As a former Symantec employee…
You can't mess around with certs and keys. And it would have been trivial to prevent this from the get go.
Lead up to question:
Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.
First, how the hell could Symantec receive the first notification from Google (not exactly the random internet idiot telling us that Obama is invading Texas), only to respond that “oh yeah, we found those six items—it's all good”, and then when Google says, “Yeah…but no”, Symantec finds not ten percent more, or even fifty percent more errors, but a metric shit-ton of errors, relatively speaking (“metric shit-ton” being both accurate and entirely vague and undefined by any scholarly body).
That is to say, isn't Symantec in the business of protecting their customers via a swath of internet-related technologies? Did they get the first and second letters from Google on the day their head honcho expert was on vacay? WTF?
Mostly, I'm pissed because the Symantec brand started in my world as The One True Helpful Software—what happened to them?
Laziness that comes with being a big, fat company. I am sure it went down exactly like this.
Engineer: “We need test certs for real domains. Can we stand up a QA CA?”
Director: “What'll it cost?”
“Hrm… $1.3 million.”
“No, just use Prod, but also, uh, use encryption. And that other thing. Oh, passphrases.”
âIs that a good idea?â
“Sure, why not. Log a security exception in that system no one uses.”
“Okay…” (walks away whistling, and gets a job in a different department)
I will bet a solid hundred dollar bill it happened like that.
Thereby both eroding the system they're supposedly attempting to undergird while also sweeping away the now-moldy crusts of their brand. Sad to see it happen—they used to be the shit!
I just hope that this ruins as many careers as possible pour encourager les autres.
I don't know exactly how the transmutation occurred; but they've become the corporate equivalent of some sort of ghastly alien symbiote.
Any product they infect starts to undergo traumatic and hideous deformation; sprouting unnatural appendages, sloughing chunks of necrotic flesh, spewing viscous ichor through an unwholesome chorus of babbling mouths; that sort of thing.
However, it somehow manages to extract enough nutrients from one host to buy up another before the first is entirely eviscerated; allowing it to take over a different product that people used to like while leaving an ever-larger collection of formerly useful products and services cocooned in horrible mucus pods, twitching and begging for death.
I don't quite know how they do it, honestly. They are like the EA of enterprise software, except much, much, more virulent. At least EA often gets one last good release out of a formerly legendary studio before sending them to the knacker.
Thankfully they arenât the Computer Associates of enterprise software.
it's only a problem (for symantec) b/c they were found out.
otherwise, the way they have been conducting business is a beautiful free market circular profit-making gig.
morals/ethics? haha, you silly meat sack!
True enough; it could always be worse and somewhere it already is.
It's November 2015 now, and June 2016 is 7 months away. How can we manage our trust of Symantec in the meantime?
How about “Don't”?
Don't trust Symantec, or don't manage it?
How do I tell Chrome to not use Symantec as a CA now, in a way that persists across updates?
That's the one. They're not worthy. Haven't been for a long time.
(What to do about it in the real world…that's beyond internet smartass quality. I dunno. Sorry.)
What's the worst that could happen? Seven months is the blink of an eye in geological time.
This whole ssl/cert thing is a clusterfuck of epic proportions.
I believe that Chrome defers to the platform's certificate handling mechanism; with the exception of some additional features (certificate pinning for Google stuff, that sort of thing) that is layered on top.
In Windows, this means that you'd want to open mmc.exe, load the “certificates” snap-in and have at it.
OSX would use keychain for the same purpose. I'm not 100% sure what Chromium does on Linux, I'd need to check.
The trouble is, though, that Symantec owns a nontrivial chunk of the market, so unless Google manages to beat them into compliance, you can go ahead and distrust them yourself; but the breakage, it will be dramatic.
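As an added example (my own script, not code from the thread or from any browser vendor), here is the Windows half of that answer done in PowerShell instead of by hand in the mmc.exe snap-in. It assumes, as the post above states, that Chrome on Windows defers to the OS certificate stores, and that PowerShell 3.0 or later is available. The `Find-CaCertificate` and `Add-ToDisallowedStore` function names and the default `Symantec` match pattern are my own choices; the script only reports matches unless `-Apply` is given, because moving a widely used root into the Untrusted Certificates store will break TLS to every site chaining to it, which is the breakage the post warns about.

```powershell
# Added example: locate CA certificates whose subject or issuer matches a pattern in the
# Windows stores that platform-trusting browsers consult, and optionally copy them into the
# "Disallowed" (Untrusted Certificates) store. Windows treats a certificate present in
# Disallowed as explicitly distrusted during chain building, so the distrust survives a
# browser update; this is the scripted equivalent of dragging a certificate into
# "Untrusted Certificates" in the mmc.exe certificates snap-in.
# Assumptions (mine, not the thread's): PowerShell 3.0+, Windows, run elevated for
# LocalMachine stores. The default pattern is a constructed example; a CA's roots are
# not necessarily all branded with the company name, so adjust it before trusting the result.
param(
    [string]$Pattern = 'Symantec',
    [switch]$Apply
)

function Find-CaCertificate {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string[]]$StorePaths = @(
            'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
            'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
        )
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                # Keep the X509Certificate2 object so it can be added to another store later.
                [pscustomobject]@{
                    Store       = $path
                    Subject     = $_.Subject
                    Thumbprint  = $_.Thumbprint
                    NotAfter    = $_.NotAfter
                    Certificate = $_
                }
            }
    }
}

function Add-ToDisallowedStore {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
    )
    # "Disallowed" is the store the snap-in shows as "Untrusted Certificates".
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Add($Certificate)   # matched by thumbprint; harmless if already present
    } finally {
        $store.Close()
    }
}

$matches = @(Find-CaCertificate -Pattern $Pattern)
if ($matches.Count -eq 0) {
    Write-Host "No certificates matching '$Pattern' found in the inspected stores."
    return
}

Write-Host "Certificates matching '$Pattern':"
$matches | Select-Object Store, Subject, Thumbprint, NotAfter | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Report only. Re-run with -Apply to copy these into the Disallowed store."
    return
}

foreach ($m in $matches) {
    $location = if ($m.Store -like 'Cert:\LocalMachine*') { 'LocalMachine' } else { 'CurrentUser' }
    Add-ToDisallowedStore -Certificate $m.Certificate -Location $location
    Write-Host "Distrusted $($m.Thumbprint) ($location)"
}

# Verification: each thumbprint should now be visible under the Disallowed store.
Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed' -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -in $matches.Thumbprint } |
    Select-Object PSParentPath, Subject, Thumbprint | Format-Table -AutoSize
```

Run it once without `-Apply` and read the table before doing anything; the list is exactly what will stop validating afterwards. Reversing the change is a matter of deleting the entries from `Cert:\...\Disallowed` again (the snap-in or `Remove-Item` on the Cert: drive), since the originals are copied, not moved.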
You can manually remove Symantec's certs from your certificate store if you're so inclined (at least you can in Firefox).
There's your problem…
Oh come on. Just because FF is your horse…
(I use them both and I prefer Chrome.)