Chrome won't trust Symantec-backed SSL as of Jun 1 unless they account for bogus certs


#1

[Read the post]


More SSL Madness
#2

As a former symantec employee…

You can’t mess around with certs and keys. And it would have been trivial to prevent this from the get go.


#3

Lead up to question:

Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.

First, how the hell could Symantec receive the first notification from Google (not exactly the random internet idiot telling us that Obama is invading Texas), only to respond that “oh yeah, we found those six items–it’s all good”, and then when Google says, “Yeah…but no”, Symantec finds not ten percent more, or even fifty percent more errors, but a metric shit-ton of errors, relatively speaking (“metric shit-ton” being both accurate and entirely vague and undefined by any scholarly body).

That is to say, isn’t Symantec in the business of protecting their customers via a swath of internet-related technologies? Did they get the first and second letters from Google on the day their head honcho expert was on vacay? WTF?

Mostly, I’m pissed because the Symantec brand started in my world as The One True Helpful Software–what happened to them?


#4

Laziness that comes with being a big, fat company. I am sure it went down exactly like this.

Engineer: “We need test certs for real domains. Can we stand up a QA CA?”
Director: “What’ll it cost?”
“Hrm… $1.3 million.”
“No, just use Prod, but also, uh, use encryption. And that other thing. Oh, passphrases.”
“Is that a good idea?”
“Sure, why not. Log a security exception in that system noone uses.”
"Okay… " (walks away whistling, and gets a job in a different department)

I will bet a solid hundred dollar bill it happened like that.


#5

Thereby both eroding the system they’re supposedly attempting to undergird while also sweeping away the now-moldy crusts of their brand. Sad to see it happen–they used to be the shit!


#6

I just hope that this ruins as many careers as possible pour encourager les autres.


#7

I don’t know exactly how the transmutation occurred; but they’ve become the corporate equivalent of some sort of ghastly alien symbiote.

Any product they infect starts to undergo traumatic and hideous deformation; sprouting unnatural appendages, sloughing chunks of necrotic flesh, spewing viscous ichor through an unwholesome chorus of babbling mouths; that sort of thing.

However, it somehow manages to extract enough nutrients from one host to buy up another before the first is entirely eviscerated; allowing it to take over a different product that people used to like while leaving an ever-larger collection of formerly useful products and services cocooned in horrible mucus pods, twitching and begging for death.

I don’t quite know how they do it, honestly. They are like the EA of enterprise software, except much, much, more virulent. At least EA often gets one last good release out of a formerly legendary studio before sending them to the knacker.


#8

Thankfully they aren’t the Computer Associates of enterprise software.


#9

it’s only a problem (for symantec) b/c they were found out.
otherwise, the way they have been conducting business is a beautiful free market circular profit-making gig.
morals/ethics? haha, you silly meat sack!


#10

True enough; it could always be worse and somewhere it already is.


#11

It’s November 2015 now, and June 2016 is 7 months away. How can we manage our trust of Symantec in the meantime?


#12

How about “Don’t”?


#13

Don’t trust Symantec, or don’t manage it?

How do I tell Chrome to not use Symantec as a CA now, in a way that persists across updates?


#14

That’s the one. They’re not worthy. Haven’t been for a long time.

(What to do about it in the real world…that’s beyond internet smartass quality. I dunno. Sorry.)


#15

What’s the worst that could happen? Seven months is the blink of an eye in geological time.


#16

This whole ssl/cert thing is a clusterfuck of epic proportions.


#17

I believe that Chrome defers to the platform’s certificate handling mechanism; with the exception of some additional features(certificate pinning for Google stuff, that sort of thing) that is layered on top.

In Windows, this means that you’d want to open mmc.exe, load the ‘certificates’ snap-in and have at it.

OSX would use keychain for the same purpose. I’m not 100% sure what Chromium does on linux, I’d need to check.

The trouble is, though, that Symantec owns a nontrivial chunk of the market, so unless Google manages to beat them into compliance, you can go ahead and distrust them yourself; but the breakage, it will be dramatic.


#18

You can manually remove Symantec’s certs from your certificate store if you’re so inclined (as least you can in Firefox).


#19

There’s your problem…


#20

Oh come on. Just because FF is your horse…

(I use them both and I prefer Chrome.)