Slashdot Mirror
Google Bans Symantec Root Certificates
An anonymous reader writes: After in September Google discovered SSL certificates issued in its name by Symantec, and after in October the company discovered over 2,500 more certificates issued for non-existent domains, also by Symantec, Google has now decided to ban Symantec's dodgy certificates from Android and Chrome. "Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products." Apparently Symantec hasn't been very careful of where and to whom it issues SSL certificates from a particular root branch.
not ALL symmantec certificates...
From TFA:
As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate.
Later in TFA:
Symantec has indicated that they do not believe their customers, who are the operators of secure websites, will be affected by this removal.
Symantec is retiring the certificate, and has asked for it to be removed from Google (and probably other) products. End of story. Nobody should be affected.
the link in the article that tries to show proof, is broken. personally i use cacert, so this doesn't bother me either way.
You mean we are going to ban ALL of symantecs root certs because of a few bad apples??? ;)
have you seen my sig? there are many others like it but none that are the same
O cannot see the difference between one root ceritifcate owned my symatic/verisign, and an othter. So they just went bad on one root, they just move their bad practice to an other root CA they own.
Ban all verisign(=symatic) CA issued from now on!
I wind up cleaning my Android device's cert store just because there are a lot of certs that are made by foreign governments, that are not really used, but can easily be abused. China's government has one, for example. Same with Turkey and Saudi Arabia.
What Google should do is figure out the geographical location used, disallow certs that are not directly appropriate to the region, perhaps allowing certs to be turned on/off if one travels. As it stands now, the fewer, the better.
Please, enough of improper use of English in our website! I don't mind so much in posts, but at least can we have decent grammar and syntax in TFS? Our website is not written by 11 year olds who missed Sesame Street's first ten seasons; they are written by adults who are expected to know that the words before and after are usually tied to a certain event, e.g. "after" the aliens came or "before" I lost all my hair. If I knew where you guys work, I could volunteer to work there full time, and help out.
WARNING: Smartphones have side effects--most of them undocumented.
Yep, we really need to rewrite our entire infrastructure in your favorite language platform flavor of the month.
Just to be secure. Think of the children.
Mod me down, my New Earth Global Warmingist friends!
Good luck with that! I'm sure you'll do a great job.
99% of tbe infrastructure of the internet is written in c/c++, every OS, most of the webservers, all of the dns infrastructure, most mail mta's, most routers,. It would be infeasable to perform a complete rewrite.
Have you heard the one about the mentally delusional guy who's about to come around here and claim his Windows program could have somehow prevented certificate problems?
hilarious!
FFS, why do we still not have DANE support in Firefox and Chrome?
I would say that Symantec issuing Certs with Google's name on them would qualify as egregious misrepresentation, on the behalf of Symantec, and be grounds to suing symmantec into oblivion by Google.
Really, perhaps that's a better response for Google.
It could even fall under the context of identity theft and grounds for criminal charges to be filed; another good response and not exclusive of a civil lawsuit based from Google.
See subject: So you can quit your disinformation/misinformation campaign you weak scumbag imbecile, ok?
* Dicks like YOU online make me laugh... how/why?? Easy: You're NOT strong enough technically to validly disprove lists of facts I put out on hosts files being superior to ANY single browser addon redundantly stupid illogical method of adblocking (& hosts do FAR MORE THAN JUST THAT protecting you) -> http://it.slashdot.org/comment... BUT hosts also do a LOT MORE (like stopping botnet communication, being multiplatform OS wide across apps AND stopping DNS security issues too) & far more efficiently as well!
APK
P.S.=> I am glad in 1 capacity that you waste your time this way - it prevents DOLTS like yourself even attempting to write software (you'd make a wreck of it even IF you could manage such a feat), thank god... lol!
... apk
> Symantec is retiring the certificate, and has asked for it to be removed from Google (and probably other) products.
You're misreading that. Google's users, not Symantec, are the ones who requested its removal and Symantec did not say what they're using the cert for ("Symantec is unwilling to specify the new purposes for these certificates").
>can we really consider the entire system to be secure?
It goes far deeper than the coding. It is insecure on many levels. I have deployed real world CAs. I know people embroiled in the day to day problems. While I'm not going to go into details, suffice to say the whole edifice is fragile and subject to many single points of failure and in general, the majority of single points of failure are humans.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Yep, we really need to rewrite our entire infrastructure in your favorite language platform flavor of the month.
Just to be secure. Think of the children.
Improved languages might help a little, but the deep cleaning required is that we get rid of X.509 and TLS and replace it with an auth model that works and crypto protocols that are simple enough that they can be understood and implemented well.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Send me SSL Cert, here is $20 fee.
Rust uses LLVM as it's backend compiler. LLVM is written in C++. Where is your rust god now?
See subject: So stop projecting YOUR ISSUES onto me, ok? Good... now grow up too!
