Google Details Plan To Distrust Symantec Certificates

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.

Let me

[Ol+Olsoc]

Tell you about Symantec.

I was working on the computer a few nights ago, I booted it up, and started my browser. Up pops a screen, that tells me that Symantec and Arris have entered into a partnership to keep me safe from Malware.

Hmm, that's odd. I do my own security, and it works pretty well. And I want nothing to do with Symantec.

I try opening a few other web pages in safari and then Firefox. Same thing happens.

Crap - I think I've been nailed. Well, I have a good backup system. It will be a PITA, but whatever.

So before I did that, I went back and looked at the browser hijack page. I click on the "why am I seeing this?" link. I get a certificate not valid. Shit. I click on the Terms of service link. Same thing. I try a few more random pages. Nothing works. And when you can't read the terms of service, something is really wrong. So I start to re-image the machine. This will take most of my evening away.

I call Arris to tell them of the problem. And they tell me that this is a new feature they are rolling out to select customers.

A few seconds while I absorb this. Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now! I told them their "service" presents as a browser hijack, I did not and would not sign any terms that I didn't accept when I bought the router, and if it wasn't gone immediately, I would box up the router, and return it to where I bought it, with a full explanation and review of the problem. So they then had to work with Symantec to kill what they had done.

Sorry Symantec, take your browser hijack which won't let me access any websites unless I agree to terms that I cannot see, and bend over, and shove it up your anus as far as you can, using a pincone, then a baseball bat, and after that, a dildo covered with sandpaper.

Re:Let me

As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

They are wrong. That's why an average system needs dozens of weekly patches. That's why modern software still falls victim to the same old exploits. That is why my field exists.

So I should probably give thanks for security incompetence to be the norm among even the most veteran programmers.

What about Firefox?

What's Mozilla's plan? Are they going to continue to trust the old certs?

TRUST is supreme

[swell]

Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

They may have many products & services, or only a few, but without TRUST they have nothing.

Re: Google this, Google that

What work around? What company or service can you use to get the information or level of service you can by using Google products? If a new privacy centric company came out and took over the world they would become Google. With all of the same privacy concerns. Even a company you started and ran. Every single person on this planet would at some point make the exact same decisions Google has along the way. Unless you never get to this size and only stay a tiny fraction of a percent of the market. Then and only then will a company care about privacy. You sacrifice privacy in the name of convenience. Without convenience you can still have privacy. With convenience comes a lack of privacy. The more convenient our lives become the less privacy there will be. In 100 years even someone like yourself or the most private paranoid person will have ZERO privacy. The only people to have privacy then will be those using NO technology of anysort. So pretty much only the few Amish who remain alive in 100 years.

Re: Google this, Google that

The company I work for uses Google for hosting emails, group discussions, videoconferencing, document management etc. I can't just opt out of using Google products and still be able to do my job.