Google Details Plan To Distrust Symantec Certificates

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.

Should do the same with Google certificates

Seriously getting tired of this company

Re: Should do the same with Google certificates

[LesFerg]

Brave seems a bit slow to start up and load the first page, otherwise the basic features seem to be ok.

Re: Should do the same with Google certificates

[negRo_slim]

citation needed

Re: Should do the same with Google certificates

[LT218]

Regardless of what Google does or doesn't do correctly regarding their own certs, Symantec has nobody to blame but themselves for this one. They deserve what they're getting because they played fast and loose with the rules to make a buck.

That's fine

I don't trust anybody and neither should you.

Re:That's fine

[Paradise+Pete]

I don't trust anybody and neither should you.

I'm not buying that.

Google this, Google that

I think it's about high time we actively start working around Google.
Sure they used to be cool, like 20 years ago. Now they're just a powerhungy privacy eating machine and very far from doing "no evil"; they need to go.

Re: Google this, Google that

What work around? What company or service can you use to get the information or level of service you can by using Google products? If a new privacy centric company came out and took over the world they would become Google. With all of the same privacy concerns. Even a company you started and ran. Every single person on this planet would at some point make the exact same decisions Google has along the way. Unless you never get to this size and only stay a tiny fraction of a percent of the market. Then and only then will a company care about privacy. You sacrifice privacy in the name of convenience. Without convenience you can still have privacy. With convenience comes a lack of privacy. The more convenient our lives become the less privacy there will be. In 100 years even someone like yourself or the most private paranoid person will have ZERO privacy. The only people to have privacy then will be those using NO technology of anysort. So pretty much only the few Amish who remain alive in 100 years.

Re: Google this, Google that

[gl4ss]

you can use a bunch of others like duckduckgo, bing, hotmaill.. ..

ehehehheheahahah.

anyways, most alternatives use google parts anyways. thats a bummer.

Re: Google this, Google that

The company I work for uses Google for hosting emails, group discussions, videoconferencing, document management etc. I can't just opt out of using Google products and still be able to do my job.

Re: Google this, Google that

[LesFerg]

Yes but surely you wouldn't use the same identity for your work and personal life?

Re: Google this, Google that

[TheRaven64]

We use Microsoft's equivalents because, when it came to negotiating the license, the Google approach was take it or leave it, whereas MS worked with our IT folk to put together a contract that didn't violate any NDAs or regulatory requirements for data integrity that different departments had. The Google license was basically incompatible with any organisation that has any legal data protection requirements.

Privacy isn't just something that's nice for individuals to have, it's an absolute requirement for a lot of businesses. If you're doing anything with medical records, then you must not share them with anyone without the correct compliance procedures in place. That's an extreme example, but most companies have commercially sensitive data. Similarly, most companies have data retention policies that require that things be deleted after a certain amount of time, but Google has no way of guaranteeing deletion (as a core part of their distributed filesystem design: deletion is implemented by simply stopping replicating some data and waiting for the drives that it's on to fail).

Re: Google this, Google that

[Wootery]

I disagree.

With what? That privacy is important, or that Google have inflexible terms? Be specific.

The fact that some Fortune 500 company is trusting Google with sensitive data, doesn't mean they should be doing so.

Re: Google this, Google that

[Gr8Apes]

And Google has always been an advertising company with cool technology. Every single move Google makes is targeted towards increasing their ad revenue.

The only thing I take issue with there is "with cool technology". I've been forced to use their stuff. It only seems cool until you actually use it. Then the warts, boils and turds come out in force. It's almost as bad as MS tech, maybe worse these days.

Re: Google this, Google that

[chihowa]

He covered that: "Google is only useful to people who make themselves dependant on them for some reason."

Let me

[Ol+Olsoc]

Tell you about Symantec.

I was working on the computer a few nights ago, I booted it up, and started my browser. Up pops a screen, that tells me that Symantec and Arris have entered into a partnership to keep me safe from Malware.

Hmm, that's odd. I do my own security, and it works pretty well. And I want nothing to do with Symantec.

I try opening a few other web pages in safari and then Firefox. Same thing happens.

Crap - I think I've been nailed. Well, I have a good backup system. It will be a PITA, but whatever.

So before I did that, I went back and looked at the browser hijack page. I click on the "why am I seeing this?" link. I get a certificate not valid. Shit. I click on the Terms of service link. Same thing. I try a few more random pages. Nothing works. And when you can't read the terms of service, something is really wrong. So I start to re-image the machine. This will take most of my evening away.

