Google Details Plan To Distrust Symantec Certificates (tomshardware.com) 140
After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.
Should do the same with Google certificates (Score:1, Insightful)
Seriously getting tired of this company
Re: (Score:2)
Re: (Score:1)
Regardless of what Google does or doesn't do correctly regarding their own certs, Symantec has nobody to blame but themselves for this one. They deserve what they're getting because they played fast and loose with the rules to make a buck.
Re: (Score:3)
Brave seems a bit slow to start up and load the first page, otherwise the basic features seem to be ok.
That's fine (Score:1)
I don't trust anybody and neither should you.
Re: (Score:1)
I'm not buying that.
Google this, Google that (Score:2, Insightful)
I think it's about high time we actively start working around Google.
Sure they used to be cool, like 20 years ago. Now they're just a powerhungy privacy eating machine and very far from doing "no evil"; they need to go.
Re: Google this, Google that (Score:5, Interesting)
What work around? What company or service can you use to get the information or level of service you can by using Google products? If a new privacy centric company came out and took over the world they would become Google. With all of the same privacy concerns. Even a company you started and ran. Every single person on this planet would at some point make the exact same decisions Google has along the way. Unless you never get to this size and only stay a tiny fraction of a percent of the market. Then and only then will a company care about privacy. You sacrifice privacy in the name of convenience. Without convenience you can still have privacy. With convenience comes a lack of privacy. The more convenient our lives become the less privacy there will be. In 100 years even someone like yourself or the most private paranoid person will have ZERO privacy. The only people to have privacy then will be those using NO technology of anysort. So pretty much only the few Amish who remain alive in 100 years.
Re: (Score:3, Interesting)
The company I work for uses Google for hosting emails, group discussions, videoconferencing, document management etc. I can't just opt out of using Google products and still be able to do my job.
Re: (Score:2)
Yes but surely you wouldn't use the same identity for your work and personal life?
Re: (Score:2)
We use Microsoft's equivalents because, when it came to negotiating the license, the Google approach was take it or leave it, whereas MS worked with our IT folk to put together a contract that didn't violate any NDAs or regulatory requirements for data integrity that different departments had. The Google license was basically incompatible with any organisation that has any legal data protection requirements.
Privacy isn't just something that's nice for individuals to have, it's an absolute requirement fo
Windows Phone (Score:2)
We use Microsoft's equivalents
Including Microsoft's purported equivalent to Android? If so, how did you manage your migration from Windows Phone when Microsoft announced its end of life?
Re: (Score:2)
Re: (Score:2)
I disagree.
With what? That privacy is important, or that Google have inflexible terms? Be specific.
The fact that some Fortune 500 company is trusting Google with sensitive data, doesn't mean they should be doing so.
Re: (Score:2)
He covered that: "Google is only useful to people who make themselves dependant on them for some reason."
Re: (Score:2)
you can use a bunch of others like duckduckgo, bing, hotmaill.. ..
ehehehheheahahah.
anyways, most alternatives use google parts anyways. thats a bummer.
Re: (Score:1)
And Google has always been an advertising company with cool technology. Every single move Google makes is targeted towards increasing their ad revenue.
The only thing I take issue with there is "with cool technology". I've been forced to use their stuff. It only seems cool until you actually use it. Then the warts, boils and turds come out in force. It's almost as bad as MS tech, maybe worse these days.
Let me (Score:3, Interesting)
I was working on the computer a few nights ago, I booted it up, and started my browser. Up pops a screen, that tells me that Symantec and Arris have entered into a partnership to keep me safe from Malware.
Hmm, that's odd. I do my own security, and it works pretty well. And I want nothing to do with Symantec.
I try opening a few other web pages in safari and then Firefox. Same thing happens.
Crap - I think I've been nailed. Well, I have a good backup system. It will be a PITA, but whatever.
So before I did that, I went back and looked at the browser hijack page. I click on the "why am I seeing this?" link. I get a certificate not valid. Shit. I click on the Terms of service link. Same thing. I try a few more random pages. Nothing works. And when you can't read the terms of service, something is really wrong. So I start to re-image the machine. This will take most of my evening away.
I call Arris to tell them of the problem. And they tell me that this is a new feature they are rolling out to select customers.
