
Google Details Plan To Distrust Symantec Certificates (tomshardware.com)

After deciding in March to distrust Symantec's certificates, Google has released a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators who use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (the next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1, or from any other CA trusted by Google's Chrome browser.
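As an added example (not code from the article, Google or Chrome), the following Python classifies a server certificate, in the dict layout returned by `ssl.SSLSocket.getpeercert()`, against the timeline above so an operator can see which Chrome release would stop trusting it. Matching "Symantec" in the issuer organizationName and reading the "December 1" date as December 1, 2017 are assumptions of this example; the certificate records are constructed, not captured.

```python
import ssl
from datetime import datetime, timezone

# Milestones from the distrust plan summarised above.
ISSUED_BEFORE_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)   # Chrome 66 rule
OLD_INFRA_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)      # year assumed from context


def _name_attr(rdn_seq, key):
    """Fetch one attribute (e.g. organizationName) from the nested tuple
    structure getpeercert() uses for 'issuer' and 'subject'."""
    for rdn in rdn_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def chrome_distrust(cert):
    """Return None (plan does not apply), 'chrome66', 'chrome70' or 'never'.
    Heuristic assumption: a cert is Symantec-issued when the issuer
    organizationName contains 'Symantec'; real chains also involve other
    Symantec-owned brands that this example does not enumerate."""
    org = _name_attr(cert.get("issuer", ()), "organizationName") or ""
    if "symantec" not in org.lower():
        return None
    # notBefore is in OpenSSL's 'Jun  1 00:00:00 2016 GMT' text form.
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued >= OLD_INFRA_CUTOFF:
        return "never"        # issued by the old infrastructure after cut-over
    if issued < ISSUED_BEFORE_CUTOFF:
        return "chrome66"     # distrusted from Chrome 66 (expected April 2018)
    return "chrome70"         # everything else Symantec-issued: Chrome 70


def _cert(org, not_before):
    # Constructed record mimicking the getpeercert() shape.
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "subject": ((("commonName", "example.test"),),),
            "notBefore": not_before}


SAMPLE_CERTS = {            # constructed samples, one per branch
    "old_symantec": _cert("Symantec Corporation", "Jan  5 09:34:43 2015 GMT"),
    "boundary_symantec": _cert("Symantec Corporation", "Jun  1 00:00:00 2016 GMT"),
    "late_symantec": _cert("Symantec Corporation", "Dec 15 00:00:00 2017 GMT"),
    "other_ca": _cert("DigiCert Inc", "Mar  2 00:00:00 2016 GMT"),
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(f"{label}: {chrome_distrust(cert)}")
```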

23 of 140 comments

  1. Google this, Google that by Anonymous Coward · · Score: 2, Insightful

    I think it's about high time we actively start working around Google.
    Sure, they used to be cool, like 20 years ago. Now they're just a power-hungry, privacy-eating machine and very far from doing "no evil"; they need to go.

    1. Re: Google this, Google that by Anonymous Coward · · Score: 5, Interesting

      What workaround? What company or service can you use to get the information or level of service you can by using Google products? If a new privacy-centric company came out and took over the world, they would become Google, with all of the same privacy concerns. Even a company you started and ran. Every single person on this planet would at some point make the exact same decisions Google has along the way. Unless you never get to this size and only stay a tiny fraction of a percent of the market. Then and only then will a company care about privacy. You sacrifice privacy in the name of convenience. Without convenience you can still have privacy. With convenience comes a lack of privacy. The more convenient our lives become, the less privacy there will be. In 100 years even someone like yourself or the most private, paranoid person will have ZERO privacy. The only people to have privacy then will be those using NO technology of any sort. So pretty much only the few Amish who remain alive in 100 years.

    2. Re: Google this, Google that by Anonymous Coward · · Score: 3, Interesting

      The company I work for uses Google for hosting emails, group discussions, videoconferencing, document management etc. I can't just opt out of using Google products and still be able to do my job.

  2. Let me by Ol+Olsoc · · Score: 3, Interesting

    Tell you about Symantec.

    I was working on the computer a few nights ago. I booted it up and started my browser. Up pops a screen that tells me that Symantec and Arris have entered into a partnership to keep me safe from malware.

    Hmm, that's odd. I do my own security, and it works pretty well. And I want nothing to do with Symantec.

    I try opening a few other web pages in Safari and then Firefox. Same thing happens.

    Crap - I think I've been nailed. Well, I have a good backup system. It will be a PITA, but whatever.

    So before I did that, I went back and looked at the browser hijack page. I click on the "why am I seeing this?" link. I get a "certificate not valid". Shit. I click on the Terms of Service link. Same thing. I try a few more random pages. Nothing works. And when you can't read the terms of service, something is really wrong. So I start to re-image the machine. This will take most of my evening away.

    I call Arris to tell them of the problem. And they tell me that this is a new feature they are rolling out to select customers.

    A few seconds while I absorb this. Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now! I told them their "service" presents as a browser hijack, I did not and would not sign any terms that I didn't accept when I bought the router, and if it wasn't gone immediately, I would box up the router, and return it to where I bought it, with a full explanation and review of the problem. So they then had to work with Symantec to kill what they had done.

    Sorry Symantec, take your browser hijack which won't let me access any websites unless I agree to terms that I cannot see, and bend over, and shove it up your anus as far as you can, using a pinecone, then a baseball bat, and after that, a dildo covered with sandpaper.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    1. Re:Let me by StikyPad · · Score: 4, Informative

      This isn't anything "on your computer," it's MITM JavaScript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything); rather, you need to opt out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

      WTF, this is supposed to be a site for nerds. It says so right there at the top.

    2. Re:Let me by jonnythan · · Score: 3, Funny

      I suppose being a nerd doesn't mean you actually know anything...

    3. Re:Let me by sinij · · Score: 5, Insightful

      Seeing a browser hijack and concluding your machine was pwned isn't unreasonable. Injection by an ISP is such sacrilege that it isn't something most techies would check as the first step.

    4. Re:Let me by DNS-and-BIND · · Score: 2

      It's commonplace in other parts of the world, China, India, Philippines, etc. They'll not only inject ads into your browsing session, but on mobile they'll put one of those Apple-style floating circles in the corner, to "help" you.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!

    5. Re:Let me by Anonymous Coward · · Score: 2, Insightful

      You called Arris? Arris doesn't do MITM, they do hardware. Your ISP does MITM. Time Warner (now Spectrum), Cox, Xfinity, or whatever, is your ISP. That's who you call. Also, Arris is in bed with McAfee, not Symantec. Are you using your ISP's DNS servers on your router? STOP DOING THAT IMMEDIATELY! Use OpenDNS, or Comodo, or Level3, or anything else! If you still see anything off, use a VPN.

    6. Re:Let me by chuckugly · · Score: 2

      You don't know how computers work, go play on Reddit.

    7. Re:Let me by Anonymous Coward · · Score: 2, Interesting

      As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

      They are wrong. That's why an average system needs dozens of weekly patches. That's why modern software still falls victim to the same old exploits. That is why my field exists.

      So I should probably give thanks for security incompetence to be the norm among even the most veteran programmers.

    8. Re:Let me by phantomfive · · Score: 4, Informative

      You shouldn't have an Arris modem anyway. They are back-doored, with hard-coded credentials. Arris security makes Equifax look like Fort Knox.

      --
      "First they came for the slanderers and i said nothing."

    9. Re:Let me by TheRaven64 · · Score: 2

      10 minutes? My laptop's SSD can manage 300MB/s sustained writes on a good day. Ten minutes is enough to write 175GB. The drive is 1TB and about 900GB is used. Assuming that I had the data in a form that I could just stream to the disk without the FS getting in the way, it would take around 50 minutes, and that's assuming that the SSD could actually sustain that write speed for that long (it can't). Either your system disk and your backups are NVMe, or you don't have much data on your computer...

      --
      I am TheRaven on Soylent News

    10. Re:Let me by AmiMoJo · · Score: 2

      ISPs have been screwing with HTTP for over a decade around here. When I have issues, the first thing I check is whether I'm not connected to my VPN for some reason, and whether I get the same result on a mobile connection. I've never had to go beyond checking those two so far.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  3. What about Firefox? by Anonymous Coward · · Score: 4, Interesting

    What's Mozilla's plan? Are they going to continue to trust the old certs?

  4. TRUST is supreme by swell · · Score: 4, Interesting

    Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

    They may have many products & services, or only a few, but without TRUST they have nothing.

    --
    ...omphaloskepsis often...

  5. Good, let's distrust these lying sacks by guruevi · · Score: 4, Informative

    Basically, what happened is that Symantec allowed "foreign entities" (in countries like China, Italy, Brazil, Korea, Japan, Spain, etc.) to create certificates using its root certificate.

    Initially someone pointed out that they were just signing a bunch of test domains that were actually registered, but both internal and external audits eventually found that they had delegated signing through cross-certificates to various banks and telecom agencies, and ~30,000 certs were being issued by these "Regional Authorities", including google.com and various of its subdomains.

    Symantec has proven not to be trustworthy: initially it appeared to whitelist NSA malware, and now we see that it's just giving away signing authority to international agencies and governments.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

    1. Re:Good, let's distrust these lying sacks by rudy_wayne · · Score: 3, Informative

      Here's the real problem:

      By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.

      Waiting a year is bullshit. All Symantec certs should be distrusted effective November 1 of this year, not next year. If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

    2. Re:Good, let's distrust these lying sacks by sinij · · Score: 4, Informative

      While I agree that Symantec should be taken behind a shed and shot right away, if we do it this way the ricochet will hurt a lot of innocent businesses that have nothing to do with this. A year gives them barely enough time to move out of the way.

  6. Too Slow by crow · · Score: 4, Informative

    They should have done this much faster. Once they decided there was a problem, tell people they have 90 days to get a new certificate. What's the big deal? For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

    There was no reason to give Verisign enough time to salvage their business and sell it off instead of just killing them the way they should have been.

    1. Re:Too Slow by phantomfive · · Score: 2

      If you want to, you can remove it from your own browser.

      --
      "First they came for the slanderers and i said nothing."

  7. Re: Should do the same with Google certificates by LesFerg · · Score: 2

    Brave seems a bit slow to start up and load the first page, otherwise the basic features seem to be ok.

    --
    If I had a DeLorean... I would probably only drive it from time to time.

  8. What great timing by Holi · · Score: 2

    My company just purchased new 3-year certs from Symantec.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.