings that Apple provides. They tell you that you need one or five different 3rd party security products. They tell you that you need to double-check that Apple security updates are properly downloading. They tell you that you need to verify that Apple security processes are running. Maybe they have told you that you need to fix Apple's trust store. None of this is true. They have convinced you that you need to doubt, and manually correct, the default security settings of your Mac. You've been conned and defrauded, that's all. Put your trust in Apple. Apple has your best interests at heart. Apple will protect your privacy and security better than any internet social media influencers.

Sep 10, 2022 11:33 AM in response to ww2022

Is this a duplicate of a previous post? I seem to remember one earlier today that was almost, but not quite, identical.


This is an Apple user-to-user support forum. As Apple users, we typically trust Apple to do the right thing and don't pay much attention to Google. I would be willing to investigate this, but you would need to provide some kind of reference material.

Sep 11, 2022 7:59 AM in response to MrHoffman

Thanks for the insight on trust store 20220315. I also noticed that DuckDuckGo on iPad connects with the latest non-deprecated version of GTS Root R1. However, I still experience the deprecated versions on macOS and am not able to connect with the latest non-deprecated GTS Root R1.


The reason I raise this point is my concern that there is simply an oversight in the macOS update, and I had a strange experience connecting to Google webpages. In short, I am not able to use the latest non-deprecated version of GTS Root R1 to connect to Google services on a MacBook Pro M1 Pro with Monterey 12.5.1, even when I tried with Firefox and disabled all other certificates including the Apple root certificates. The Firefox cert store already has the latest GTS Root R1. Very strange behavior.


Yes. I posted a similar post earlier but wasn't able to find it again, and so thought maybe the post was lost. Thanks for understanding.

Sep 11, 2022 10:15 AM in response to ww2022

ww2022 wrote:

I had a strange experience connecting to Google webpages.

Can you describe what that experience is?


I tried with Firefox and disabled all other certificates including the Apple root certificates.

Perhaps that is the cause of your problem. There is no need to disable any certificates. Safari, Firefox, and Chrome all work perfectly out-of-the-box. There is no need for you to make any system modifications of any kind.

Sep 12, 2022 10:08 AM in response to etresoft

Thanks for all the insights.


But that is not the problem. Firefox is able to connect to Google services with all other certificates disabled, by enabling the old deprecated certificate chain (the signing root is not the same GlobalSign entity). But this happens only with macOS, in the sense that I am not able to connect to Google services with the latest certificates.


Maybe I should share more of the concerns to help with understanding: I captured in the wild a non-Google website (IP address owner not Google) posing as xxxxxxxx.gvt1.com, which passes through the application firewall because the reverse DNS check only checked for matches to *.gvt1.com. That website has a certificate signed by a legitimate root CA (not GTS or GlobalSign). So, I have grown very cautious about checking certificate validity.


After all, why would Google deprecate a non-expiring certificate?


I use Apple devices extensively and am very concerned about security, but I am not a technical professional and appreciate any and all insights.


Maybe I should share another finding as an end user:


In the macOS network settings for all interfaces, on the proxy tab, there are built-in exceptions for localhost and 169.254.*, which I understand should be private addresses, that is, not sent out to the Internet. But if I check with the command route get 169.254.1.1 (when I am connected to the Internet), 169.254.1.1 goes through the default gateway out of the device. traceroute shows similar results. So, is it possible to send from 169.254.1.1 to my computer and get a reply bypassing the application firewall (LuLu, Little Snitch) or packet filter (incl. Murus) because it runs as an exception to the proxy at the interface?


As an end user wishing to use Apple notebooks, I am therefore very sensitive about HTTPS as the last resort.


Thanks for understanding.


Sep 12, 2022 10:48 AM in response to etresoft

Thanks all for the time. This is not the problem, because if I switch the only enabled cert in Firefox from the latest GTS Root R1 to the deprecated cert's signing CA (not the same GlobalSign entity) while all other certs are disabled, a connection can be made to Google services as usual.


I am not a tech professional but very much like to use Apple devices and am very concerned about cybersecurity and a zero trust operating environment, so I check in great detail as an end user.


Maybe I should share more about what caused my concern about the deprecated Google cert.


In the macOS network tab, every interface has a proxy tab with default exceptions of localhost and 169.254.*, which I understand are supposed to be private addresses, that is, not going to the World Wide Web. However, if I do a check with route get 169.254 (or 169.254.1.1 etc.), it actually routes to the default gateway and can be routed outside the notebook. traceroute 169.254 actually displays a route to a South African webpage (Apple assumes the default is host, as per the route man page). Appears harmless? Because 169.254 is an exception to the proxy, it is not captured by the application firewall (LuLu, Little Snitch) or packet filter (including Murus), and so could the SA website (or a telecom router with malware) connect to the device and get a reply, bypassing the firewall & packet filter?


Have you experienced unexplainable packet traffic in a Wireshark capture?


Therefore, I am very concerned about HTTPS as a last-resort security measure and focus a lot on the certs.


Thanks for helping me understand more.





Sep 12, 2022 11:36 AM in response to ww2022

This local net seems… odd.


169.254/16 is self-assigned. It’s not routable. It’s typically only used transiently when communicating with DHCP, or when DHCP is unavailable.


Add-on firewalls can make it very easy to disrupt IP comms. I usually discourage those for the subtle problems they can cause with errant blocks.


The trust store is not where I’d focus here for your stated goals, either. If you want to look at a trust store in detail, Mozilla publishes theirs for use by others. But absent a fault or a revocation or some exploit that has entirely bypassed iOS security*, not usually a concern.


I’d suggest the Feisty Duck book on TLS (they have a free intro book), and an intro to IP. The IP intro I’d point to here is Beej’s Guide, though that concentrates on IP sockets and less on IP itself.


*and most of us aren’t worth that most-of-a-million-dollar investment. If you are, you need far better sources of security info than a rando like me in an Apple developer-related forum, too.