A few seconds while I absorb this. Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now! I told them their "service" presents as a browser hijack, I did not and would not sign any terms that I didn't accept when I bought the router, and if it wasn't gone immediately, I would box up the router, and return it to where I bought it, with a full explanation and review of the problem. So they then had to work with Symantec to kill what they had done.
Sorry Symantec, take your browser hijack which won't let me access any websites unless I agree to terms that I cannot see, and bend over, and shove it up your anus as far as you can, using a pincone, then a baseball bat, and after that, a dildo covered with sandpaper.
Re:Let me (Score:5, Informative)
This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."
WTF, this is supposed to be a site for nerds. It says so right there at the top.
Re:Let me (Score:4, Funny)
I suppose being a nerd doesn't mean you actually know anything...
Re:Let me (Score:5, Insightful)
Re: (Score:2)
+1, the grandparent is an asshole
Re: (Score:2)
Re: (Score:3)
ISPs have been screwing to HTTP for over a decade around here. When I have issues the first thing I check is if I'm not connected to my VPN for some reason, and if I get the same result on a mobile connection. I've never had to go beyond checking those two so far.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Seeing browser hijack and concluding your machine was pwned isn't unreasonable. Injection by ISP is such sacrilege that it isn't something most techies would check as the first step.
Exactly. https://en.wikipedia.org/wiki/... [wikipedia.org] It is not unusual for a hijack to also install a keylogger, so at the time, this happened, I wasn't for certain that I wasn't totally pwned. Seriously unethical, and regardless, I had no internet access unless I either called Arris and got the shit turned off, or clicky clicky on a mysterious link that would install or do gawd knows what.
What is a little surprising is self acknowledged experts who seem to think otherwise. I personally am interested in their mo
Re: Let me (Score:2)
Re: (Score:1)
Much like Google removed its "Don't be Evil" motto when they rebranded into Alphabet, Slashdot removed the "News for Nerds" motto some years ago. Now it's just a property of dice.com or whoever the hell owns it now.
You can see on the front page, comments barely go into triple digits any more. Slashdot is a shell, and I don't know why I keep coming here. Habits are hard to break.
Re: (Score:1)
Much like Google removed its "Don't be Evil" motto when they rebranded into Alphabet,
Google effectively toilet papered its "Don't be Evil" motto when it went public in 2004.
Re: (Score:2)
Which was really a pretty sketchy motto to begin with. Who has to remind themselves not to be evil so much that it becomes a motto?
Re: (Score:1)
Re: (Score:2, Interesting)
As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.
They are wron
Re: (Score:2)
As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.
They are wrong. That's why an average system needs dozens of weekly patches. That's why modern software still falls victim to the same old exploits. That is why my field exists.
So I should probably give thanks for security incompetence to be the norm among even the most veteran programmers.
Okay, since all of the experts here on Slashdot are pillorying my for my stupidity, now that I have a security professional, I'd like a security professional's answer.
You are sitting at a computer that has been functioning properly for a long time. Typical security procedures, an anti-virus, regular updates, firewall both on the computer and on the router.
Now, instead of any internet access, when you open a browser, you get one screen only. An announcement that the router you are using's manufacturer a
Re: (Score:2)
Re: (Score:2)
This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."
WTF, this is supposed to be a site for nerds. It says so right there at the top.
Oh, dear, I'm getting a lecture. Lookie fellow, this transpired over time, and it was rather shocking that even McAffee, who don't have a lot of ethics to begin with, would hijack a browser.
I'd have to first Know that McAffee and Arris had entered into this unholy matrimony, Then I'd have to not be suspicious of of links that gave me 1, bad certificates ( perhaps you as a self acknowledged genius like bad certificates) and the other link for the TOS, didn't show me anything.
What they may or may not h
Re: (Score:2)
How did you conclude it's the ISP? If Symantec and Arris enter into a partnership it's even possible you got bum router firmware from Arris.
In a world where every device can be updated automatically at any time, any device can be updated at any time.
But thanks for the correction.
It wasn't the ISP. It was Arris and Symantec. But that was only confirmed by contacting Arris, and later Symantec.
I wonder if slashdotters think that any webpage they go to is legit. If so, it brings some understanding to the number of security breaches like Equifax et al. Security like that is hard to find. Or not.
Re: (Score:2)
You forgot the rough corn cob...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
"bend over, and shove it up your anus as far as you can, using a pincone, then a baseball bat, and after that, a dildo covered with sandpaper. "
Ok we get it! Did you really have to go into such detail? Some of us are at work and it gets real embarrassing to pop a boner in front of everyone.... Geez.