I call Arris to tell them of the problem. And they tell me that this is a new feature they are rolling out to select customers.

A few seconds while I absorb this. Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now! I told them their "service" presents as a browser hijack, I did not and would not sign any terms that I didn't accept when I bought the router, and if it wasn't gone immediately, I would box up the router, and return it to where I bought it, with a full explanation and review of the problem. So they then had to work with Symantec to kill what they had done.

Sorry Symantec, take your browser hijack which won't let me access any websites unless I agree to terms that I cannot see, and bend over, and shove it up your anus as far as you can, using a pincone, then a baseball bat, and after that, a dildo covered with sandpaper.

Re:Let me

[StikyPad]

This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

WTF, this is supposed to be a site for nerds. It says so right there at the top.

Re:Let me

[sgage]

You forgot the rough corn cob...

Re:Let me

"bend over, and shove it up your anus as far as you can, using a pincone, then a baseball bat, and after that, a dildo covered with sandpaper. "

Ok we get it! Did you really have to go into such detail? Some of us are at work and it gets real embarrassing to pop a boner in front of everyone.... Geez.

Re:Let me

[jonnythan]

I suppose being a nerd doesn't mean you actually know anything...

Re:Let me

[sinij]

Seeing browser hijack and concluding your machine was pwned isn't unreasonable. Injection by ISP is such sacrilege that it isn't something most techies would check as the first step.

Re:Let me

[connect4]

+1, the grandparent is an asshole

Re:Let me

[llamahunter]

So, how do you really feel about Symantec?

Re:Let me

[DNS-and-BIND]

Much like Google removed its "Don't be Evil" motto when they rebranded into Alphabet, Slashdot removed the "News for Nerds" motto some years ago. Now it's just a property of dice.com or whoever the hell owns it now.

You can see on the front page, comments barely go into triple digits any more. Slashdot is a shell, and I don't know why I keep coming here. Habits are hard to break.

Re:Let me

[DNS-and-BIND]

It's commonplace in other parts of the world, China, India, Philippines, etc. They'll not only inject ads into your browsing session, but on mobile they'll put one of those Apple-style floating circles in the corner, to "help" you.

Re:Let me

You called Arris? Arris doesn't do MITM, they do hardware. Your ISP does MITM. Time Warner (now Spectrum), Cox, Xfinity, or whatever, is your ISP. That's who you call. Also, Arris is in bed with McAfee, not Symantec. Are you using your ISPs DNS servers on your router? STOP DOING THAT IMMEDIATELY! Use OpenDNS, or Comodo, or Level3, or anything else! If you still see anything off, use a VPN.

Re:Let me

[chuckugly]

You don't know how computers work, go play in reddit.

Re:Let me

As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

They are wrong. That's why an average system needs dozens of weekly patches. That's why modern software still falls victim to the same old exploits. That is why my field exists.

So I should probably give thanks for security incompetence to be the norm among even the most veteran programmers.

Re:Let me

[phantomfive]

You shouldn't have an Arris modem anyway. They are back-doored, with hard-coded credentials. Arris security makes Equifax look like Fort Knox.

Re:Let me

[TheRaven64]

10 minutes? My laptop's SSD can manage 300MB/s sustained writes on a good day. Ten minutes is enough to write 175GB. The drive is 1TB and about 900GB is used. Assuming that I had the data in a form that I could just stream to the disk without the FS getting in the way, it would take around 50 minutes, and that's assuming that the SSD could actually sustain that write speed for that long (it can't). Either your system disk and your backups are NVMe, or you don't have much data on your computer...

Re:Let me

[Big+Hairy+Ian]

Ah yess Symantec https://www.flickr.com/photos/...

Re:Let me

[AmiMoJo]

ISPs have been screwing to HTTP for over a decade around here. When I have issues the first thing I check is if I'm not connected to my VPN for some reason, and if I get the same result on a mobile connection. I've never had to go beyond checking those two so far.

Re:Let me

[Holi]

Or change your DNS servers

Re:Let me

[Holi]

Cable companies using DNS redirects isn't something you expect? That's been the norm for years now.

Re:Let me

[Gr8Apes]

yep, started running my own DNS setup to completely ignore my ISP. Their stupidity continues.

Re:Let me

[Gr8Apes]

Much like Google removed its "Don't be Evil" motto when they rebranded into Alphabet,

Google effectively toilet papered its "Don't be Evil" motto when it went public in 2004.