APK
P.S.=> It must truly BLOW to be a waste of life, food, time, oxygen & water "ne'er-do-well" like yourself... apk
See subject: You could put nj-69-69-69-69.sta.embarqhsd.net [69.69.69.69] into hosts but if you're "theoretical bullshit" is using ip addresses vs. host-domain names? Stick to the subject (& quit playing stupid you ignorant bastard troll)...
* :)
(I am GLAD dolts like you waste their lives this way - I don't have competition out of "the trolling waste of life" losers like YOU online!)
APK
P.S.=> Don't you have anything BETTER to do than to be a douchebag online? Apparently not (idle hands are the devil's workshop, so, do yourself a favor & say this out loud where you are "SATAN GET THEE BEHIND ME!" for your sake...)
... apk
My self-signed certs (used internally) are trusted by me.
You jokers are not trustable (Microsoft, Symantec I'm looking at you)
(BTW, ever noticed their root CA's are self-signed, but we're told not to trust self-signed certs?)
insanity.. pure insanity.. Symantec may try to spin it as damage control, but this is an incredibly Bad thing for them to do
the problem is this [Worm] has already been let loose in millions or billions of devices around the world that may never be updated or use a CRL and the darned cert in question is good until 8/1/2028 its on your Windows PC now and unless its invalidated.. it will continue to be used and can be leveraged to install other certificates
this is freakin stupid behavior from Symantec.. stupid stupid stupid
That doesn't mean they actually have any of it to sell you.
They do offer some of the best fake protection that you can download from torrent sites hosted in Somalia.
If a first-time visitor tries to visit a site that exclusively uses DANE, he won't even get as far as the "please use DANE" page without seeing a certificate error. So you'll have to use either a traditional CA (such as WoSign or StartSSL) or Let's Encrypt (if you are root on the server) to handle visitors who don't already have the "extension for both Firefox and Chromium that validates DNSSEC and DANE" installed, as well as visitors using Edge, Safari, or a Safari wrapper. And yes, you'll end up having to cater to Safari because all other web browsers on iOS are Safari wrappers, except for a couple that are remote desktops to a browser running on someone else's computer.
But what's "an auth model that works"? The PGP web of trust isn't it because trust isn't transitive. Just because I can vouch for someone's identity doesn't mean I can vouch for her ability to vouch for others' identities. That's why X.509 certificates have the "cannot act as a CA" flag.
The post is written like one of a grad student attending a diploma mill of a school.
They only thing they're an authority on is processing credit cards, and they only thing they certify is that your credit card didn't bounce.
I really doubt that this will help. We already have enough lazy programmers out in the wild with crazy ideas and utter trust in their toolchain. There are a lot of tools helping you to find possible segfaults. There are no tools to help you understanding and implementing standards. The worst problems happen because someone is thinking outside the box, which sometimes is imposed to avoid security problems.
Rust won't help you avoid such stupid stunts like the webbrowser accepting iframes for fav-icons.
Rust also won't help you if you optimize a security workflow and give away infomation before securing the connection.
And lot of other shortcuts taken for convinience.
Hardware ASA? Stupid to depend on THAT alone (especially when routers get bushwhacked like mad, DNS settings anyone??)
CISCO "hardware ASA" = bitten by typical JAVA bugs http://www.theregister.co.uk/2...
(As is ALL of cisco's stuff lately & by FAR MORE than just that - want more evidence? Ask... & "ye shall receive" (loads of it)).
* By the way - I believe in LAYERED SECURITY (hosts are a big part of it) stupid -> http://www.bing.com/search?q=%... & you're talking to the guy that practically "wrote the book" on it...
(I just don't DEPEND ON IT SOLELY, but I use a hardware firewall solution in combination with OS side firewalls + security hardening galore with patching + antivirus & yes, hosts...)
APK
P.S.=> To be continued... apk
When I write software (in which NONE OF YOU FOUND A BUG IN since it's intro publicly in 2012)? I do! So do others (respected noted others in security who audited my code for safety OR he would not host it (let alone HIGHLY recommend it also)) -> APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...
* :)
MalwareBytes' hpHosts Admin (MalwareBytes employee who verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
&
It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
Its 32-bit model too https://www.virustotal.com/en/...
Its installer too -> http://f.virscan.org/APKHostsF...
APK
P.S.=> Let's see a no skills incompetent like YOU, troll, do better... ok?? I'll be waiting till the "12th of never" for THAT miracle to happen outta the TROLLING "ne'er-do-well" likes of YOU (loser)... apk
">trusting methods of computer identification on 1998 technology as a viable security layer - by Anonymous Coward - A LOSER WITH NO BALLS WHO WON'T IDENTIFY HIMSELF OR STAND BEHIND HIS BULLSHIT EITHER on Sunday December 13, 2015 @09:25AM (#51109513)
Big mistake: Respected security pros back me on hosts efficacy in security (malwarebytes, eset/nod32, symantec, & even O'Reilly):
E.G.#1 - Oliver Day (Symantec) too-> http://www.securityfocus.com/c...