Re: (Score:3)
Re: (Score:1)
Re: (Score:2, Insightful)
You called Arris? Arris doesn't do MITM, they do hardware. Your ISP does MITM. Time Warner (now Spectrum), Cox, Xfinity, or whatever, is your ISP. That's who you call. Also, Arris is in bed with McAfee, not Symantec. Are you using your ISPs DNS servers on your router? STOP DOING THAT IMMEDIATELY! Use OpenDNS, or Comodo, or Level3, or anything else! If you still see anything off, use a VPN.
Re: (Score:3)
Re: (Score:2)
You say that like it is an insult. The real joke is on you though. Slashdot is a mere shell of what it once was. Given the choice between the two, Reddit is going to win.
DK
Re: (Score:2)
Re: (Score:2)
You don't know how computers work, go play in reddit.
Oh yes, I'm the dumbest asshole on the planet.
Tell me, if you lost internet access, and the only way you could get it back was to click on the only webpage that showed up, would you without hesitation, click on that link? You either have no access, call the people who are presumably the ones who did this to you, or click the link.
If you answer anything other than you contact the people responsible, you have absolutely no place telling me I know nothing, and frankly, you need to stick to surfing shemal
Re: (Score:2)
Re: (Score:2)
I'd use check my router IP settings and then use ping and traceroute to start with, just to see what's going on. If you think not having access to the world wide web is the same as losing internet access you really should stick to something less technical.
So anyhow, you would not have engaged in communications with the people who claimed to have enabled this? Elucidate, and instead of being a slashdot genius, tell me why I should not have.
Re: (Score:2)
It's cool if you don't want to know how the stuff you use works, I bet almost no one knows how all the stuff they use works, there is a lot of technology in use today. But this is supposed to be a technical site; different standards. And no, I would not have called Arris, but then I don't
Re: (Score:2)
You asked the router manufacturer (Arris) to "remove the Symantec from your computer", and then you reimage your PC when someone tries to MitM you? If that actually makes sense to you then I stand by everything I've said.
No, actually I did not. say tha. You might think that you are smarter than me in all ways, but what I wrote, and which for some unknown reason you lied about is:
"Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now!
That is cut and pasted from my post. You can put that in quotes. Not what you did. Because what you put in quotes was untrue.
An unreasonable request? I did not know at the time if "anything" that had anything to do with Sy
Re: (Score:2)
Yes, it's unreasonable to ask a router OEM to alter the configuration of your PC unless you have some sort of contract with them.
My first suspicion given the very limited info you have provided is that your browser traffic was being routed through some sort of sandboxing and/or deep inspection proxy, but I can't be sure without actually having a look. The agency being used to implement that redirection could be many places but most likely it's so
Re:Let me (Score:5, Informative)
Re: (Score:2)
What about Firefox? (Score:4, Interesting)
What's Mozilla's plan? Are they going to continue to trust the old certs?
Re: (Score:1)
Their lets-just-copy-whatever-chrome-does -management team goes to Hawaii for some strategy meetings that take a week and concludes that while they do not understand why chrome did some change, they will copy that change anyway.
Re: (Score:2)
Sure is alot of nasty replies in the field here today. You'd almost wonder if someone else (competitor) was mounting a sponsored campaign to tear down the site.
TRUST is supreme (Score:5, Interesting)
Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.
They may have many products & services, or only a few, but without TRUST they have nothing.
Re: (Score:2)
One of the problems that PGP solved a quarter century ago, was understanding that it's hard/foolish to put all your eggs in one basket. Trust is a matter of degrees. It's batshit insane that our trust levels are "I completely trust you, absolutely" and "I don't trust you at all." In real life, you almost never use the former, and you trivially upgrade from the latter (but almost never all the way up to the former!).
When an introducer is sort of trusted, and sort of not, it should be entered that way and han
Re: (Score:2)
"disgraced themselves at some time and somehow survived"
They survived because for a large number of people trust isn't supreme: they are liars, they lie to themselves and to others, and when liars discover that a company they use has lied, well, deep down they know it's not that bad. They like their Volkswagen, nay love their Volkswagen, and so internal logic concludes it's not worth changing car companies over some lie that hardly affected them. For these people, and to an extent all people, trust is set r
Re: (Score:2)
When it comes to car companies, why did you single out Volkswagen? They weren't the only one to cheat on the tests, most of the companies have been found to have done so since then. They were just the first one discovered. Or were you thinking of something else.
