Slashdot Mirror

← Back to Stories (view on slashdot.org)

Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates (bleepingcomputer.com)

Posted by msmash on from the taking-a-stand dept.

Starting today, Google Chrome will show a full-page warning whenever users are accessing an HTTPS website that's using an SSL certificate that has not been logged in a public Certificate Transparency (CT) log. From a report: By doing so, Chrome becomes the first browser to implement support for the Certificate Transparency Log Policy. Other browser makers have also agreed to support this mechanism in the future, albeit they have not provided more details. This new policy was first proposed by Google engineers in 2016, and was scheduled to enter into effect in October 2017, but was later delayed for 2018.

9 of 172 comments (clear)

  1. Another Google metadata sink? by Anonymous Coward · · Score: 4, Insightful

    So how is this going to be implemented? Every SSL cert is going to be sent to Google for "verification" or is the CT log going to be local and the browser will just search it every time?

    1. Re:Another Google metadata sink? by houstonbofh · · Score: 4, Insightful

      I am ready to break all cert warnings entirely. As a networking professional logging into self signed certs all day, the cure is FAR worse then the disease!

    2. Re:Another Google metadata sink? by Bert64 · · Score: 4, Insightful

      You shouldn't be doing that, your networking devices should have proper certs or your client system should be configured to trust a corporate CA and the network devices then have certs from that. Chances are your job requires you to have elevated privileges on all manner of important networking devices, if someone was able to MITM you they could steal some powerful credentials.

      The only times you should be logging into a device that uses a self signed cert are:

      1, initial configuration
      2, testing

      In the same vein however, it seems browsers are disabling support for weaker algorithms by default, and preventing you from turning them back on. This represents a significant problem, as there are all kinds of old devices which we still need to access for various reasons.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Another Google metadata sink? by caseih · · Score: 5, Insightful

      Are you joking? Self-signed certificates are secure, arguably more secure than commercial CA-signed certificates because I had to register each and every one with the browser. I created the certs myself. A MITM attack is *instantly* detectable to browsers (and to me), unlike a MITM attack using bonafide signed certificates from a breached certificate authority. Browsers make using self-signed certificates somewhat awkward, which is unfortunate. Firefox tells me, incorrectly, that my self-signed certificate is not secure. That is complete nonsense of course.

      Another secure method is to sign with your own certificate authority. Then you just have to convince the browser once to take your CA cert. Like the self-signed certificates, MITM attacks are instantly detectable. This method is preferable to self-signed certs when you have deal with more than a few.

      In my mind for internal servers and devices, my own certificate authority is far more secure than using something like Let's Encrypt.

  2. Er, what about LetsEncrypt by Anonymous Coward · · Score: 0, Insightful

    While most SSL certificates are nothing but a 1/2 page file of random text they can cost upwards of 600$. I've been utilizing LetsEncrypt because...honestly your system can create these certs for free, having them being sold is beyond stupid for a file that isn't even as big as a happy face jpg.

    No one really wanted centralized paid certificate authorities in the first place. Lets encrypt rose out of the backlash from people like me who thought the whole thing with paying money for something so small was beyond stupid and having all these browser warnings about it etc was also equally stupid.

    What should the solution be? NO WARNINGS! That way we do not need lets encrypt or anyone else, if the site has an SSL certificate than it is encrypted and that should be the end of the story, where the cert came from who verified it who it is registered to make no difference what so ever the only thing that matters is that your communication is encrypted. The warnings they put up make it seem like if I didn't go with letsencrypt and just used a self signed certificate that I am out to steal money or perform some other criminal nefarious act and this is absolutely bull. Regardless of wether an SSL certificate is from an authority or self signed the data flowing between client and server is encrypted.

    I get leary when I hear they are going to make the warnings etc even worse when they already go too far in my opinion and make people alarmed and scared over absolutely nothing. Encrypted traffic is encrypted traffic and that is that. There is no need for any 3rd party doing 'verification' of any kind because verification does not create the encryption, verification does not enhance encryption, verification does nothing.

    1. Re:Er, what about LetsEncrypt by crow · · Score: 4, Insightful

      No, we need warnings for certificates that aren't trusted. Otherwise SSL does nothing to prevent man-in-the-middle attacks.

      What would be ideal is to support secure DNS with certificates in the DNS. Then you know you have the right certificate and don't need any certificate authorities at all. Of course, you have to trust the secure DNS. so it's just pushing the trust problem down the road.

    2. Re:Er, what about LetsEncrypt by Actually,+I+do+RTFA · · Score: 4, Insightful

      No, we need warnings for certificates that aren't trusted. Otherwise SSL does nothing to prevent man-in-the-middle attacks.

      Sometimes, not protecting against a MITM attack is fine and I don't need to worry about preventing it. Examples include "being on a LAN and accessing something that is required to be behind https by W3C standards" or "local development of secure services before they're uploaded to test".

      --
      Your ad here. Ask me how!
  3. Re:this is starting to feel like email by Anonymous Coward · · Score: 3, Insightful

    Gotta keep throwing up those barriers to entry. Can't have the small fry getting in on Google's take, now can we?

  4. Self-signed certs don't block first-visit MITM by tepples · · Score: 1, Insightful

    We should allow free self signed certificates with no warnings. I should not have to link myself up to some 3rd party of any kind to operate my website.

    Under your proposal, what distinguishes the self-signed certificate that you generated for your domain from the self-signed certificate that the operator of an intercepting proxy (a "man in the middle") generated for your domain, particularly on a client's first visit?