Google Details Plan To Distrust Symantec Certificates

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.

What about Firefox?

What's Mozilla's plan? Are they going to continue to trust the old certs?

Re:Let me

[StikyPad]

This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

WTF, this is supposed to be a site for nerds. It says so right there at the top.

TRUST is supreme

[swell]

Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

They may have many products & services, or only a few, but without TRUST they have nothing.

Good, let's distrust these lying sacks

[guruevi]

Basically, what happened is that Symantec allowed "foreign entities" (in countries like China, Italy, Brazil, Korea, Japan, Spain etc) to create certificates using it's root certificate.

Initially someone pointed out that they were just signing a bunch of test domains that were actually registered but both internal and external audits eventually found that they had delegated signing through cross-certificates to various banks and telecom agencies and ~30,000 certs were being issued by these "Regional Authorities" including google.com and various of it's subdomains.

Symantec has proven to not be trustworthy, initially it appeared to whitelist NSA malware, now we see that it's just giving away signing authority to international agencies and governments.

Re:Good, let's distrust these lying sacks

[sinij]

While agree that Symantec should be taken behind a shed and shot right away, if we do it this way ricochet will hurt a lot of innocent businesses that have nothing to do with this. Year gives them barely enough time to move out of the way.

Re:Let me

[sinij]

Seeing browser hijack and concluding your machine was pwned isn't unreasonable. Injection by ISP is such sacrilege that it isn't something most techies would check as the first step.

Too Slow

[crow]

They should have done this much faster. Once they decided there was a problem, tell people they have 90 days to get a new certificate. What's the big deal? For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

There was no reason to give Verisign enough time to salvage their business and sell it off instead of just killing them the way they should have been.

Re: Google this, Google that

What work around? What company or service can you use to get the information or level of service you can by using Google products? If a new privacy centric company came out and took over the world they would become Google. With all of the same privacy concerns. Even a company you started and ran. Every single person on this planet would at some point make the exact same decisions Google has along the way. Unless you never get to this size and only stay a tiny fraction of a percent of the market. Then and only then will a company care about privacy. You sacrifice privacy in the name of convenience. Without convenience you can still have privacy. With convenience comes a lack of privacy. The more convenient our lives become the less privacy there will be. In 100 years even someone like yourself or the most private paranoid person will have ZERO privacy. The only people to have privacy then will be those using NO technology of anysort. So pretty much only the few Amish who remain alive in 100 years.

Re:Let me

[phantomfive]

You shouldn't have an Arris modem anyway. They are back-doored, with hard-coded credentials. Arris security makes Equifax look like Fort Knox.