With cars, I would have picked Ford for the "Ford firebomb" otherwise known as the Pinto.
Re: (Score:2)
Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.
They may have many products & services, or only a few, but without TRUST they have nothing.
I think just about every single company you've listed proves your point wrong - we have seen time and time again that companies who lose the trust of their userbase still manage to stay in business, sometimes even thrive.
Companies have proven in practice that without TRUST it'll still be business as usual.
Good, let's distrust these lying sacks (Score:5, Informative)
Basically, what happened is that Symantec allowed "foreign entities" (in countries like China, Italy, Brazil, Korea, Japan, Spain etc) to create certificates using it's root certificate.
Initially someone pointed out that they were just signing a bunch of test domains that were actually registered but both internal and external audits eventually found that they had delegated signing through cross-certificates to various banks and telecom agencies and ~30,000 certs were being issued by these "Regional Authorities" including google.com and various of it's subdomains.
Symantec has proven to not be trustworthy, initially it appeared to whitelist NSA malware, now we see that it's just giving away signing authority to international agencies and governments.
Re:Good, let's distrust these lying sacks (Score:4, Informative)
Here's the real problem:
By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.
Waiting a year is bullshit. All Symantec certs should be distrusted effective November 1 of this year, not next year. If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.
Re:Good, let's distrust these lying sacks (Score:5, Informative)
Re: (Score:2)
A year seems a long time. I'd start by immediately downgrading all EV certs from Symantec to normal certs. Then, a month later, remove the padlock icon entirely and treat them as if they were HTTP. Two months after that, distrust them entirely.
As for those innocent businesses: they were sold a cert by Symantec with 'accepted by all major browsers' in the advertising. They're going to get a full refund (and if they don't, you can bet that the class action suit will hurt Symantec more than giving refun
Re: (Score:2)
It would be better to let the customers get hurt I'm afraid. They can sue Symantec for any costs or lost revenue. If it's that critical then Symantec should have had indemnity insurance and the customers should have had insurance.
Don't forget, the consequence of delaying is that innocent people can be victimized with bad Symantec certificates. There is no option that avoids harming anyone.
Re: (Score:2)
If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.
You're talking from the perspective of a company where the website is an active and maintained part of their strategy. There are many for which a website is nothing more than a tool, many small shops with small online shopping carts, completely 3rd party outsourced IT where this will do no more than cause them additional expense assuming they are aware of the issue at all before the entire site goes down the red warning hole.
Re: (Score:2)
Too Slow (Score:5, Informative)
They should have done this much faster. Once they decided there was a problem, tell people they have 90 days to get a new certificate. What's the big deal? For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).
There was no reason to give Verisign enough time to salvage their business and sell it off instead of just killing them the way they should have been.
Re: (Score:2)
If an untrusted cert breaks things, then the user's browser is defective.
It should work, but the UI should indicate that it's not totally sure who the user is connected to. That's ok to do, because it's true. (An untrusted cert should never, ever have any negative consequences or keep things from working if the user so chooses; it
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).
Why exactly is Let's Encrypt actually good enough? How is Let's Encrypt any better than StartSSL - which has already had its trust revoked?
Current initiatives of major browser developers such as Mozilla and Google to deprecate unencrypted HTTP are counting on the availability of Let's Encrypt. - Wikipedia [wikipedia.org]
Which is extremely humorous considering that Let's Encrypt requires tcp/80 to be open for ACME (Automated Certificate Management Environment) to verify the initial identity of the host name being requested. By requiring tcp/80 to be open you're doubling the attack surface of something that could have only needed tcp/443.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Let's Encrypt so far hasn't yet gotten their hands caught in the cookie jar and they are infinitely more transparent than most paid cert providers. Certificate providers in general do not put up a public ledger of all certificates it has signed, they barely even verify whether you are the owner of a domain and/or site. LE at least requires valid domain setups and unless you've been rooted (at which all bets are off regardless of your CA) you have to put up a challenge to make sure you can renew and certs ar
What great timing (Score:3)
Re: (Score:2)
On the converse, our company will be dropping Symantec AV in less than a month (which means we will have zero Symantec on our network). No more SEPM server, I really don't like using it. It is a huge PITA.