Re:Let me

[chihowa]

Which was really a pretty sketchy motto to begin with. Who has to remind themselves not to be evil so much that it becomes a motto?

Re:Let me

[Bob+the+Super+Hamste]

Not bad enough. I'm thinking the dildo from Seven

Re:Let me

[dkone]

You say that like it is an insult. The real joke is on you though. Slashdot is a mere shell of what it once was. Given the choice between the two, Reddit is going to win.

DK

Re:Let me

[Gr8Apes]

Not really that sketchy, IMHO, as when they started it was just a search engine, not an ad serving platform.

Re:Let me

[chuckugly]

You are probably right.

Re:Let me

[Ol+Olsoc]

Both the rough corncob and the dildo fromSeven is good!

Re:Let me

[Ol+Olsoc]

This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

WTF, this is supposed to be a site for nerds. It says so right there at the top.

Oh, dear, I'm getting a lecture. Lookie fellow, this transpired over time, and it was rather shocking that even McAffee, who don't have a lot of ethics to begin with, would hijack a browser.

I'd have to first Know that McAffee and Arris had entered into this unholy matrimony, Then I'd have to not be suspicious of of links that gave me 1, bad certificates ( perhaps you as a self acknowledged genius like bad certificates) and the other link for the TOS, didn't show me anything.

What they may or may not have had on my computer is irrelevant as week old smegma. If anything was there, it needed to go, The point is that all of my traffic was getting redirected and McAffee was then making a determination as to whether I could see it or not.

So the computer gets re-imaged regardless, because I don't trust McAfee, and this little trick didn't make me feel warm and fuzzy either.

But hey, you just click on the only link that would allow you to continue internet accss, and don't worry about the TOS that it doesn't allow you to see - sounds like expert level computer savvy to me. In the meantime, I've inherited 10 million USD, and need you to open an account in the Netherlands to deposit money for the unfortunate bribes that must be made to conduct business. So if you would please open the account, and deposit the amount of 10,000 dollars USA, you will be richly rewarded when the total amount of money comes through.

Yours in Christ Jesus, Barrister Mutambo Ngumbo

Sounds legit.

Re:Let me

[Ol+Olsoc]

Seeing browser hijack and concluding your machine was pwned isn't unreasonable. Injection by ISP is such sacrilege that it isn't something most techies would check as the first step.

Exactly. https://en.wikipedia.org/wiki/... It is not unusual for a hijack to also install a keylogger, so at the time, this happened, I wasn't for certain that I wasn't totally pwned. Seriously unethical, and regardless, I had no internet access unless I either called Arris and got the shit turned off, or clicky clicky on a mysterious link that would install or do gawd knows what.

What is a little surprising is self acknowledged experts who seem to think otherwise. I personally am interested in their motives.

Re:Let me

[Bob+the+Super+Hamste]

I'll accept that.

Re:Let me

[Ol+Olsoc]

As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

They are wrong. That's why an average system needs dozens of weekly patches. That's why modern software still falls victim to the same old exploits. That is why my field exists.

So I should probably give thanks for security incompetence to be the norm among even the most veteran programmers.

Okay, since all of the experts here on Slashdot are pillorying my for my stupidity, now that I have a security professional, I'd like a security professional's answer.

You are sitting at a computer that has been functioning properly for a long time. Typical security procedures, an anti-virus, regular updates, firewall both on the computer and on the router.

Now, instead of any internet access, when you open a browser, you get one screen only. An announcement that the router you are using's manufacturer and a sketchy internet security company have entered into a partnership to protect you.

Three links on the page. Two do not work, or to be more precise a 400, with a bad certificate?

Opening more tabs or windows gives you another screen like the first one. Bookmarks and typed URL's give you the same page. Nothing gets rid of the page that demands you click on a link to get internet access. Keeps coming back like Chucky.

As a security professional, do you recommend clicking on the third link that they declare will give you internet access again? You will apparently get internet access again, but will you get anything else?

Re: Let me

[Ol+Olsoc]

How did you conclude it's the ISP? If Symantec and Arris enter into a partnership it's even possible you got bum router firmware from Arris.

In a world where every device can be updated automatically at any time, any device can be updated at any time.

But thanks for the correction.

It wasn't the ISP. It was Arris and Symantec. But that was only confirmed by contacting Arris, and later Symantec.

I wonder if slashdotters think that any webpage they go to is legit. If so, it brings some understanding to the number of security breaches like Equifax et al. Security like that is hard to find. Or not.

