Chrome won't trust Symantec-backed SSL as of Jun 1 unless they account for bogus certs

You lay down with Google dogs and you’ll get up with fleas!

1 Like

I do wonder whether this is all intended to cover up a small number of bogus certs that some NSA mole in Symantec intentionally issued. I mean, really, does anyone doubt that NSA would do that? Not that they need to, but you know, diversity of attacks, contingency plans, redundancy.

4 Likes

Absolutely not putting on my tinfoil hat here, but I thought the same thing. However, given that they’re faked/corrupted/whatevs, I would think that opens the door to whoever has the technical skill to pull it off (e.g. NSA, Russia, Iran, China, hackers in any of the aforementioned, etc.).

Where I think of SSL certs being actively managed like this:

Apparently it’s like this (at least at Symantec):

1 Like

You sure can, but I think you and I know what would happen if you removed VeriSign from your cert store.

http://w3techs.com/technologies/overview/ssl_certificate/all

http://www.netcraft.com/internet-data-mining/ssl-survey/

It would hurt, bad.

So kids, don’t revoke symc unless you really, really know what you are doing.

I just said it could be done. I didn’t say it was a good idea!

2 Likes

In 2011, DigiNotar did exactly what Symantec is doing now. They received the internet death penalty as a result. Why is Symantec not being given the death penalty? This June 1 ultimatum is ridiculous nonsense. They should have had their root certificates revoked yesterday.

1 Like

And when Google or Mozilla breaks half the Internet and people leave their browsers in droves, we will have accomplished what?

There are practicalities in having products used by hundreds of millions of people that have one click switches to competitors.

BTW, I hope you didn’t create your account just for this one post.

1 Like

I believe DigiNotar was dropped like a hot potato because the most important customer (the Dutch government) pulled the plug; the company ran the PKI of the Netherlands. Symantec is a 400-pound gorilla, and any browser maker revoking the root cert would be flooded with complaints.

Only if all the important browsers removed the certs at the same time would it not disrupt the market shares; I don’t see a chance that this level of cooperation will happen.

Actually, the browser makers do coordinate on this and talk to each other. I’ve witnessed the talks. DigiNotar was an example. It doesn’t happen with lightning speed though, and getting…certain… companies on board can be hard.

Congratulations, you’ve just codified the principle of too big to fail. We tried this before with the banking system. How did that work out?

I don’t understand what competitors you’re talking about. Surely ALL the browser makers should be blacklisting Symantec as this kind of thing is a clear and gross violation of any major browser vendor’s root CA requirements. If browser vendors were doing their job (which they’re not), there would be no one to switch to.

But go ahead and keep defending what is a blindingly obviously totally broken system.

Don’t be an asshole. K? If so, go back to Reddit.

Let the adults do their jobs. I’m arguing that things take time and coordination. Oh, and different browsers compete with each other for customers…and Apple and Google, for example, have different corporate priorities.

Grandstand elsewhere and let the rest of us work in the real, functional world of people and acting groups or companies. Ideology won’t get you far in practical matters of working with frenemies.

1 Like

If you don’t like it, find a perfect browser and OS and stay there.

1 Like

That’s a terrible attitude and you know it. Of course I can fix the problem for myself. But in what world is this good enough? The value of the internet is connectivity. If other people have no security, then I have no security. We can do better. There is activity as we speak among standards bodies, IETF working groups, researchers, and concerned citizens. Complacency is not acceptable.

Well, I think your attitude is pretty terrible.

You aren’t thinking through how running a browser and a root store actually works with all the companies and parties involved and how folks practically deal with problems. Instead, you spout ideology and make comparisons to banks that screwed folks out of millions.

You’re pretending people aren’t actually working on problems or trying to solve them. Here’s a news flash, I actually work with the people in charge of Mozilla’s root store and who go to the various working groups and standards policy to try to make policy. They aren’t sitting around on their hands (with their thumbs up their asses) saying “Oh this is great, let’s change nothing.” On the other hand, they aren’t demanding solutions that won’t actually happen in the real world of multiple CAs, root stores, vendors, companies, etc. either. You can say “Cut off Symantec NOW or you’re doing EVIL!!!” all you want. That doesn’t change the constraints people with hundreds of millions or billions of customers (Hello Microsoft) work within for coordination.

I also don’t appreciate trolls who make accounts just to bitch on a single thread. Maybe after you’ve been here a few months, you’ll understand how this forum works for the community here.

2 Likes

Yeah… At this point no one is being complacent. And if you want to revoke VeriSign’s/Symantec’s roots, you may as well just shut down the Internet for a few months and spend time at the beach.

Symc needs to come clean with a serious audit, and prove that procedures will be in place (along with big ol’ contractual requirements with enormous penalties) so that this can’t happen again.

Welcome to the world of PKI.

2 Likes

It’s a royal pain in the ass. Like a lot of Internet infrastructure, it’s what we currently have to work with. I’ve had conversations with others in the community about how the CA trust model is broken, and I’ve seen some propose alternatives. (Moxie Marlinspike comes to mind.) There is still no drop-in replacement, and there are all sorts of issues around scaling.

1 Like

I know Moxie and he has good ideas. The problem is the legacy issue. How do you get the entire Internet to agree to implement a new system, and then how do you roll it out? Or, more realistically, how do you get Google, Apple, and Microsoft to agree to support things they don’t invent in their operating systems (let alone browsers)? Then you add Amazon, eBay, and others…

2 Likes

Right. That speaks directly to what I meant by “Like a lot of Internet infrastructure, it’s what we currently have to work with.”

I mean, hell, we can’t even fix sending email securely.

1 Like

At eBay, with millions in funding and support from the CEO, it would take two years to change 50% of live certs to a new vendor. Not that I know anything first-hand…

walks away whistling…

3 Likes