E.G.#2 - Aryeh Goretsky NOD32/ESET hosts = good security-> http://it.slashdot.org/comment...
E.G. #3 - MalwareBytes' hpHosts' Admin hosts + RECOMMENDS my APK Hosts File Engine 9.0++ SR-2 32/64-bit-> http://hosts-file.net/?s=Downl...
E.G.#4 - OReilly - For security -> http://oreilly.com/pub/a/windo... & For speed -> http://www.oreillynet.com/pub/...
APK
P.S.=> You FAIL miserably outnumbered, outthought, outsmarted & just plain OUTED - who backs you? NOBODY... lol!
... apk
Where the HELL do you see me trusting antivirus alone? Answer that & I'll cut you to shreds further... that is, if the links to my security guide earlier (#1/4 RIGHT OFF THE BAT HERE SHOOTING YOU DOWN whimp) didn't already on this note OR the link below as well!
* :)
(You're a fool - a cowardly little TROLLING FOOL that can't even identify himself to stand behind his words... lol!)
APK
P.S.=> I use antivirus programs (one resident, 2 antispyware as scanners only manually operated here & periodically scanned + updated daily IF possible) but again, I do NOT depend on them solely - I use "LAYERED SECURITY/DEFENSE-IN-DEPTH" & did well on guides I've written for it (paid for it in fact winning that money) -> http://www.bing.com/search?q=p... (See JANUARY 2008 Alexander/New York there)
Have YOU done the same OR BETTER, Mr. NO BALLS unidentifiable coward? ANYONE TRUSTING YOUR STUPID COWARDLY NO BALLS TROLL ASS IS A FOOL!... apk
"Proprietary windows program. Yeah, that's real secure" - by Anonymous Coward on Sunday December 13, 2015 @12:55AM (#51108407)
See subject & this data that shoots your unidentifiable coward ass down in flames easily:
MalwareBytes' hpHosts Admin (MalwareBytes employee who verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
&
It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
Its 32-bit model too https://www.virustotal.com/en/...
Its installer too -> http://f.virscan.org/APKHostsF...
* :)
APK
P.S.=> Tell us - what has a cowardly NO BALLS little unidentifiable troll that can't identify himself to stand behind his bullshit like YOU done better than the above? ZERO, lol... loser!
... apk
The CAB forum best practices document requires CA not to issue SHA-1 signed certificates after Jan 1, 2016.
That includes certificates that chain to SHA-1 intermediates or roots.
Chrome has been ratcheting up warnings on sites with these certificates for some time.
This is a request from Symantec to remove a root certificate that will no longer be in use.
That is just good security as the certificate in question is valid to 2028.
Not that Google may not have other issues with Symantec.
Symantec has a free replacement program for any sites still using certificates issued from this CA root cert.
Not a big issue unless you have not noticed that SHA-1 signatures have been being phased out over the last 10 years.
See subject: If it's "so bad" then why does the likes of Malwarebytes folks host & recommend it - Have YOU personally done better? No.
* :)
When YOU can show us YOU even code, I might listen... you're no judge of ANYTHING until then & certainly NOT my peer!
(You can STFU now, "ne'er-do-well" troll: Especially after this proof of its safety & quality as well as who verified my code (best in the business) http://tech.slashdot.org/comme... the likes of which a TROLL like you will NEVER be able to produce, lol...)
Should I "Open SORES" it? Hell no - do you even KNOW that Chrome itself due to being Open SORES was used to create a malware doppleganger of it? It was. Wake up.
APK
P.S.=> Hosts run on ANYTHING with a normal BSD derived IP stack - thus, the data output result of the program IS universal & multiplatform... all it needs to be - do YOU deny that? Go for it... I'll crush you even more, lol! apk
In most cases, nobody needs to know the identity anyway. It would be far more important to know that it is the same website I looked at before
That's called "key continuity management" (KCM) or "trust on first use" (TOFU). SSH uses it but recommends that you verify the key fingerprint out of band. It could be used with HTTPS or email as well, but without a way to verify the fingerprint out of band, it's vulnerable if your connection is compromised by a man in the middle from day one. Bug 460374 relates the story of how such an MITM in the wild was discovered.
I was wondering why my cable company would be using an invalid certificate for the secure portions of their site. Now I know.
See subject: Why don't you just put yourself in a jail cell now? It's better than what I'd do to you (or my insurance company to you which might be a lot worse).
* Of course that assumes you have any balls, & obviously based on your ac troll threats? You don't.
APK
P.S.=> Only a pussy does what you do (especially in "geek angst" after my last few posts splattered you all over /., lol, easily) weasel boy, lol... apk