Re:Let me

[Ol+Olsoc]

You don't know how computers work, go play in reddit.

Oh yes, I'm the dumbest asshole on the planet.

Tell me, if you lost internet access, and the only way you could get it back was to click on the only webpage that showed up, would you without hesitation, click on that link? You either have no access, call the people who are presumably the ones who did this to you, or click the link.

If you answer anything other than you contact the people responsible, you have absolutely no place telling me I know nothing, and frankly, you need to stick to surfing shemale midget scat porn and posting on facebook, Chuckugly.

You are Dunning- Kruger personified.

Re:Let me

[chuckugly]

I'd use check my router IP settings and then use ping and traceroute to start with, just to see what's going on. If you think not having access to the world wide web is the same as losing internet access you really should stick to something less technical.

Re:Let me

[Ol+Olsoc]

I'd use check my router IP settings and then use ping and traceroute to start with, just to see what's going on. If you think not having access to the world wide web is the same as losing internet access you really should stick to something less technical.

So anyhow, you would not have engaged in communications with the people who claimed to have enabled this? Elucidate, and instead of being a slashdot genius, tell me why I should not have.

Re:Let me

[chuckugly]

You asked the router manufacturer (Arris) to "remove the Symantec from your computer", and then you reimage your PC when someone tries to MitM you? If that actually makes sense to you then I stand by everything I've said.

It's cool if you don't want to know how the stuff you use works, I bet almost no one knows how all the stuff they use works, there is a lot of technology in use today. But this is supposed to be a technical site; different standards. And no, I would not have called Arris, but then I don't use the crap modem or router the ISP supplies either.

In other news, McAfee are the ones who actually have a deal with Arris to supply a secured router, Symantec makes their own secure router, and sells it via Best Buy and Amazon, among other stores. I would strongly suspect the culprit was your ISP or some flakey browser addon. Consider not using the ISP DNS servers, and learning to use tools like ping and tracert, they are pretty simple and can shed a lot of light on simple problems.

Re:Let me

[Ol+Olsoc]

You asked the router manufacturer (Arris) to "remove the Symantec from your computer", and then you reimage your PC when someone tries to MitM you? If that actually makes sense to you then I stand by everything I've said.

No, actually I did not. say tha. You might think that you are smarter than me in all ways, but what I wrote, and which for some unknown reason you lied about is:

"Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now!

That is cut and pasted from my post. You can put that in quotes. Not what you did. Because what you put in quotes was untrue.

An unreasonable request? I did not know at the time if "anything" that had anything to do with Symanec was there, but if anything was, it had to go. Not a reasonable demand? As the smart internet guy, was the presence of any Symantec installed software impossible? Explain. Not that I'd believe you now, because you'll just make shit up. That's what happens when you lie. Not much lower in my book than someone who is a liar.

If someone came to you as a security IT guy with those symptoms, you would not inspect the computer to see if anything had been installed on it? Wouldn't even wonder because you knew already that there was none? Just bloviate about how smart you are? Would you bet your job on it? In some places you would lose it. Anyhow, no need to respond, because I don't believe anything proven

Re:Let me

[chuckugly]

Yeah, it was paraphrased. The facts presented are the same.

Yes, it's unreasonable to ask a router OEM to alter the configuration of your PC unless you have some sort of contract with them.

My first suspicion given the very limited info you have provided is that your browser traffic was being routed through some sort of sandboxing and/or deep inspection proxy, but I can't be sure without actually having a look. The agency being used to implement that redirection could be many places but most likely it's something you installed, intentionally or not.

Your complete lack of a clue as to what exactly was going on tells me that either it was not implemented locally, or you are completely clueless. I prefer to think maybe it was something done in your router and you are mentally competent, which makes me recommend you stop letting 3rd parties control your router. In any case, no, I'd not call the OEM, nor would I reimage my PC. That would be idiotic.

Re: Let me

[Brockmire]

If you didn't install or change any software yourself, yes, troubleshooting as a DNS issue would be first priority. Wouldn't you want to find out how the mysterious infection occurred before reimaging and having it reinfected? Seriously, this was poor troubleshooting. Do you freak out the first time signing into a hotel hotspot with walled garden redirect? If not, you're smarter than OP.

What about Firefox?

What's Mozilla's plan? Are they going to continue to trust the old certs?

Re:What about Firefox?

