Slashdot Mirror


Google Details Plan To Distrust Symantec Certificates (tomshardware.com)

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.
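The schedule above gives site operators two deadlines that depend on who issued a certificate and when: anything chaining to Symantec and issued before June 1, 2016 stops working in Chrome 66, and everything else from Symantec stops working in Chrome 70. The script below is an added example (not from the article or from Google/Symantec) that applies that schedule to certificates in the dictionary form Python's `ssl.getpeercert()` returns, so an operator can triage an inventory of hosts. The sample certificates are constructed for the example; the issuer-name matching is a heuristic (Symantec and VeriSign come from the page, GeoTrust, Thawte and RapidSSL are assumed to be Symantec-operated brands), since Chrome's real decision is made on the root hierarchy, not the organization string.

```python
import socket
import ssl
from datetime import datetime, timezone

# Dates taken from the distrust schedule in the summary.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)  # issued before this: dead in Chrome 66 (April 2018)
CHROME70_LABEL = "chrome70"   # every remaining Symantec cert: dead in Chrome 70 (November 2018)
CHROME66_LABEL = "chrome66"
UNAFFECTED = "unaffected"

# Issuer organizations treated as "Symantec" for this check. Symantec and VeriSign are
# named on the page; GeoTrust, Thawte and RapidSSL are an assumption (Symantec-run brands).
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")


def issuer_org(cert):
    """Return organizationName from a getpeercert()-style 'issuer' tuple, or '' if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def is_symantec_issued(cert):
    """Heuristic: does the issuer organization name contain a Symantec brand?"""
    org = issuer_org(cert).lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def not_before(cert):
    """Parse the 'notBefore' field ("Jun  1 00:00:00 2016 GMT") into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)


def classify(cert):
    """Map one certificate to the Chrome release in which it loses trust."""
    if not is_symantec_issued(cert):
        return UNAFFECTED
    if not_before(cert) < CHROME66_CUTOFF:
        return CHROME66_LABEL
    return CHROME70_LABEL


def triage(inventory):
    """inventory: {hostname: cert dict}. Returns {hostname: classification} for the affected hosts only."""
    return {host: classify(cert) for host, cert in inventory.items() if classify(cert) != UNAFFECTED}


def peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate in the same dict form (network access; not used by the tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data in getpeercert() shape; hostnames and dates are made up for the example.
SAMPLE_INVENTORY = {
    "shop.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Symantec Corporation"),)),
        "notBefore": "May 31 23:59:59 2016 GMT",   # one second before the Chrome 66 cut-off
    },
    "api.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),)),
        "notBefore": "Jun  1 00:00:00 2016 GMT",   # exactly on the cut-off: survives until Chrome 70
    },
    "blog.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
        "notBefore": "Sep 10 12:00:00 2017 GMT",
    },
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: loses trust in {verdict}")
```

Run as a script it prints only the hosts that need a replacement certificate; to check a live host, replace the sample entry with `peer_cert("your.host")`. Note that the boundary is deliberately `<` rather than `<=`, so a certificate whose notBefore is exactly midnight on June 1, 2016 falls in the Chrome 70 group.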

6 of 140 comments

  1. Re:Let me by StikyPad · · Score: 4, Informative

    This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

    WTF, this is supposed to be a site for nerds. It says so right there at the top.

  2. Good, let's distrust these lying sacks by guruevi · · Score: 4, Informative

    Basically, what happened is that Symantec allowed "foreign entities" (in countries like China, Italy, Brazil, Korea, Japan, Spain etc.) to create certificates using its root certificate.

    Initially someone pointed out that they were just signing a bunch of test domains that were actually registered, but both internal and external audits eventually found that they had delegated signing through cross-certificates to various banks and telecom agencies and ~30,000 certs were being issued by these "Regional Authorities", including google.com and various of its subdomains.

    Symantec has proven to not be trustworthy, initially it appeared to whitelist NSA malware, now we see that it's just giving away signing authority to international agencies and governments.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

    1. Re:Good, let's distrust these lying sacks by rudy_wayne · · Score: 3, Informative

      Here's the real problem:

      By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.

      Waiting a year is bullshit. All Symantec certs should be distrusted effective November 1 of this year, not next year. If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

    2. Re:Good, let's distrust these lying sacks by sinij · · Score: 4, Informative

      While I agree that Symantec should be taken behind a shed and shot right away, if we do it this way the ricochet will hurt a lot of innocent businesses that have nothing to do with this. A year gives them barely enough time to move out of the way.

  3. Too Slow by crow · · Score: 4, Informative

    They should have done this much faster. Once they decided there was a problem, tell people they have 90 days to get a new certificate. What's the big deal? For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

    There was no reason to give Verisign enough time to salvage their business and sell it off instead of just killing them the way they should have been.

  4. Re:Let me by phantomfive · · Score: 4, Informative

    You shouldn't have an Arris modem anyway. They are back-doored, with hard-coded credentials. Arris security makes Equifax look like Fort Knox.

    --
    "First they came for the slanderers and I said nothing."