
Google Details Plan To Distrust Symantec Certificates (tomshardware.com) 140

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.
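The milestones in the summary above can be applied to a certificate inventory to see which replacements are due first. The script below is an added example, not code from the story, Google or Chrome. It assumes "December 1" means December 1, 2017, and that a legacy certificate can be recognised by the issuer organisation printed by `openssl x509 -noout -issuer -startdate`; the function names and sample inventory are constructed for illustration.

```python
import re
from datetime import datetime

# Milestones taken from the summary above.
CHROME_66_ISSUED_BEFORE = datetime(2016, 6, 1)
# Assumption: "December 1" is December 1, 2017 (the year of the story).
OLD_INFRA_END = datetime(2017, 12, 1)

# Assumption: match on the issuer organisation (O=). Chrome decides on the root
# the chain leads to, so this is only a first-pass filter for an inventory.
# VeriSign, GeoTrust, Thawte and RapidSSL are Symantec-owned brands.
LEGACY_ORGS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")

ORG_RE = re.compile(r'\bO\s*=\s*"?([^,/"\n]+)')
START_RE = re.compile(r"notBefore=(.+)")

# Buckets ordered from most to least urgent.
URGENCY = ["post-dec-1", "chrome-66", "chrome-70", "not-matched"]


def parse_openssl(text):
    """Return (issuer organisation, notBefore) from openssl text output.

    Handles both issuer layouts: "/C=US/O=..." and "C = US, O = ...".
    """
    org = ORG_RE.search(text)
    start = START_RE.search(text)
    if not org or not start:
        raise ValueError("issuer organisation or notBefore missing")
    not_before = datetime.strptime(start.group(1).strip(), "%b %d %H:%M:%S %Y GMT")
    return org.group(1).strip(), not_before


def classify(org, not_before):
    """Map one certificate to the milestone at which Chrome stops trusting it."""
    if not any(name in org.lower() for name in LEGACY_ORGS):
        return "not-matched"
    if not_before < CHROME_66_ISSUED_BEFORE:
        return "chrome-66"      # issued before June 1, 2016
    if not_before >= OLD_INFRA_END:
        return "post-dec-1"     # issued by the old infrastructure after the cutover
    return "chrome-70"          # everything else goes with Chrome 70


def triage(inventory):
    """Return (host, org, issue date, bucket) rows, most urgent first."""
    rows = []
    for host, text in inventory.items():
        org, not_before = parse_openssl(text)
        rows.append((host, org, not_before.date().isoformat(), classify(org, not_before)))
    return sorted(rows, key=lambda r: (URGENCY.index(r[3]), r[2]))


# Constructed sample inventory: hostnames and dates are made up.
SAMPLE = {
    "shop.example.test": "issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, "
                         "CN = Symantec Class 3 Secure Server CA - G4\n"
                         "notBefore=Mar  3 00:00:00 2016 GMT\n",
    "www.example.test": "issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3\n"
                        "notBefore=Sep 20 00:00:00 2017 GMT\n",
    "api.example.test": "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\n"
                        "notBefore=Aug  1 12:00:00 2017 GMT\n",
    "old.example.test": 'issuer=C = US, O = "thawte, Inc.", CN = thawte SSL CA - G2\n'
                        "notBefore=Jan 15 00:00:00 2018 GMT\n",
}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("{:<20} {:<22} {}  {}".format(*row))
```

A "not-matched" result only means the issuer string did not match; confirm against the actual chain before treating a certificate as unaffected.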

  • by Anonymous Coward

    Seriously getting tired of this company

  • by Anonymous Coward

    I don't trust anybody and neither should you.

  • by Anonymous Coward

    I think it's about high time we actively start working around Google.
    Sure they used to be cool, like 20 years ago. Now they're just a power-hungry privacy eating machine and very far from doing "no evil"; they need to go.

    • by Anonymous Coward on Monday September 11, 2017 @10:59PM (#55178661)

      What work around? What company or service can you use to get the information or level of service you can by using Google products? If a new privacy centric company came out and took over the world they would become Google. With all of the same privacy concerns. Even a company you started and ran. Every single person on this planet would at some point make the exact same decisions Google has along the way. Unless you never get to this size and only stay a tiny fraction of a percent of the market. Then and only then will a company care about privacy. You sacrifice privacy in the name of convenience. Without convenience you can still have privacy. With convenience comes a lack of privacy. The more convenient our lives become the less privacy there will be. In 100 years even someone like yourself or the most private paranoid person will have ZERO privacy. The only people to have privacy then will be those using NO technology of any sort. So pretty much only the few Amish who remain alive in 100 years.

      • by gl4ss ( 559668 )

        you can use a bunch of others like duckduckgo, bing, hotmail.. ..

        ehehehheheahahah.

        anyways, most alternatives use google parts anyways. that's a bummer.

  • Let me (Score:3, Interesting)

    by Ol Olsoc ( 1175323 ) on Monday September 11, 2017 @10:00PM (#55178449)
    Tell you about Symantec.

    I was working on the computer a few nights ago, I booted it up, and started my browser. Up pops a screen, that tells me that Symantec and Arris have entered into a partnership to keep me safe from Malware.

    Hmm, that's odd. I do my own security, and it works pretty well. And I want nothing to do with Symantec.

    I try opening a few other web pages in safari and then Firefox. Same thing happens.

    Crap - I think I've been nailed. Well, I have a good backup system. It will be a PITA, but whatever.

    So before I did that, I went back and looked at the browser hijack page. I click on the "why am I seeing this?" link. I get a certificate not valid. Shit. I click on the Terms of service link. Same thing. I try a few more random pages. Nothing works. And when you can't read the terms of service, something is really wrong. So I start to re-image the machine. This will take most of my evening away.

    I call Arris to tell them of the problem. And they tell me that this is a new feature they are rolling out to select customers.

    A few seconds while I absorb this. Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now! I told them their "service" presents as a browser hijack, I did not and would not sign any terms that I didn't accept when I bought the router, and if it wasn't gone immediately, I would box up the router, and return it to where I bought it, with a full explanation and review of the problem. So they then had to work with Symantec to kill what they had done.

    Sorry Symantec, take your browser hijack which won't let me access any websites unless I agree to terms that I cannot see, and bend over, and shove it up your anus as far as you can, using a pinecone, then a baseball bat, and after that, a dildo covered with sandpaper.

    • Re:Let me (Score:5, Informative)

      by StikyPad ( 445176 ) on Monday September 11, 2017 @10:18PM (#55178511) Homepage

      This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

      WTF, this is supposed to be a site for nerds. It says so right there at the top.

      • Re:Let me (Score:4, Funny)

        by jonnythan ( 79727 ) on Monday September 11, 2017 @10:28PM (#55178553)

        I suppose being a nerd doesn't mean you actually know anything...

      • Re:Let me (Score:5, Insightful)

        by sinij ( 911942 ) on Monday September 11, 2017 @10:48PM (#55178623)
        Seeing browser hijack and concluding your machine was pwned isn't unreasonable. Injection by ISP is such sacrilege that it isn't something most techies would check as the first step.
        • +1, the grandparent is an asshole

        • It's commonplace in other parts of the world, China, India, Philippines, etc. They'll not only inject ads into your browsing session, but on mobile they'll put one of those Apple-style floating circles in the corner, to "help" you.
        • by AmiMoJo ( 196126 )

          ISPs have been screwing to HTTP for over a decade around here. When I have issues the first thing I check is if I'm not connected to my VPN for some reason, and if I get the same result on a mobile connection. I've never had to go beyond checking those two so far.

        • by Holi ( 250190 )
          Cable companies using DNS redirects isn't something you expect? That's been the norm for years now.
          • by Gr8Apes ( 679165 )
            yep, started running my own DNS setup to completely ignore my ISP. Their stupidity continues.
        • Seeing browser hijack and concluding your machine was pwned isn't unreasonable. Injection by ISP is such sacrilege that it isn't something most techies would check as the first step.

          Exactly. https://en.wikipedia.org/wiki/... [wikipedia.org] It is not unusual for a hijack to also install a keylogger, so at the time, this happened, I wasn't for certain that I wasn't totally pwned. Seriously unethical, and regardless, I had no internet access unless I either called Arris and got the shit turned off, or clicky clicky on a mysterious link that would install or do gawd knows what.

          What is a little surprising is self acknowledged experts who seem to think otherwise. I personally am interested in their mo

        • If you didn't install or change any software yourself, yes, troubleshooting as a DNS issue would be first priority. Wouldn't you want to find out how the mysterious infection occurred before reimaging and having it reinfected? Seriously, this was poor troubleshooting. Do you freak out the first time signing into a hotel hotspot with walled garden redirect? If not, you're smarter than OP.
      • Much like Google removed its "Don't be Evil" motto when they rebranded into Alphabet, Slashdot removed the "News for Nerds" motto some years ago. Now it's just a property of dice.com or whoever the hell owns it now.

        You can see on the front page, comments barely go into triple digits any more. Slashdot is a shell, and I don't know why I keep coming here. Habits are hard to break.

        • by Gr8Apes ( 679165 )

          Much like Google removed its "Don't be Evil" motto when they rebranded into Alphabet,

          Google effectively toilet papered its "Don't be Evil" motto when it went public in 2004.

          • by chihowa ( 366380 )

            Which was really a pretty sketchy motto to begin with. Who has to remind themselves not to be evil so much that it becomes a motto?

            • by Gr8Apes ( 679165 )
              Not really that sketchy, IMHO, as when they started it was just a search engine, not an ad serving platform.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

        They are wron

        • As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

          They are wrong. That's why an average system needs dozens of weekly patches. That's why modern software still falls victim to the same old exploits. That is why my field exists.

          So I should probably give thanks for security incompetence to be the norm among even the most veteran programmers.

          Okay, since all of the experts here on Slashdot are pillorying me for my stupidity, now that I have a security professional, I'd like a security professional's answer.

          You are sitting at a computer that has been functioning properly for a long time. Typical security procedures, an anti-virus, regular updates, firewall both on the computer and on the router.

          Now, instead of any internet access, when you open a browser, you get one screen only. An announcement that the router you are using's manufacturer a

      • by Holi ( 250190 )
        Or change your DNS servers
      • This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

        WTF, this is supposed to be a site for nerds. It says so right there at the top.

        Oh, dear, I'm getting a lecture. Lookie fellow, this transpired over time, and it was rather shocking that even McAfee, who don't have a lot of ethics to begin with, would hijack a browser.

        I'd have to first Know that McAfee and Arris had entered into this unholy matrimony, Then I'd have to not be suspicious of links that gave me 1, bad certificates ( perhaps you as a self acknowledged genius like bad certificates) and the other link for the TOS, didn't show me anything.

        What they may or may not h

    • by sgage ( 109086 )

      You forgot the rough corn cob...

    • by Anonymous Coward

      "bend over, and shove it up your anus as far as you can, using a pinecone, then a baseball bat, and after that, a dildo covered with sandpaper. "

      Ok we get it! Did you really have to go into such detail? Some of us are at work and it gets real embarrassing to pop a boner in front of everyone.... Geez.

    • So, how do you really feel about Symantec?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You called Arris? Arris doesn't do MITM, they do hardware. Your ISP does MITM. Time Warner (now Spectrum), Cox, Xfinity, or whatever, is your ISP. That's who you call. Also, Arris is in bed with McAfee, not Symantec. Are you using your ISP's DNS servers on your router? STOP DOING THAT IMMEDIATELY! Use OpenDNS, or Comodo, or Level3, or anything else! If you still see anything off, use a VPN.

    • You don't know how computers work, go play in reddit.
      • by dkone ( 457398 )

        You say that like it is an insult. The real joke is on you though. Slashdot is a mere shell of what it once was. Given the choice between the two, Reddit is going to win.

        DK

      • You don't know how computers work, go play in reddit.

        Oh yes, I'm the dumbest asshole on the planet.

        Tell me, if you lost internet access, and the only way you could get it back was to click on the only webpage that showed up, would you without hesitation, click on that link? You either have no access, call the people who are presumably the ones who did this to you, or click the link.

        If you answer anything other than you contact the people responsible, you have absolutely no place telling me I know nothing, and frankly, you need to stick to surfing shemal

        • I'd check my router IP settings and then use ping and traceroute to start with, just to see what's going on. If you think not having access to the world wide web is the same as losing internet access you really should stick to something less technical.
          • I'd check my router IP settings and then use ping and traceroute to start with, just to see what's going on. If you think not having access to the world wide web is the same as losing internet access you really should stick to something less technical.

            So anyhow, you would not have engaged in communications with the people who claimed to have enabled this? Elucidate, and instead of being a slashdot genius, tell me why I should not have.

            • You asked the router manufacturer (Arris) to "remove the Symantec from your computer", and then you reimage your PC when someone tries to MitM you? If that actually makes sense to you then I stand by everything I've said.

              It's cool if you don't want to know how the stuff you use works, I bet almost no one knows how all the stuff they use works, there is a lot of technology in use today. But this is supposed to be a technical site; different standards. And no, I would not have called Arris, but then I don't
              • You asked the router manufacturer (Arris) to "remove the Symantec from your computer", and then you reimage your PC when someone tries to MitM you? If that actually makes sense to you then I stand by everything I've said.

                No, actually I did not say that. You might think that you are smarter than me in all ways, but what I wrote, and which for some unknown reason you lied about is:

                "Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now!"

                That is cut and pasted from my post. You can put that in quotes. Not what you did. Because what you put in quotes was untrue.

                An unreasonable request? I did not know at the time if "anything" that had anything to do with Sy

                • Yeah, it was paraphrased. The facts presented are the same.

                  Yes, it's unreasonable to ask a router OEM to alter the configuration of your PC unless you have some sort of contract with them.

                  My first suspicion given the very limited info you have provided is that your browser traffic was being routed through some sort of sandboxing and/or deep inspection proxy, but I can't be sure without actually having a look. The agency being used to implement that redirection could be many places but most likely it's so
    • Re:Let me (Score:5, Informative)

      by phantomfive ( 622387 ) on Tuesday September 12, 2017 @01:41AM (#55179057) Journal
      You shouldn't have an Arris modem anyway. They are back-doored [blogspot.com], with hard-coded credentials [nomotion.net]. Arris security makes Equifax look like Fort Knox.
    • Ah yess Symantec https://www.flickr.com/photos/... [flickr.com]
  • What about Firefox? (Score:4, Interesting)

    by Anonymous Coward on Monday September 11, 2017 @10:14PM (#55178503)

    What's Mozilla's plan? Are they going to continue to trust the old certs?

    • by Anonymous Coward

      Their lets-just-copy-whatever-chrome-does -management team goes to Hawaii for some strategy meetings that take a week and concludes that while they do not understand why chrome did some change, they will copy that change anyway.

    • They're planning on matching Google's plan: https://www.thesslstore.com/bl... [thesslstore.com]

      Sure is a lot of nasty replies in the field here today. You'd almost wonder if someone else (competitor) was mounting a sponsored campaign to tear down the site.
  • TRUST is supreme (Score:5, Interesting)

    by swell ( 195815 ) <jabberwockNO@SPAMpoetic.com> on Monday September 11, 2017 @10:22PM (#55178533)

    Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

    They may have many products & services, or only a few, but without TRUST they have nothing.

    • by Sloppy ( 14984 )

      One of the problems that PGP solved a quarter century ago, was understanding that it's hard/foolish to put all your eggs in one basket. Trust is a matter of degrees. It's batshit insane that our trust levels are "I completely trust you, absolutely" and "I don't trust you at all." In real life, you almost never use the former, and you trivially upgrade from the latter (but almost never all the way up to the former!).

      When an introducer is sort of trusted, and sort of not, it should be entered that way and han

    • by deesine ( 722173 )

      "disgraced themselves at some time and somehow survived"

      They survived because for a large number of people trust isn't supreme: they are liars, they lie to themselves and to others, and when liars discover that a company they use has lied, well, deep down they know it's not that bad. They like their Volkswagen, nay love their Volkswagen, and so internal logic concludes it's not worth changing car companies over some lie that hardly affected them. For these people, and to an extent all people, trust is set r

    • by HiThere ( 15173 )

      When it comes to car companies, why did you single out Volkswagen? They weren't the only one to cheat on the tests, most of the companies have been found to have done so since then. They were just the first one discovered. Or were you thinking of something else.

      With cars, I would have picked Ford for the "Ford firebomb" otherwise known as the Pinto.

    • Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

      They may have many products & services, or only a few, but without TRUST they have nothing.

      I think just about every single company you've listed proves your point wrong - we have seen time and time again that companies who lose the trust of their userbase still manage to stay in business, sometimes even thrive.

      Companies have proven in practice that without TRUST it'll still be business as usual.

  • by guruevi ( 827432 ) <<moc.stiucricve> <ta> <ive>> on Monday September 11, 2017 @10:28PM (#55178557) Homepage

    Basically, what happened is that Symantec allowed "foreign entities" (in countries like China, Italy, Brazil, Korea, Japan, Spain etc) to create certificates using its root certificate.

    Initially someone pointed out that they were just signing a bunch of test domains that were actually registered but both internal and external audits eventually found that they had delegated signing through cross-certificates to various banks and telecom agencies and ~30,000 certs were being issued by these "Regional Authorities" including google.com and various of its subdomains.

    Symantec has proven to not be trustworthy, initially it appeared to whitelist NSA malware, now we see that it's just giving away signing authority to international agencies and governments.

    • by rudy_wayne ( 414635 ) on Monday September 11, 2017 @10:45PM (#55178617)

      Here's the real problem:

      By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.

      Waiting a year is bullshit. All Symantec certs should be distrusted effective November 1 of this year, not next year. If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

      • by sinij ( 911942 ) on Monday September 11, 2017 @10:52PM (#55178635)
        While I agree that Symantec should be taken behind a shed and shot right away, if we do it this way ricochet will hurt a lot of innocent businesses that have nothing to do with this. Year gives them barely enough time to move out of the way.
        • A year seems a long time. I'd start by immediately downgrading all EV certs from Symantec to normal certs. Then, a month later, remove the padlock icon entirely and treat them as if they were HTTP. Two months after that, distrust them entirely.

          As for those innocent businesses: they were sold a cert by Symantec with 'accepted by all major browsers' in the advertising. They're going to get a full refund (and if they don't, you can bet that the class action suit will hurt Symantec more than giving refun

        • by AmiMoJo ( 196126 )

          It would be better to let the customers get hurt I'm afraid. They can sue Symantec for any costs or lost revenue. If it's that critical then Symantec should have had indemnity insurance and the customers should have had insurance.

          Don't forget, the consequence of delaying is that innocent people can be victimized with bad Symantec certificates. There is no option that avoids harming anyone.

      • If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

        You're talking from the perspective of a company where the website is an active and maintained part of their strategy. There are many for which a website is nothing more than a tool, many small shops with small online shopping carts, completely 3rd party outsourced IT where this will do no more than cause them additional expense assuming they are aware of the issue at all before the entire site goes down the red warning hole.

      • You can remove the Symantec root CA now if you prefer.
  • Too Slow (Score:5, Informative)

    by crow ( 16139 ) on Monday September 11, 2017 @10:55PM (#55178649) Homepage Journal

    They should have done this much faster. Once they decided there was a problem, tell people they have 90 days to get a new certificate. What's the big deal? For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

    There was no reason to give Verisign enough time to salvage their business and sell it off instead of just killing them the way they should have been.

    • If you want to, you can remove it from your own browser.
    • Symantec doesn't do free certs, so no one is likely to be using them for non-commercial sites where Let's Encrypt would be appropriate. Most of their business is in the form of EV Certs [wikipedia.org]. The process of applying for an EV certificate can take several weeks, once you've picked the replacement provider, because there are several round trips of paperwork. 90 days is probably long enough, but it's cutting it a bit fine for a lot of people.
    • For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

      Why exactly is Let's Encrypt actually good enough? How is Let's Encrypt any better than StartSSL - which has already had its trust revoked?

      Current initiatives of major browser developers such as Mozilla and Google to deprecate unencrypted HTTP are counting on the availability of Let's Encrypt. - Wikipedia [wikipedia.org]

      Which is extremely humorous considering that Let's Encrypt requires tcp/80 to be open for ACME (Automated Certificate Management Environment) to verify the initial identity of the host name being requested. By requiring tcp/80 to be open you're doubling the attack surface of something that could have only needed tcp/443.

      • Personally, I feel that Let's Encrypt should only allow verification using TXT entries in the DNS. Apparently it can do that too, but it's not the default.
      • by guruevi ( 827432 )

        Let's Encrypt so far hasn't yet gotten their hands caught in the cookie jar and they are infinitely more transparent than most paid cert providers. Certificate providers in general do not put up a public ledger of all certificates it has signed, they barely even verify whether you are the owner of a domain and/or site. LE at least requires valid domain setups and unless you've been rooted (at which all bets are off regardless of your CA) you have to put up a challenge to make sure you can renew and certs ar

  • by Holi ( 250190 ) on Tuesday September 12, 2017 @08:51AM (#55180033)
    My company just purchased new 3 year certs from Symantec.
    • by dkone ( 457398 )

      On the converse, our company will be dropping Symantec AV in less than a month (which means we will have zero Symantec on our network). No more SEPM server, I really don't like using it. It is a huge PITA.