Their lets-just-copy-whatever-chrome-does -management team goes to Hawaii for some strategy meetings that take a week and concludes that while they do not understand why chrome did some change, they will copy that change anyway.

Re:What about Firefox?

[sasparillascott]

They're planning on matching Google's plan: https://www.thesslstore.com/bl...

Sure is alot of nasty replies in the field here today. You'd almost wonder if someone else (competitor) was mounting a sponsored campaign to tear down the site.

TRUST is supreme

[swell]

Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

They may have many products & services, or only a few, but without TRUST they have nothing.

Re:TRUST is supreme

[Sloppy]

One of the problems that PGP solved a quarter century ago, was understanding that it's hard/foolish to put all your eggs in one basket. Trust is a matter of degrees. It's batshit insane that our trust levels are "I completely trust you, absolutely" and "I don't trust you at all." In real life, you almost never use the former, and you trivially upgrade from the latter (but almost never all the way up to the former!).

When an introducer is sort of trusted, and sort of not, it should be entered that way and handled that way. And you should have multiple introducers, to make up for the fact that you can't possibly trust any of them completely (and also the fact that your trust opinions change). Losing a popular CA should have minimal impact, provided that each identity is certified by several others.

Yet we still don't use this level of tech on the web, even though it (barely) pre-dates the web.

Re:TRUST is supreme

[deesine]

"disgraced themselves at some time and somehow survived"

They survived because for a large number of people trust isn't supreme: they are liars, they lie to themselves and to others, and when liars discover that a company they use has lied, well, deep down they know it's not that bad. They like their Volkswagen, nay love their Volkswagen, and so internal logic concludes it's not worth changing car companies over some lie that hardly affected them. For these people, and to an extent all people, trust is set right next to convenience and perception of worth.

Re:TRUST is supreme

[HiThere]

When it comes to car companies, why did you single out Volkswagen? They weren't the only one to cheat on the tests, most of the companies have been found to have done so since then. They were just the first one discovered. Or were you thinking of something else.

With cars, I would have picked Ford for the "Ford firebomb" otherwise known as the Pinto.

Re:TRUST is supreme

[goose-incarnated]

Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

They may have many products & services, or only a few, but without TRUST they have nothing.

I think just about every single company you've listed proves your point wrong - we have seen time and time again that companies who lose the trust of their userbase still manage to stay in business, sometimes even thrive.

Companies have proven in practice that without TRUST it'll still be business as usual.

Good, let's distrust these lying sacks

[guruevi]

Basically, what happened is that Symantec allowed "foreign entities" (in countries like China, Italy, Brazil, Korea, Japan, Spain etc) to create certificates using it's root certificate.

Initially someone pointed out that they were just signing a bunch of test domains that were actually registered but both internal and external audits eventually found that they had delegated signing through cross-certificates to various banks and telecom agencies and ~30,000 certs were being issued by these "Regional Authorities" including google.com and various of it's subdomains.

Symantec has proven to not be trustworthy, initially it appeared to whitelist NSA malware, now we see that it's just giving away signing authority to international agencies and governments.

Re:Good, let's distrust these lying sacks

[rudy_wayne]

Here's the real problem:

By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.

Waiting a year is bullshit. All Symantec certs should be distrusted effective November 1 of this year, not next year. If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

Re:Good, let's distrust these lying sacks

[sinij]

While agree that Symantec should be taken behind a shed and shot right away, if we do it this way ricochet will hurt a lot of innocent businesses that have nothing to do with this. Year gives them barely enough time to move out of the way.

Re:Good, let's distrust these lying sacks

[TheRaven64]

A year seems a long time. I'd start by immediately downgrading all EV certs from Symantec to normal certs. Then, a month later, remove the padlock icon entirely and treat them as if they were HTTP. Two months after that, distrust them entirely.

As for those innocent businesses: they were sold a cert by Symantec with 'accepted by all major browsers' in the advertising. They're going to get a full refund (and if they don't, you can bet that the class action suit will hurt Symantec more than giving refunds). If there's a rush to switch, you can bet that there are a lot of CAs that would give a discount for the first year for existing Symantec customers.

Re:Good, let's distrust these lying sacks

[thegarbz]

If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

You're talking from the perspective of a company where the website is an active and maintained part of their strategy. There are many for which a website is nothing more than a tool, many small shops with small online shopping carts, completely 3rd party outsourced IT where this will do no more than cause them additional expense assuming they are aware of the issue at all before the entire site goes down the red warning hole.

