Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities


#1

Originally published at: http://boingboing.net/2017/03/24/symantec-considered-harmful.html


#2

Eat shit, Symantec :smile:


#3

Symantec’s fine products gave me nothing but headaches at my last job, deleting (sometimes randomly) software tools that I needed which were not officially approved by corporate. Unless you are a big corporation, Symantec seems to have no interest in fixing such issues.

I got a laugh one day when I noticed that it was repeatedly quarantining one of its own files.

They deserve it.


#4

How the mighty have fallen.


#5

Just another point of view…

Unfortunately anyone can post anything on the internet as there is no vetting process. Here are the true facts: The real number is 127 certificates that were identified as mis-issued (with no consumer harm), and not 30,000. This was due to a 3rd party registration authority’s error, who, by the way, has now been terminated.


#6

Citation?

ETA: according to the Ryan Sleevi post linked above:

an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years.

So, while you may have been right that the initial problem was 127 certificates which were quickly fixed, it looks like the problem is much bigger.

And, forgive me, but without an accompanying citation, I’m going to trust Ars and Google’s tech team more than I trust a random online commenter.


#7

That is…distinctly…not what Team Chrome is saying.

See: the outline

The initial problem report was reported publicly, through Mozilla’s dev.security.policy mailing list, at https://groups.google.com/d/msg/mozilla.dev.security.policy/fyJ3EK2YOP8/yvjS5leYCAAJ

In the course of understanding these issues, representatives of Mozilla and Google both addressed follow-up questions to Symantec, as did broader members of the community and peers of the Mozilla Root CA Certificate module.

Symantec’s replies are (generally) available at https://bugzilla.mozilla.org/show_bug.cgi?id=1334377 and share further details.

These entities are CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A. Each of these entities was authorized by Symantec to perform validation services for information within the certificate, including organizational information and domain names. This process is permitted by the Baseline Requirements, but requires both that the CA accept liability for any issues that emerge through such a relationship, and that the CA ensure these entities are appropriately audited to the equivalent criteria for the validation roles that they perform, so that all certificates issued meet a consistent level of quality.

As demonstrated through the information provided, these four entities did not follow the appropriate practices or did not possess the appropriate and necessary audits from the appropriate parties. Symantec has acknowledged they were actively aware of this for at least one party, failed to disclose this to root programs, and did not sever the relationship with this party.

In effect, each of these parties was able to effect issuance by validating information improperly. At least 30,000 certificates were issued by these parties, with no independent way to assess the compliance of these parties to the expected standards. Further, these certificates cannot be technically identified or distinguished from certificates where Symantec performed the validation role. As a consequence, the insufficient demonstration of compliance, along with the inability to distinguish such certificates, combined with the incomplete identification of the scope of the issues, create a degree of uncertainty related to the entire corpus of certificates, for which the only meaningful way to restore that confidence is to propose a gradual distrusting of the existing certificates, so that all new certificates are fully validated according to the appropriate standards.

“Further, these certificates cannot be technically identified or distinguished from certificates where Symantec performed the validation role.” is particularly troubling.

Not only did they have 4 distinct, and troubled in their own ways, affiliates running around and screwing things up, their systems were set up such that certs ‘validated’ by the affiliates are not visibly different from Symantec-validated ones; meaning that several different, and distinctly uneven, levels of practice are invisibly conflated under a single brand.

They also had the ‘rogue engineers’ episode back in 2015, which they ‘fixed’ by firing some people; and then learned was bigger and nastier than originally revealed when Google turned the screws and made them look harder; but this latest episode is apparently a new chapter in the saga.

Symantec is lucky that just purging them with fire and sword would basically break the internet; because they sure aren’t doing much to deserve their existence at this point (particularly as a CA, though most of their other products are incidentally shit as well).
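An added example (not from this thread, Google or Symantec) of the “gradual distrusting” the quoted proposal describes: certificates that chain to a distrusted issuer stay accepted if issued before a cutoff date and are rejected if issued on or after it, so sites can reissue before anything breaks. The CA name, hostnames and the 2016 cutoff are constructed test values; real root programs key on the root’s public key, not a display name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed name for the distrusted CA (real policies match on root key, not name).
var distrustedOrgs = map[string]bool{"Example Legacy CA": true}

// evaluateChain: a leaf chaining to a distrusted issuer is rejected only if its NotBefore is on/after cutoff.
func evaluateChain(chain []*x509.Certificate, cutoff time.Time) bool {
	for _, c := range chain {
		for _, org := range c.Issuer.Organization {
			if distrustedOrgs[org] && !chain[0].NotBefore.Before(cutoff) {
				return false
			}
		}
	}
	return len(chain) > 0 // an empty chain is never trusted
}

// makeCert issues a test certificate signed by parent (self-signed root when parent is nil).
func makeCert(org string, from time.Time, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{Organization: []string{org}}, NotBefore: from,
		NotAfter: from.AddDate(10, 0, 0), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo returns verdicts for a leaf issued before the (constructed) cutoff and one issued after it.
func demo() (bool, bool) {
	cutoff := time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)
	ca, caKey := makeCert("Example Legacy CA", cutoff.AddDate(-5, 0, 0), true, nil, nil)
	old, _ := makeCert("old.example", cutoff.AddDate(0, -1, 0), false, ca, caKey)
	recent, _ := makeCert("new.example", cutoff.AddDate(0, 1, 0), false, ca, caKey)
	return evaluateChain([]*x509.Certificate{old, ca}, cutoff), evaluateChain([]*x509.Certificate{recent, ca}, cutoff)
}

func main() { println(demo()) } // true false
```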


#8

You don’t say…


#9

Plus, the mere existence of faulty certs indicates a fallible process; and unless you can identify why the process failed in those cases (and verify that it did not in the others), revoking the known-bad certs is a more or less purely symptomatic treatment. Certainly better than doing nothing, since it keeps those certs from being misused (as easily; revocation is a problematic process); but if you don’t know why faulty certs made it into the wild, you have no good reason to believe that it won’t happen again.

Even worse, the faulty certs weren’t detected by Symantec, they were picked up by 3rd party researchers, with the help of the certificate transparency system more or less forced on the CAs because they weren’t being competent enough themselves; so even if occasional manufacturing defects were a fact of life (which shouldn’t be true for the math side; but might be for the paperwork/EV side) it is clear that in-house QA isn’t happening. Not impressive.


#10

It made me think of Vernor Vinge’s Rainbows End, when a high-level certificate is revoked with massive cascading collateral damage in an Internet of Everything world.

Symantec? GrumpyCat.Good.


#11

Hi Ed!

Welcome to bOINGbOING!

I know you haven’t had much time, since you only joined a couple of hours ago, but I hope you’ll read and contribute to some other threads.

We welcome healthy skepticism here :slight_smile:


#12

I wonder if the ratio of bad certificates is worse with Symantec or if it is just that they issue so many that makes their failures stand out.


#13

It seems that there is a concerted effort to make people not want to use this wonderful information sharing technology.

I wonder who and why?


#14

Ed, I just ran across Symantec’s official response, https://www.symantec.com/connect/blogs/symantec-backs-its-ca posted this morning. Wording looks very similar indeed to yours. Do you just not make a habit of linking/citing when paraphrasing, or are you here on business?

“Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” they wrote. “For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates—not 30,000—were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program.”


#15

Here on business and I do normally include the link. I knew someone would have a negative comment when I mentioned “there’s no vetting on the internet”. Thanks for including the link too, by the way.

Ed


#16

Remember when the Symantec name meant quality? Now it’s just a joke and I tell people to remove their “security” software and go with other options.


#17

As a matter of courtesy, just saying so up front would be much appreciated. Symantec is certainly entitled to respond, and as far as I know BBS has no rules against representatives posting; but mentioning that your post sounds an awful lot like the official statement because you are coming by to deliver it, rather than just passing over the fact without comment, is strongly in your favor when it comes to perceived candor and sincerity.


#18

No, that’s not another point of view, that flies in the face of the facts Google presented. Perhaps you meant “alternative facts”, as the current US government seems to be providing?

More importantly? No, this isn’t somewhere without a “vetting process”. We routinely update, correct, and retract factually false statements. We don’t allow anyone to post anything here. You might want to learn a bit more about the places that you visit online before you declare us all to be of no journalistic value.

Thanks! And Welcome to Boing Boing BBS!


#19

No worries here, just converted all my clients over to Let’s Encrypt certificates.

Giving Symantec (or any other CA) $100 a year? No longer a viable business.


#20