Re:Good, let's distrust these lying sacks

[AmiMoJo]

It would be better to let the customers get hurt I'm afraid. They can sue Symantec for any costs or lost revenue. If it's that critical then Symantec should have had indemnity insurance and the customers should have had insurance.

Don't forget, the consequence of delaying is that innocent people can be victimized with bad Symantec certificates. There is no option that avoids harming anyone.

Re:Good, let's distrust these lying sacks

[edtice1559]

You can remove the Symantec root CA now if you prefer.

Too Slow

[crow]

They should have done this much faster. Once they decided there was a problem, tell people they have 90 days to get a new certificate. What's the big deal? For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

There was no reason to give Verisign enough time to salvage their business and sell it off instead of just killing them the way they should have been.

Re:Too Slow

[phantomfive]

If you want to, you can remove it from your own browser.

Re:Too Slow

[TheRaven64]

Symantec doesn't do free certs, so no one is likely to be using them for non-commercial sites where Let's Encrypt would be appropriate. Most of their business is in the form of EV Certs. The process of applying for an EV certificate can take several weeks, once you've picked the replacement provider, because there are several round trips of paperwork. 90 days is probably long enough, but it's cutting it a bit fine for a lot of people.

Re:Too Slow

[jawtheshark]

Personally, I feel that LetEncrypt should only allow verification using TXT entries in the DNS. Apparently it can do that too, but it's not the default.

Re:Too Slow

[TheRaven64]

EV certs show that the CA has performed some validation that the certificate is associated with a specific organisation, not just with a domain name. It's how you know that the cert for paypal.com is owned by PayPal Inc. and the domain for paypal.scammer.com is not.

Re:Too Slow

[guruevi]

Let's Encrypt so far hasn't yet gotten their hands caught in the cookie jar and they are infinitely more transparent than most paid cert providers. Certificate providers in general do not put up a public ledger of all certificates it has signed, they barely even verify whether you are the owner of a domain and/or site. LE at least requires valid domain setups and unless you've been rooted (at which all bets are off regardless of your CA) you have to put up a challenge to make sure you can renew and certs are short enough in length that it both encourages automation and reduces the timespan attackers have to attack the weaker protocols.

The rest of your post is BS - you can do LetsEncrypt specifically via HTTPS (TLS-SNI-01 challenge which is described in the RFC) and most places have port 80 forwarded to port 443 being handled by the same daemon (apache or nginx) but it's also entirely possible to set up your own ACME CA protocol for internal usage or that uses alternative methods of verification.

Re:Too Slow

[Sloppy]

This had *nothing* to do with being kind to Symantec and the old Verisign business, it's all to do with giving users a chance to update their environment before everything breaks.

If an untrusted cert breaks things, then the user's browser is defective.

It should work, but the UI should indicate that it's not totally sure who the user is connected to. That's ok to do, because it's true. (An untrusted cert should never, ever have any negative consequences or keep things from working if the user so chooses; it should just have a lack of positive consequences.)

If we are still using defective browsers, then it is good to break things now, so that we'll have incentive to fix the browsers. Otherwise, this is going to keep happening whenever CAs fuck up.

We are institutionalizing CA unaccountability by saying "it needs to keep looking good" is more important than "it needs to accurately reflect how sure we are."

Re:Too Slow

[jawtheshark]

If you can hijack DNS, you can point it to a host under your control and do the verification with LetEncrypt using the current system. The current system doesn't protect you at all from DNS hijacking.

What great timing

[Holi]

My company just purchased new 3 year certs from Symantec.

Re:What great timing

[dkone]

On the converse, our company will be dropping Symantec AV in less than a month (which means we will have zero Symantec on our network). No more SEPM server, I really don't like using it. It is a huge PITA.

Windows Phone

[tepples]

We use Microsoft's equivalents

Including Microsoft's purported equivalent to Android? If so, how did you manage your migration from Windows Phone when Microsoft announced its end of life?

Re:Windows Phone

[TheRaven64]

Nope, just the Office 365 stuff (and their associated cloud file store thingy). I don't use it personally (except to get the bundled version of PowerPoint, because DARPA does so love PowerPoint slide decks), but it's popular in some other departments. My understanding is that the Android and iOS versions of Office give you a fairly seamless transition from their Windows Phone equivalents: just log in with the credentials and all of your files is available. We don't use their mail system, because our mail admins have been running our internal email system since before email went over the Internet and have more experience than any cloud provider is likely to have.