Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com)
When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.
HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abides by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority. For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.
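To find out whether one of your own hosts is on the wrong side of this change, you need to look at who issued its certificate and when. The script below is an added example (not from the TechCrunch article, the Slashdot thread, or Scott Helme's scan) that classifies a certificate the way the distrust schedule does: Chrome 66 already rejected legacy Symantec-rooted certificates issued before 1 June 2016, and Chrome 70 rejects the rest of that PKI regardless of issue date. It assumes that matching the issuer's organizationName against the brand names the summary lists is a good enough first pass (a real audit should walk the chain to the root and match root fingerprints), and the three sample certificates are constructed, not captured from real sites.

```python
"""Flag certificates that Chrome's Symantec distrust will reject.

Added example; not from the article or the thread. The sample
certificates at the bottom are constructed in the shape that
ssl.getpeercert() returns.
"""
import socket
import ssl
from datetime import datetime, timezone

# Brands the summary names as part of the legacy Symantec PKI, as they
# appear in issuer organizationName fields (assumed spellings).
LEGACY_SYMANTEC_ORGS = {
    "Symantec Corporation", "VeriSign, Inc.", "thawte, Inc.",
    "GeoTrust Inc.", "Equifax", "RapidSSL",
}
# Chrome 66 rejected legacy-Symantec certificates issued before this date;
# Chrome 70 rejects the rest of that PKI whatever the issue date.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_org(cert):
    """Issuer organizationName from an ssl.getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def not_before(cert):
    """Parse notBefore ("Mar 15 00:00:00 2016 GMT") into a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(cert):
    """Return 'ok', 'blocked_since_chrome_66' or 'blocked_in_chrome_70'."""
    if issuer_org(cert) not in LEGACY_SYMANTEC_ORGS:
        return "ok"
    if not_before(cert) < CUTOFF:
        return "blocked_since_chrome_66"
    return "blocked_in_chrome_70"


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live site's leaf certificate (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (not real certificates).
OLD_SYMANTEC = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Symantec Intermediate CA"),)),
    "notBefore": "Mar 15 00:00:00 2016 GMT",
    "notAfter": "Mar 15 23:59:59 2019 GMT",
}
NEW_GEOTRUST = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "Example GeoTrust Intermediate CA"),)),
    "notBefore": "Jan 15 00:00:00 2018 GMT",
    "notAfter": "Jan 15 23:59:59 2020 GMT",
}
LETS_ENCRYPT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notBefore": "Sep 20 00:00:00 2018 GMT",
    "notAfter": "Dec 19 23:59:59 2018 GMT",
}

if __name__ == "__main__":
    for name, cert in (("old Symantec", OLD_SYMANTEC),
                       ("2018 GeoTrust", NEW_GEOTRUST),
                       ("Let's Encrypt", LETS_ENCRYPT)):
        print(f"{name}: {classify(cert)}")
```

To check a real host, pass `fetch_peer_cert("example.com")` to `classify`; the issuer you see there is the intermediate, which is why the brand-name match is only a first pass.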
None of the still-accepted certificates are any better. The CA system is fundamentally broken and what Google does here is not doing anything for security. It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
... I'm going back to IE on my XP.
It little behooves the best of us to comment on the rest of us.
...not doing anything for security. It does create a false sense of security though (making things actually worse)...
A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http. Seriously... I wish I was joking. My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
FF FTW, but even they're getting wonky. Pale Moon??
No sig for you! Come back one year!
Noooooo!
It's not about you. It's about the person viewing your site. Yes it does need a certificate. Imagine someone coming to your site is in a country where your content is illegal because thoughtcrime?
Or less extreme, imagine if someone were to MITM the traffic between your server and the client. They come to look at your stuff, but are instead served malware and since it's a man in the middle attack the customer and probably his/her AV believes it is your site doing the malware serving.
Do the world a favor, get a certificate for your site, even if it's just the free one from Let's Encrypt. It's easy and it's free and the only excuse not to have one in today's day and age is that you are a shill for the various TLAs that would love to get malware onto computers of people who come looking for your kind of content. The only question at this point is whether or not you are a willing shill.
Google forcing "security" on people it has already stolen identities from.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Who gives a rat's ass about symantec? Sheeple will adjust.
That's a truthful headline; the one on the article is speculative since it is unknown how many of the remaining sites will get new certificates by next week.
Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt.
I agree for a public site. But it's not quite free for a private web server behind the firewall of a home LAN. Like other CAs that web browsers trust by default, Let's Encrypt requires a fully qualified domain name, not an IP address in 192.168/16 or a hostname within a reserved TLD like .internal, and many dynamic DNS providers aren't on the Public Suffix List and/or don't support TXT records. Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
CAs might suck, compromised ones suck more but websites not keeping up should be shutdown.
Chrome 70's Upcoming Security Change Will Break Chrome.
The websites will still work just fine.
Certificate issuance has become yet another excuse to indulge rent-seeking behaviors. Just burn it all down.
Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"
"National Security is the chief cause of national insecurity." - Celine's First Law
I sort of semi-agree. But...
Lest you forget, Symantec gave root authority to Blue Coat, a firm selling network sniffing software.
https://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
Which let Blue Coat fake certs for websites and browsers that did not authorize it. In effect Symantec authorized this man in the middle attack on their behalf.
This was after an incident where Symantec were caught issuing fake Google certificates, which they claimed was 'testing/accidentally released'.
This was after the Snowden reveal that some unnamed certificate authority had been issuing fake Google certs to NSA for intercepting Google's internal communications.
So, it DOES help security, but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
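The "scream blue murder if the certificate changes" idea in the post above (and the certificate-pinning reply further down) is easy to prototype outside the browser. The code below is an added example, not from the thread and not HPKP: a trust-on-first-use store that remembers the certificate fingerprint and issuer it last saw for a host and reports a repeat visit as "ok", a new certificate from the same CA as "renewed", and a new certificate from a different CA as "ALERT" without overwriting the pin. It assumes a JSON file of your choosing for storage; the "certificates" inside `demo()` are constructed byte strings standing in for DER, so only the bookkeeping is exercised there, while `live_check()` fetches a real certificate if you have network access. Two design points: keying the renewal case on the issuer name is what keeps Let's Encrypt's short-lived certificates from alarming every few months, and the price of that is that a mis-issued certificate from the same CA would look like a routine renewal, which is the gap CA-level distrust and Certificate Transparency exist to cover.

```python
"""Trust-on-first-use pin store that alarms when a site's issuer changes.

Added example, not from the thread. Pins live in a JSON file whose path
you choose; demo() uses constructed byte strings in place of DER.
"""
import hashlib
import json
import socket
import ssl
import tempfile
from pathlib import Path


def fingerprint(der_cert):
    """SHA-256 over the DER encoding, the value browsers show as the fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    NEW, OK, RENEWED, ALERT = "new", "ok", "renewed", "ALERT"

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host, der_cert, issuer):
        """Compare what the host presented with what we recorded last time."""
        fp = fingerprint(der_cert)
        seen = self.pins.get(host)
        if seen is None:
            self.pins[host] = {"fingerprint": fp, "issuer": issuer}
            self._save()
            return self.NEW
        if seen["fingerprint"] == fp:
            return self.OK
        if seen["issuer"] == issuer:
            # Same CA, new certificate: a routine renewal. Record it.
            self.pins[host]["fingerprint"] = fp
            self._save()
            return self.RENEWED
        # Different CA: this is the case worth screaming about. The old pin
        # is kept so the next visit alarms again until a human clears it.
        return self.ALERT


def issuer_name(cert_dict):
    """Issuer organizationName / commonName from an ssl.getpeercert() dict."""
    parts = [value for rdn in cert_dict.get("issuer", ()) for key, value in rdn
             if key in ("organizationName", "commonName")]
    return " / ".join(parts)


def live_check(store, host, port=443, timeout=5):
    """Fetch the live certificate and run it through the store (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = issuer_name(tls.getpeercert())
    return store.check(host, der, issuer)


def demo():
    """First sight, repeat visit, renewal, CA switch, then reopen the store."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "pins.json"
        store = PinStore(path)
        host = "example.test"  # constructed host name
        results = [
            store.check(host, b"constructed-der-A", "Old CA"),
            store.check(host, b"constructed-der-A", "Old CA"),
            store.check(host, b"constructed-der-B", "Old CA"),
            store.check(host, b"constructed-der-C", "Other CA"),
        ]
        # The pin survives a restart: reopen the file and B is still pinned.
        results.append(PinStore(path).check(host, b"constructed-der-B", "Old CA"))
    return results


if __name__ == "__main__":
    print(demo())  # ['new', 'ok', 'renewed', 'ALERT', 'ok']
```
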
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
I shivered when I read that. Why would you even want your router or NAS web config accessible from outside your LAN?
And if they don't they get what they deserve.
Squatty Potty
Not Squatty Potty!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Even if one cannot open a connection to the device from the Internet, the CA still has to be able to resolve the device's name through the Internet in order to issue a certificate. Otherwise, you're stuck using self-signed certificates, and some mobile and set-top devices reportedly don't let the user examine the fingerprint of a self-signed certificate that a device presents to ensure that it is the intended certificate.
Besides, there are plenty of legitimate reasons to access network-attached storage over the Internet. You might trust it more than Google Drive or Microsoft OneDrive, for instance, or the storage connected to your single-board server might be bigger than the 2 GB that Dropbox gives you.
What's so "rent-seeking" about, say, Let's Encrypt? It issues trusted domain-validated certificates without charge to just about anyone who owns a domain name.
Not just that but the whole "HTTPS equals security" is a fundamentally flawed concept because not only as you point out the CA system is a mess but there are so damned many sites where it makes ZERO sense to have it encrypted in the first place!
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2? Or the bazillion other websites that again only serve static .txt and .jpg images that haven't been updated in forever (and probably won't be) that were made before the whole HTTPS kick? The only excuse I've heard is "it keeps "teh gubmint" from listening in"...but they are in the backbone so I really don't see that making a diddly dick of difference and do I REALLY need to give a shit if some damn spook knows I like looking at ancient tech on some website made when Geocities was a thing?
Finally with the CAs seeming to get pwned at least a couple times a year I don't even know if this should count as security theater anymore, maybe security karaoke? As in "pretends to be security but is about as good as your average barmaid trying to sing Patsy Kline on karaoke night?". So unless this is a way for GOOG to slurp down more data than a drunk at a free mini-bar (which really wouldn't surprise me) I'm really not seeing a big selling point for any of this, hell especially not from GOOG who just got who knows how many users pwned with their GOOG+ fiasco...whats the upside of this whole mess again?
ACs don't waste your time replying, your posts are never seen by me.
Sounds EXACTLY like what we had in the early 00s with IE...and we all remember what a clusterfuck that turned out to be. Protip: Having only ONE corp control the way sites are rendered on the net? Is a BAD THING because if it's one thing we should all know by now is that ALL of these corps are run by sociopath douchenozzles that will happily tilt the scales to give themselves a bigger slice of the pie.
Maybe it's about time we start talking about slamming GOOG with an antitrust and hopefully break them up? Because APPL and MSFT don't seem to have enough of the pie to be a real threat but with GOOG? Starting to look a little scary, little too much like MSFT of the late 90s.
google isn't a net 'newbie' they're a net 'bully'. trying to force their way upon everybody.
1 site in every 878 not working with a browser doesn't seem like much. Have things actually gotten that stable?
I don't think slashdot has been up 1/100th of the last year. Wasn't there an outage of several days less than a year ago?
Even Amazon has had significant outages this year. Netflix was down some. No site seems above having an outage. And even if they are, there are still many times a year that my own internet goes out - certainly more often than my electricity goes out.
The internet is not a stable, always up environment and likely never will be. Electricity distribution is over a century old and not yet stable. Water distribution is older than that and still goes out.
Why do people insist on making a big deal out of an outage for a tiny few irresponsible sites?
A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http.
Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about.
A company wants to make the internet safe for its own ads.
Find a better browser.
Domestic spying is now "Benign Information Gathering"
Re "Imagine someone coming to your site is in a country where your content is illegal because thoughtcrime?"
Such governments will have fully upgraded to tech that can track all their nations users browser uses.
A VPN would be of more help than a browser.
Let the rest of the world enjoy the internet and "that" country can have its users discover the better security of a great VPN.
Google's policies impose an opportunity cost for any CA issuing false certificates. CAs can still be abused, but that abuse turns a CA into a very expensive weapon which can only be used for a very limited time and then becomes useless. By showing that no CA is too big to fail they provide a valuable service. When abuse becomes more expensive, it's reduced ... capitalism works.
Now I'd rather they support DANE, but even what they are doing now does improve matters.
Apple owns almost half the mobile phone market in the US and probably over 3/4 of the ones owned by middle class and up consumers. They have just as much sway to force changes in CAs as Google, they are also distrusting Symantec BTW.
I've heard this before during a Trojan Commercial.
Let's hope that will help those people who bought hyper-expensive Verisign certs understand that for 1/10 of the price, they had a better working alternative.
Slashdot, fix the reply notifications... You won't get away with it...
Google changed the "don't be evil" line a while ago, it's now:
"Welcome to my underground lair."
There are two rules for success:
1. Never tell everything you know.
But "move fast and break things" is what "start-ups" are all about, innit?
You just have to suck up the inconvenience to belong. It's what we tell the users, so why can't google tell you?
What ever happened to "don't be evil?"
They removed that line for legal reasons. They could have been attacked on this, even in the past, "being evil" is too vague and subject to interpretation.
I have a domainname. Why would I be forced to use https://toaster.example.com/ when I browse to my Linux toaster, when just typing 'toaster'?
It is in no way connected to the internet.
Or try the domain hackme.houghi.org and see how that is connected. Excluding local IP addresses should be standard.
Don't fight for your country, if your country does not fight for you.
For an internal network you typically control all the endpoints, so you can create and trust your own CA...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Bad example. The conditions under which credit card entry is allowed is already incredibly strictly enforced, which includes not just the use of strong SSL ciphers, but also the handoff conditions. Requiring non related sites to use SSL does absolutely nothing here. The chance of MitM or government interference for a normal blog/image site is vanishingly small, for which you are being asked to give up your freedom. This isn't about your security, or the other ends security, this is all about requiring people to have identity papers on the internet. Google couldn't be more evil at this stage if they tried.
Even if the site is mundane and harmless, it can still be used to perform mitm attacks against the client.
On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.
If it's your internal network you can just create your own cert and add it to your local machine(s). That's how it's supposed to work.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
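The two replies above ("create and trust your own CA" and "create your own cert and add it to your local machine(s)") are the standard answer to the router/printer/NAS question, and the script below shows the whole loop end to end. It is an added example, not from the thread: it uses the openssl command line (1.1.1 or newer, assumed to be on PATH) to mint a self-signed root and sign a leaf certificate for an internal name, then starts a TLS listener on localhost and connects to it twice, once with the system trust store and once trusting only the new root. The hostname nas.home.arpa is a stand-in under the home-network domain reserved by RFC 8375, which is the kind of name a public CA cannot issue for; everything is written to a temporary directory and discarded. The point the demo makes is that the same certificate is rejected by a client using the public roots and accepted by a client that has the private root installed, which is exactly the "you control all the endpoints" condition the reply names.

```python
"""Private CA for a home LAN: mint a root, issue a leaf for an internal name,
and show that only a client trusting that root accepts it.

Added example, not from the thread. Assumes the openssl CLI is on PATH.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal openssl.cnf: subject comes from -subj, v3_ca marks the root as a CA.
REQ_CNF = """[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""

# Leaf extensions: a server certificate with the name in a SAN, which is
# what modern clients check (the CN alone is not enough).
LEAF_EXT = """basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{hostname}
"""


def _openssl(workdir, *args):
    subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)


def make_private_ca(workdir, hostname):
    """Write ca.pem/ca.key (the root) and leaf.pem/leaf.key for hostname."""
    with open(os.path.join(workdir, "req.cnf"), "w") as f:
        f.write(REQ_CNF)
    with open(os.path.join(workdir, "leaf.ext"), "w") as f:
        f.write(LEAF_EXT.format(hostname=hostname))
    # Self-signed root: the one file you install into each client's trust store.
    _openssl(workdir, "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", "ca.key", "-out", "ca.pem", "-days", "3650",
             "-subj", "/CN=Home Lab Root CA", "-config", "req.cnf")
    # Device key and CSR, then sign the CSR with the root.
    _openssl(workdir, "req", "-newkey", "rsa:2048", "-nodes",
             "-keyout", "leaf.key", "-out", "leaf.csr",
             "-subj", f"/CN={hostname}", "-config", "req.cnf")
    _openssl(workdir, "x509", "-req", "-in", "leaf.csr", "-CA", "ca.pem",
             "-CAkey", "ca.key", "-CAcreateserial", "-days", "825",
             "-extfile", "leaf.ext", "-out", "leaf.pem")


def _serve_once(srv_ctx, listener):
    """Accept one connection; a client that rejects our chain just hangs up."""
    conn, _ = listener.accept()
    try:
        with srv_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello from nas\n")
    except OSError:
        pass


def fetch_banner(port, hostname, cafile):
    """Connect as a client; cafile=None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.recv(64)


def demo(hostname="nas.home.arpa"):
    """Return {'system_roots': False, 'private_ca': True} for the same leaf."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        make_private_ca(d, hostname)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(os.path.join(d, "leaf.pem"), os.path.join(d, "leaf.key"))
        for label, cafile in (("system_roots", None),
                              ("private_ca", os.path.join(d, "ca.pem"))):
            listener = socket.socket()
            listener.bind(("127.0.0.1", 0))
            listener.listen(1)
            port = listener.getsockname()[1]
            worker = threading.Thread(target=_serve_once, args=(srv_ctx, listener))
            worker.start()
            try:
                results[label] = fetch_banner(port, hostname, cafile) == b"hello from nas\n"
            except ssl.SSLCertVerificationError:
                results[label] = False
            worker.join()
            listener.close()
    return results


if __name__ == "__main__":
    print(demo())
```

On a real LAN you would copy ca.pem (never ca.key) to each client: into Firefox's certificate manager, or the OS store (on Debian-family systems, drop it under /usr/local/share/ca-certificates/ and run update-ca-certificates), and keep the root key offline once the device certificates are issued.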
Actually Firefox is the same. Mozilla have been pushing for this change too.
And Google is somewhat ahead of the curve regarding CAs and security. They know the limitations, that's why Chrome now doesn't display information from enhanced certs. Google knows they are worthless and don't identify the owner of a site reliably, so they don't display them in a little green box next to the address bar any more.
It's actually pissing off a lot of CAs. Now that Let's Encrypt offers basic certs for free, and there is no real difference between basic certs and enhanced certs, they don't have anything to sell.
Why can't banks have other financial institutions sign their certs? Why can't Google, Facebook, Apple et al, hold a key signing party? Why can't lawyers get their certs signed by their bar association? Why can't government websites have certs signed by their governments, which in turn might be signed by other governments?
It doesn't stop CAs from being signatories too if somebody pays $$$ for them to do it. But when ONLY CAs are allowed to sign certs, the security of sites is brittle and expensive. And often the signature is worthless other than it makes some scary box go away on the browser.
Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt.
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
That is the general idea. No more anonymous sites not tied (by https cert) to physical person or entity. ... ...
We want to know who is publishing so we can sue or arrest that person or entity.
We do have lawyers/cops on retainer; they have not.
None of the still-accepted certificates are any better.
Citation Required. The system has a set of rules that are followed. The remainder of the still accepted certificates have been shown to be issued in good faith, which makes them better than those issued in bad faith.
The CA system is fundamentally broken and what Google does here is not doing anything for security.
By punishing people who don't live by the rules the system is self regulating. Google not doing anything would undermine / break the CA system which otherwise is working just fine.
It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.
I would call this horseshit, but to be honest that's an insult to horseshit.
My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
Err. no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.
That's bad op-sec. Any and all metadata that can be collected about you is dangerous, even if it seems trivial now. Everything should be encrypted by default, you should need a really really good reason to use plaintext.
Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware. Some ISPs have injected their own ads and tracking headers.
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
Why is this relevant in a discussion about a public site?
Why is this relevant when discussing a browser that still happily shows unencrypted communication?
Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about,
No one is sure about what the GP was talking about. To quote a really shit movie: "Amazing. Everything you just said was wrong."
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt
To you? No. Sounds like you're not in the position for being persecuted for a thought crime. I however would recommend against browsing innocent text in some countries, certainly not anarchists_cookbook_v1.0.txt.
And that's just it. It's not up to the content creator to determine if the viewer needs the expectation of privacy when viewing the content.
The browser belongs to the user. If he wants to see the site he should be able to do so regardless of what some google security "expert" thinks is appropriate. However the "I don't care if the cert is bad, just show me the damn site NOW!" option seems to be disappearing in browsers or if it's still there you have to click through half a dozen patronising Are you sure? links first.
How EXACTLY is some spook knowing I like ancient arches "dangerous" to me? Cuz I really want to hear this, it ought to be some grade A logic hoop jumping. What are they gonna do, point at me and scream "NEERRRRDDD!"? OMG, the NSA knows I like old CPUs and bad 70s and 80s TV, why my life is ruined!...Oh wait everybody already knows that.
And as far as a MITM? I have my browser locked down with Ublock AND Privacy Badger, the DNS automatically blacklists malware addresses (thx Comodo DNS, you work great) and I can literally push one button and have it restored to a previous state, oh and now everything but my gaming box is running Zorin OS and the only thing the gaming box has is Steam so...yeah GLWT.
Meanwhile many of the old sites I go to haven't changed in 20 years, haven't gotten any malware in said 20 years, hell they don't even support the level of Javascript required to spread modern browser based junk so...yeah I smell security karaoke. Oh and 1 final note...considering GOOG got its start up funding in part from the NSA? Frankly I trust anything GOOG does about as far as I can throw their server farm, 5 will get you 10 there is some way in this that will let them increase their spying, because lets face it that is all they've really been up to the past few years, seeing how much data they can slurp and resell.
Uhhh just looked at the latest figures and Apple's share is...11.9%, in fact according to Motley Fool they have been losing share worldwide for more than 6 months. Their market cap is so good frankly because they sell last year's tech at next years prices which gives them a hell of a profit margin.
And honestly the USA is a teeny tiny slice of the worldwide pie, with countries like BRIC making the USA look like small potatoes and its in those markets of tomorrow that GOOG is setting up a stranglehold that frankly MSFT of the 90s wishes it had. It's ironic too as they are using the same tactics MSFT did in the 90s with nasty contracts requiring the bundling of GAPPs and hiding more and more behind the Playwall thus making it harder and harder to have a functioning system without connecting it to GOOG.
So I'm not really worried about APPL, they like their profit margins too much to give up their high end niche status to go mainstream globally while GOOG is much more nefarious in that they don't want your money, YOU are the product they intend to sell. So...yeah maybe about time for a good old antitrust, although frankly we'd have better luck with the EU as the DoJ has been toothless in the USA for the better part of a decade now.
Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt
Yeah, and I'm sure you're happy to install their trojan on your machine and give it write access to your cert store so it can keep replacing the cert because they're too stubborn to issue certificates that last a year!
== Jez ==
Do you miss Firefox? Try Pale Moon.
Having a proper cert does not stop delivery of malware from a website. It WILL certify SSL delivery of the malware to your browser. Shill much?
What ever happened to "don't be evil?"
They removed that line for legal reasons. They could have been attacked on this, even in the past, "being evil" is too vague and subject to interpretation.
Occam's Razor tells me Google simply wanted to do evil.
Dragonfly confirmed it.
Although I agree with you that the CA stuff is a hindrance, the fact that non-https websites can be modified on the fly by hosts they pass through on the network is a problem too.
If you don't like the current system of certificate authorities and certificate transparency (which google championed), please tell me a better way for me to trust a site on the internet?
CAs are now audited and the auditing is getting much better. With certificate transparency I can check, near real time, every EV cert a CA issues. If they issue one in secret there is a high probability they will be caught.
Symantec should have been dropped a while ago, as they proved to be untrusted. They were just too big to drop immediately. (disclaimer. I worked for Entrust)
The API is documented. There are lots of clients available, and it's not very hard to write your own.
You've already lost more time confirming that using http to access ancient CPU designs is fine than you would have lost by using https instead of http. Just use https everywhere and you save time by not having to think about it.
> > Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
> Except that nobody has come up with a better way
The better way is called "certificate pinning" and it works just the way the GP described. Your browser won't accept a Symantec certificate for Google.com because it knows Google gets its certificates from a different CA.
Certificate pinning is opt-in for web sites, sites can decide if they want their certificate pinned, because they may want to change CAs in the future.
This move by Google is purely political.
It has everything to do with Symantec and Blue Coat merging. The fear being that certs would be issued to Blue Coat devices allowing them to MitM traffic.
Security Karaoke
Nice. Stolen.
Populus vult decipi, ergo decipiatur...
"Force shits upon Reason's back." - Poor Richard's Almanac
How EXACTLY is some spook knowing I like ancient arches "dangerous" to me?
Because some people will base passwords around stuff like that, or it can be used to craft highly tailored phishing attacks.
Probably it will not matter but it costs nothing in practical terms to live like it does.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.
I think you meant to say "captive portal systems break HTTPS sites, along with every other non-HTTP protocol".
Anyway, there has been a standard workaround in place for this problem for a while now. Devices detect captive portals by querying a well-known URL over HTTP; if they get an unexpected response they prompt the user to sign in to the network.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
That motto was officially dropped when Alphabet became the official parent of Google in 2015:
http://time.com/4060575/alphabet-google-dont-be-evil/
However, per the linked article they did replace it with a "positive" formulation for their code of conduct:
"Employees of Alphabet and its subsidiaries and controlled affiliates should do the right thing—follow the law, act honorably, and treat each other with respect," the new code reads, noticeably dropping the famous motto.
Maybe a few things not covered leave some scope creep for "evil" such as being sneaky and obfuscating how user data are monetized, licensed, and shared?
Nonsensical argument. If you want an anonymous site, to get closer to that you would buy/get third-party hosting, not run it on your own IP. There are legitimate reasons you want to be anonymous, maybe just to express an unpopular political opinion safely. If you get third-party hosting, the cert and IP used are those provided by the hosting provider. IPs are not private, so running an anonymous site on your IP is not private anyway, so the argument against not getting a cert is nonsense. If you don't want to get an official cert, self-sign instead. You're still better off than with nothing.
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2?
It's not about knowing what you read. It's about what they can do with the plain-text that is sent over the wire.
The NSA had an attack called "Quantum Insert" where they could inject malicious code into the HTTP reply to attack your browser. This is how they attacked employees of the Belgian telecom Belgacom and workers at OPEC:
* https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/
* https://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
It may look like "only .txt and .jpg images", but those images could have been injected with a zero-day.
Secondly, if all traffic is encrypted, they can no longer do wholesale surveillance by simply 'tapping glass'. If only the "important" things are encrypted, then over watchers will only focus on those folks encrypting traffic. If everything, even innocuous surfing, is encrypted, then it is harder to do traffic analysis: it is much harder to focus on "everything", and so it will encourage the powers that be to perhaps focus on the high risk individuals and leave the rest of us alone.
And as far as a MITM? I have my browser locked down with [...]
Good for you. Are your mom, dad, siblings, aunts, uncles, cousins, etc., all as awesome as you at OpSec?
There are several hundred million / few billion people online, and Google's actions are also about protecting the great unwashed security masses. It's not (just) about you.
back to firefox! About 45 other people I know as well are all moving back to Firefox as well. If they tell all their friends and they tell all their friends, hopefully chrome just dies. That useless piece of shit chrome is.
What is the US military has not stayed within the bounds and scope of our national borders four years US military is out of control. We have no claim to influence on events in the rest of the world. Every act of military force by the USA, outside our borders is an act of undue aggression upon territories which we do not and should not have any legitimate opinion or interference with. U.S. military is a bully because when it comes time to back the fuck off cuz it's not US territory they continually trespass and murder natives within their own countries
Your arguments don't make sense. First of all, Symantec was revoked because they were behaving much worse than any other CA. Basically, someone told Symantec, "I own this domain, give me a cert for it". And Symantec said, "okay, here you go", performing no real verification. Good CAs do not act that way. If you ask for a cert from Let's Encrypt, at least Let's Encrypt calls the domain name and asks, "hey, did you make this certificate request?" and if the site at the domain says "nope, I didn't", the cert request is denied. Symantec was not performing this most basic level of verification.
Some security is better than none at all, even with the imperfections. Also, "all sites don't need it" is also just flat out wrong. Someone could insert a trick link to an EXE in a site, even though the site seems harmless. You just don't want people messing with data in transit; TLS at least makes it a little bit harder to do that. The way you have it, you are making it as easy as it can be.
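The "Let's Encrypt calls the domain name and asks" step in the post above is the ACME http-01 challenge, and the mechanics are worth seeing in code because they explain why a domain-validated certificate proves control of the name and nothing more. The script below is an added example, not from the thread and not Let's Encrypt's or any ACME client's code: a toy CA hands out a random token, the site owner must serve token.thumbprint (the RFC 7638 thumbprint of their ACME account key) at /.well-known/acme-challenge/token on the domain, and the CA fetches that URL before it will issue. It assumes a dict standing in for DNS that points the domain at a local HTTP listener, constructed EC JWKs for the account keys (the key material is not real; only the thumbprint computation is), and a single vantage point where the real CA validates from several. The demo shows the three outcomes that matter: the owner passes, a stranger who requested a certificate for the same name fails because nothing is served for their token, and a token served under the wrong account key fails because the key authorization is bound to the account that asked.

```python
"""ACME http-01 domain validation, both sides, on localhost.

Added example; not Let's Encrypt's code. The account JWKs are constructed,
the 'DNS' is a lambda, and validation runs from one vantage point.
"""
import base64
import hashlib
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import URLError
from urllib.request import urlopen

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


class ChallengeHandler(BaseHTTPRequestHandler):
    """Site owner's side: serves the key authorizations it has been told about."""
    responses = {}  # request path -> key authorization string

    def do_GET(self):
        body = self.responses.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def install_key_authorization(token, account_jwk):
    """Site owner publishes token.thumbprint for the account that asked."""
    ChallengeHandler.responses[CHALLENGE_PATH + token] = f"{token}.{jwk_thumbprint(account_jwk)}"


class ToyCA:
    def __init__(self, resolve):
        self.resolve = resolve  # name -> (host, port); stands in for DNS
        self.pending = {}       # (domain, token) -> thumbprint of the requesting account

    def new_challenge(self, domain, account_jwk):
        token = b64url(os.urandom(32))
        self.pending[(domain, token)] = jwk_thumbprint(account_jwk)
        return token

    def validate(self, domain, token):
        """Fetch the key authorization from the domain itself and compare."""
        expected = f"{token}.{self.pending[(domain, token)]}"
        host, port = self.resolve(domain)
        try:
            with urlopen(f"http://{host}:{port}{CHALLENGE_PATH}{token}", timeout=3) as resp:
                return resp.read().decode().strip() == expected
        except URLError:  # 404, connection refused, timeout: not proven
            return False


# Constructed account keys: shape of an EC P-256 JWK, not real key material.
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"o" * 32), "y": b64url(b"w" * 32)}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"a" * 32), "y": b64url(b"t" * 32)}


def demo(domain="nas.example.test"):
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    ca = ToyCA(resolve=lambda name: server.server_address)
    try:
        # 1. Owner requests, publishes the key authorization, passes.
        t1 = ca.new_challenge(domain, OWNER_JWK)
        install_key_authorization(t1, OWNER_JWK)
        owner_ok = ca.validate(domain, t1)
        # 2. Stranger requests the same name; nothing is ever served for their token.
        t2 = ca.new_challenge(domain, ATTACKER_JWK)
        attacker_ok = ca.validate(domain, t2)
        # 3. Same token served under the owner's key: bound to the wrong account.
        install_key_authorization(t2, OWNER_JWK)
        wrong_key_ok = ca.validate(domain, t2)
    finally:
        server.shutdown()
        server.server_close()
    return {"owner": owner_ok, "attacker": attacker_ok, "wrong_key": wrong_key_ok}


if __name__ == "__main__":
    print(demo())
```

What this does not prove is who the owner is, which is the whole gap between a domain-validated certificate and the identity assurance people used to buy from the brands in the article; it also shows why an attacker who can answer HTTP for your name (a hijacked DNS record, a BGP detour in front of the CA) can get a certificate, which is what multi-vantage-point validation and Certificate Transparency monitoring are there to catch.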
I have put a free (and worthless) "let's encrypt" cert on my page to get around this problem.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You think certificates prevent state-actor MITM in actual reality? They do not and have not for at least a decade.
The CA system was a somewhat reasonable idea with a horrible execution and utter naivety on the side of its architects. It is broken and cannot be fixed.
Spot-on. They even try to "fix" TCP, apparently completely unaware that lots of really smart people have failed to do so before them. Not good. They are a Dunning-Kruger company by now.
Indeed. An HTTPS connection is very much _not_ a VPN tunnel, even if naive people may think so.
Uh, it's real simple. Google still provides search results via http. Not a lot there that's hard to understand. Try loading in a different browser and don't add the s after http. Not trying to be snarky, but it's not like it's hard to test on your own.
You are lazy and uneducated. Find your own citations, the relevant research has been around for at least a decade.
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2?
You may not care if someone knows you're looking at that site, but you should care that you only receive .txt and .jpg of ancient CPUs. Without https, a man-in-the-middle can inject whatever they want into the data, and hijack your system. Not a good thing.
Basically, it's the same reason that Linux vendors use crypto on their packages. Except they just use signatures rather than encrypting the actual data -- but nothing in the W3C standards supports just using signatures, so full encryption is the only available solution.
So, no. I don't care how old and static and simple your site is. You should be using https for the safety of your users.
(And no, it doesn't help Google collect data. It does, however, reduce the number of DDoSes and the amount of clickfraud they experience from pwned systems.)
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
I shivered when I read that. Why would you even want your router or NAS web config accessible from outside your LAN?
For that matter, why the heck would you do HTTPS on internal LAN? Wasting CPU cycles on something that shouldn't even be accessible from the outside world at all. Hell, if you want HTTPS on your LAN addresses, just generate your own certs and install your own root cert on client machines.
And as far as a MITM? I have my browser locked down with uBlock AND Privacy Badger, and the DNS automatically blacklists malware addresses.
First of all, none of that helps with a MITM attack which modifies the data coming to your system. It may help if the only thing injected is a url where the malware is located, but it doesn't help one bit if the malware is injected directly. The whole point of a MITM attack is that the data seems to be coming from the main host you're connected to.
Second, even if those were effective protection, they're only used by a tiny percentage of the population, and that's unlikely to change anytime soon. So the fact that your system wouldn't become part of a hostile botnet (if your protections were effective, which, again, they're not) doesn't mean that hostile botnets would become less common.
Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. Whatever happened to "don't be evil?"
You say this as if Google de-trusting this CA in October is a Google choice.
Firefox limited trust for this CA back in May already, and will be revoking it in October as well.
May 2018 (Firefox 60): Websites will show an untrusted connection error if they have a TLS cert issued before 2016-06-01 that chains up to a Symantec root.
October 2018 (Firefox 63): Removal/distrust of Symantec roots, with caveats described below.
Only Microsoft hasn't announced intent to do so for IE/Edge, in violation of the certificate authority standards I might add.
There are clear rules CAs must follow and they are not ignorant of this.
Symantec knew full well they would have all of their CA certs revoked from all web browsers the second they sold wildcard certificates for traffic interception systems.
This is no one's doing other than Symantec.
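The two-step schedule quoted above, applied to a certificate chain, as an added example that is not from the thread or from any browser's code. It reads the text that `openssl x509 -noout -dates -subject -issuer` prints for each certificate (leaf first); the sample chains are constructed, and matching the root by brand name is a simplification, since browsers identify the Symantec roots by the hashes of their public keys, not by their names.

```python
"""Added example, not from the thread: classify a chain against the Firefox
distrust schedule quoted above (pre-2016-06-01 leaves in Firefox 60, all
Symantec-rooted chains in Firefox 63). Sample chains are constructed."""
from datetime import datetime, timezone

CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)   # the Firefox 60 rule
# Legacy brands the article names as operated under Symantec's roots.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")


def parse_openssl_date(value):
    """openssl prints validity as e.g. 'Jun  1 00:00:00 2016 GMT'."""
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Pull notBefore, subject and issuer out of openssl's key=value lines.
    Only the first '=' separates key from value; DN values contain more."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return {
        "not_before": parse_openssl_date(fields["notBefore"]),
        "subject": fields.get("subject", ""),
        "issuer": fields["issuer"],
    }


def chains_to_symantec(chain):
    """True when the last certificate in the chain is issued under a legacy
    Symantec brand (roots are self-issued, so subject and issuer agree)."""
    root_issuer = chain[-1]["issuer"].lower()
    return any(brand in root_issuer for brand in SYMANTEC_BRANDS)


def classify(chain):
    """Early-issued leaves fall under the May step, everything else under
    the October step; non-Symantec chains are untouched."""
    if not chains_to_symantec(chain):
        return "unaffected"
    if chain[0]["not_before"] < CUTOFF:
        return "distrusted since Firefox 60 (May 2018)"
    return "distrusted from Firefox 63 (October 2018)"


# Constructed sample certificates (names and dates are made up).
OLD_LEAF = """notBefore=Mar  3 00:00:00 2015 GMT
notAfter=Mar  2 23:59:59 2018 GMT
subject=CN = www.example.com
issuer=C = US, O = Symantec Corporation, CN = Sample Symantec Intermediate CA"""
NEW_LEAF = """notBefore=Nov 20 00:00:00 2017 GMT
notAfter=Nov 19 23:59:59 2019 GMT
subject=CN = www.example.com
issuer=C = US, O = Symantec Corporation, CN = Sample Symantec Intermediate CA"""
SYMANTEC_ROOT = """notBefore=Jan  1 00:00:00 2008 GMT
notAfter=Jan  1 00:00:00 2038 GMT
subject=C = US, O = VeriSign, Inc., CN = Sample VeriSign-branded Root CA
issuer=C = US, O = VeriSign, Inc., CN = Sample VeriSign-branded Root CA"""
LE_LEAF = """notBefore=Sep 10 00:00:00 2018 GMT
notAfter=Dec  9 00:00:00 2018 GMT
subject=CN = www.example.com
issuer=C = US, O = Let's Encrypt, CN = Sample Let's Encrypt Intermediate"""
LE_ROOT = """notBefore=Jan  1 00:00:00 2015 GMT
notAfter=Jan  1 00:00:00 2035 GMT
subject=C = US, O = Internet Security Research Group, CN = Sample ISRG Root
issuer=C = US, O = Internet Security Research Group, CN = Sample ISRG Root"""

CHAIN_OLD = [parse_cert_text(OLD_LEAF), parse_cert_text(SYMANTEC_ROOT)]
CHAIN_NEW = [parse_cert_text(NEW_LEAF), parse_cert_text(SYMANTEC_ROOT)]
CHAIN_LE = [parse_cert_text(LE_LEAF), parse_cert_text(LE_ROOT)]

if __name__ == "__main__":
    for name, chain in (("old Symantec", CHAIN_OLD),
                        ("new Symantec", CHAIN_NEW),
                        ("Let's Encrypt", CHAIN_LE)):
        print(f"{name}: {classify(chain)}")
```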
Short version is it's impossible to have end-to-end security without protocol help. It's in part why intercepting proxies work - you're connected to something that presents the certificate you expect, doesn't mean it's the host. It's also why finding such proxies is child's play. Yes you little shitheads @Sandvine and Bluecoat, I know what networks you "power".
Certificate Pinning (AKA HSTS, or the various other means sites can use to report SSL certs used), do no such thing. Why? Because the "lists" are impossible to maintain and quite frankly I want nothing to do with 99.9% of the sites listed. They also make security weaker overall since there are very real reasons for wanting to MITM yourself. That happened the day they made it impossible to override HSTS.
What should happen is companies get used to people asking to verify their SSL fingerprint. It's pretty sad to see even tech departments have NFI what the fingerprint is, how to find it or even basic security skills. A certificate change SHOULD be something the end user is made aware of, it puts the burden back on companies to secure their fucking infrastructures and take security seriously. One excellent tool for this was Certificate Patrol. Why things like that aren't part of browsers by default I have no idea.... part of dumbing down everyone I guess.
https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
For that matter, why the heck would you do HTTPS on internal LAN?
Because a growing number of JavaScript APIs specify that they are available on HTTPS origins and http://localhost/ only, and nowhere else. One such API that is both limited to secure contexts and relevant to streaming a video from a home NAS is the Presentation API.
Hell, if you want HTTPS on your LAN addresses, just generate your own certs and install your own root cert on client machines.
Not all client machines make it practical to install a private root certificate, particularly mobile devices or set-top devices. Nor is it advisable to install a private root certificate on devices belonging to visiting friends and relatives if they want to watch a video that's on your NAS.
For an internal network you typically control all the endpoints, so you can create and trust your own CA...
Say you invite a friend or relative into your house and then invite him or her onto your guest network to view a video on your NAS. Is it typical in that case to install your root certificate on his or her machine? Because if so, that would let you MITM his or her traffic later on.
Please see my reply to Bert64, who suggested the same thing.
HTTPS certificates prove the integrity of the site you're visiting by ensuring the pages haven't been modified in some way by an attacker
What a misleading paragraph!
HTTPS prevents man-in-the-middle attacks; if the site you are reaching has been compromised and the code changed, https will not have any clue!!!
Except that certificate pinning is being deprecated in Chrome:
Certification Authority Authorization (CAA) seems to be the replacement for preventing misissuance.
It's all political at this point. How many times did COMODO screw up and they are still Trusted. Let's not talk about Let's Encrypt which passes out DV validated certs and does not even check there is some kind of payment method tied to them. Stupid
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
why the heck would you do HTTPS on internal LAN?
So that the device that your kid/S.O./friend/roommate/etc uses doesn't MITM you. So that someone doesn't do a drive by, hijack their way onto your wifi network, and sniff various credentials while you access your printer/router/iot-device/etc. So that all the awkward devices we're introducing to our homes (TVs, connected cameras, tablets, thermostats, lights, etc), which may rarely get patched, don't start sniffing your stuff after they're hacked.
Create your own local CA and sign some certs for those, and you're all set.
That does raise the question: where's the easy to use home appliance that mom and pop can plug in and use as their personal CA?
Or try the domain hackme.houghi.org and see how that is connected. Excluding local IP addresses should be standard.
Exactly this. More specifically, IANA defines 3 private subnets for internal use:
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms. Would that really be so hard??? IE doesn't even tell you when they've decided to block a page due to a TLS issue - you just get a generic "Page can't be displayed" error. Good luck figuring out why. A recent update started blocking some internal sites, so on a guess I decided to upgrade the SSL cert (it was valid, but still using the old SHA1). That fixed it, but IE would not tell me why.
This crap has to end. Yea, maybe I want in-motion encryption for my internal network, just to make sure there are no plain-text credentials exposed on the wire. That's cheap and easy with self-signed or internal CA techniques. AP5.floor2.local isn't on the Internet, that IP isn't publicly routable, and that wiring closet is still locked. WTF are you questioning my certificate?
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
Err, no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.
It's probably viewable. But Chrome puts this scary "Not secure" banner at the top of the page, prompting visitors who don't know what's going on to leave right away.
Thanks for the reminder. I had seen that before but forgot.
You are correct, it is slated for removal after it is replaced with Certification Authority Authorization and Expect Certificate Transparency. High risk sites such as banks can implement both pinning and Expect-CT, along with HSTS, to be protected both now and in the future.
Before implementing pinning, one should consider the potential problems that can occur if you lose your key and make darn sure there is a secured off-site backup of the key.
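The layered setup this reply describes, as an added configuration example that is not from the thread: HSTS and Expect-CT headers in nginx plus CAA records in DNS. HPKP is left out because, as noted above, Chrome is deprecating it; example.com, the file paths and the report URI are placeholders.

```nginx
# Added example (not from the thread). example.com, file paths and the
# report URI are placeholders.
#
# DNS side (BIND zone syntax), published for example.com. CAA limits which
# CAs may issue for the name at all: "issuewild" with ";" refuses wildcard
# issuance by any CA, and "iodef" tells a CA where to report a request it
# had to refuse because of these records.
#   example.com.  IN CAA 0 issue     "letsencrypt.org"
#   example.com.  IN CAA 0 issuewild ";"
#   example.com.  IN CAA 0 iodef     "mailto:security@example.com"

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # HSTS: for a year, browsers upgrade every request to HTTPS and refuse
    # to let the user click through a certificate error for this site.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Expect-CT: browsers reject certificates for this site that are not
    # logged in Certificate Transparency, so a mis-issued certificate shows
    # up in the public logs. Roll out without "enforce" first and watch the
    # reports before switching enforcement on.
    add_header Expect-CT 'max-age=86400, enforce, report-uri="https://example.com/ct-report"' always;
}
```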
Some ISPs have injected their own ads and tracking headers.
Ding ding! That's the real reason Google is promoting this crappy https everywhere propaganda. To get rid of any and all competition.
Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware.
TLS is NOT going to stop that. Google's blacklist is what stops that. And, sites serving malware can be detected MORE QUICKLY if they are not encrypted.
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms.
Cool, so when I'm at a coffee shop, and someone hijacks the DNS and redirects my bank's site to 192.168.0.3, doing a MITM with a self-signed cert, that should be accepted by the browser? It's OK because it's a private subnet!
Google had fucked me over a few times in the last 18 months. I've had enough.
Apple owns almost half the mobile phone market in the US
Uhhh just looked at the latest figures and Apple's share is...11.9%
40% of shipments in 2018 Q2
53.7% based on browser data (?)
That's great, but none of that will stop a MITM attack.
You are not alone. This is not normal. None of this is normal.
Because my router was made in China and I'm fairly confident it sends surveillance data about everything I do back to the mother ship. I accept the Chinese router because I encrypt my local traffic.
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms.
Cool, so when I'm at a coffee shop, and someone hijacks the DNS and redirects my bank's site to 192.168.0.3, doing a MITM with a self-signed cert, that should be accepted by the browser? It's OK because it's a private subnet!
If you think these browser "features" can protect your data from capture when you're on a public wifi connection, I've got some bad news for you...
Yes, it is. SSL is as much about authenticating a site as it is about preventing the conversation from being listened to. That's why you get warnings for invalid certificates - the entire point of the warning is that the browser can no longer be confident that there isn't a MITM. It's also why Google is deprecating this CA, because Google cannot be confident there's no MITM for certificates the CA in question has signed.
The only ways to perform a MITM trick with an SSL site are:
1. Steal the target website's certificate.
2. Somehow hack the victim's computer and install a fake CA on it.
3. Use a dubious CA to sign a fake cert.
And this article is an example of web browser makers preventing (3) from happening.
Or, just use one of many numerous exploits to install malware on the real site. It's a lot easier. It's not going to prevent you from getting malware. Sure, it may stop one of these specific MITM attacks, but they aren't really very common anyway, are they?
The really easy way is to set up a real site with a real cert and start advertising on Instagram. You can push out a lot of malware that way.
This is just security karaoke (yea, I stole it).
Specifically, it is not possible to do on Android N or later unless you compile the web browser yourself or at least decompile, edit, and recompile the apk.
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
TLS itself as well as browser enforcement are designed to protect against the same kind of threats on your home network as on public WiFi. It's assumed that the network link can be monitored and modified at will, so there shouldn't be a difference.
My point is weakening those restrictions for "private" subnets will have much greater consequences than just your home network, and doing that because a power user can't or won't use a FQDN to access an internal network resource will have a much larger impact on regular users elsewhere.
The websites are not broken just because Google does not like who issued their certificate. It's Chrome that is broken, and it always has been from a security standpoint! Google uses Chrome to collect user info and track user's web usage, just like any Android phone does! Sorry, Google has proven to me that they can't be trusted any more than Micro$haft can!!!
Not on Android N, unless you either only use the default browser or are willing to compile said apps (firefox, kodi, etc) yourself or decompile the apk, edit it, and then recompile it yourself.
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
You are lazy and uneducated. Find your own citations, the relevant research has been around for at least a decade.
Are you serious?
The point of the certificate is to ensure that you are talking to who you think you're talking to, that no one intercepted the message in transmission.
If a cert has been compromised and anyone can pretend to be that entity, then that breaks the system. Google is refusing to validate certificates that have been stolen. Therefore, Google Chrome will be the only browser where HTTPS proves your data hasn't been hijacked in transmission.
It's pretty damn simple. If anyone is lazy and uneducated it's you. Just get on Wikipedia and learn how https works.
Again, that is not possible on Android N or later unless the app specifically opts in, which most won't, including most browsers and media players. That means either compiling everything yourself (if possible) or decompiling the apk, manually editing it, then recompiling it, both of which are far more complex than simply generating and using a self-signed cert or CA.
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
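The opt-in these posts refer to is the app's network security config, shipped inside the APK. Added example, not from the thread or from any of the apps named: it keeps the Android N default (system roots only) for everything and honours user-installed CAs, such as a home CA, only for one placeholder host.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the thread). Saved as
     res/xml/network_security_config.xml and referenced from the
     <application> element in AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config".
     nas.home.example is a placeholder hostname. -->
<network-security-config>
    <!-- Default for all of the app's traffic: the Android N+ behaviour,
         system roots only, so a user-installed CA cannot intercept it. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow opt-in: user-installed CAs are trusted only for the home
         NAS, which is where the self-signed or private-CA cert lives. -->
    <domain-config>
        <domain includeSubdomains="true">nas.home.example</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```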
TLS itself as well as browser enforcement are designed to protect against the same kind of threats on your home network as on public WiFi. It's assumed that the network link can be monitored and modified at will, so there shouldn't be a difference. My point is weakening those restrictions for "private" subnets will have much greater consequences than just your home network, and doing that because a power user can't or won't use a FQDN to access an internal network resource will have a much larger impact on regular users elsewhere.
That should be my call, not that of some faceless corporations focused on their bottom line.
You don't, but going to change a setting on your printer at http://192.168.1.5/printer-conf.html in Chrome is going to get you "ERROR! EVIL HACKERS ARE TRYING TO KICK YOUR DOG!"
Do you expect your grandmother to add a certificate to her browser store because she bought a new shiny wifi printer?
12.1% of new smartphone sales for 2018 QC
I'm not sure what % of shipments measures or whether it's better than the link I quoted, but the available statistics diverge rather ... sharply.
Stupid indeed. And from a security point-of-view, almost worthless.
Can't say I disagree.
I thought the network security config in the Google Chrome and Mozilla Firefox APKs was set to opt in to user certificates.
Why is this relevant in a discussion about a public site?
It is intended as a reminder that not all sites are public, and not all parties involved in this policy change have adequately addressed the effect of this policy change on private sites.
Why is this relevant when discussing a browser that still happily shows unencrypted communication?
A browser doesn't "happily show[] unencrypted communication" if it involves a JavaScript API that is reserved for secure contexts.
I did several searches on Google and couldn't find anything.
What are good terms to use?
As for a real answer, the burden of proof lies on the accuser, not just, "I'm right, you prove it."
That wouldn't go too well in a court.
You're the one who seems lazy.
Ad hominem attacks don't help, I only used the lazy word because you did.
P.S. I wasn't reading the comments too carefully and may agree with you, I just noticed your way of saying it.
It's actually possible I was wrong but even if I am your comment still seems off.
Why don't you guys have friends or journals?
Don't use that JavaScript API then. Seriously, 99.99% of users will be completely affected by this. The use of secure_contexts is basically non-existent.
This will mostly affect developers. You know, the kinds of people who are capable of setting up a CA to self-sign certs and add their root certificate to the browser on their dev machine anyway.
But Chrome puts this scary "Not secure" banner at the top of the page. Prompting visitors to leave right away that don't know what's going on.
Oooooooh scary, some text in a banner advert. ... But are you providing a secure service?
I will straight up say bullshit. Users haven't been scared by "Not Secure" text ever. It's been an uphill battle to prevent people from simply handing over their CC information in such pages.
Wouldn't it rather break Chrome not the sites? Sites will keep being there unchanged but the Chrome users will get shafted by imposed semi-security.
You are lazy and uneducated. Find your own citations
Educate me. I want to learn, but if you're going to make extraordinary claims then you best be able to back them up.
There's plenty of evidence that has been around for a decade, and that is evidence that shows misbehaviour of the CA process is appropriately punished and frequently able to sink entire certificate authorities. The system is working as designed.
Don't use that Javascript API then.
If you treat secure context gated APIs as if they do not exist, then your NAS's HTTP interface won't be able to use the Presentation API, which allows streaming videos stored on the NAS to second screen devices such as a Chromecast. Nor will your NAS be able to include an app that allows offline editing with sync once you return home, as Service Workers are for secure contexts only. There are even hints that the Fullscreen API itself will be made for secure contexts only in order to plug a phishing vulnerability.
You know, the kinds of people who are capable of setting up a CA to self sign certs and add their root certificate of their dev machine to their browser anyway.
A manufacturer of a network appliance containing a web server, such as a router or NAS, would need to automate the provision of a domain name and certificate to each person who buys such an appliance. A developer who makes a web application available for download and installation on a user-owned single-board computer, such as a Raspberry Pi, would need to automate the provision of a domain name and certificate to each person who installs said web application.
They might not be, but if they are confronted with a world where poor behavior actually has consequences, they might become so.
This is not an extraordinary claim at all.
Try googling "certificate system broken", for example; it gives you lots of hits.
Here you can see a reputed expert not even commenting on why the system is broken, because everybody knows it:
https://www.schneier.com/blog/...
I did several searches on Google and couldn't find anything.
Try "certificate system broken", maybe? Your Google-Fu seems very weak....
As for a real answer, the burden of proof lies on the accuser, not just, "I'm right, you prove it."
That wouldn't go too well in a court.
You are badly wrong. This is not an "accusation", it is a statement of fact and the fact is well established. You would not require a proof or reference that water is wet, would you? As to court: That is a collection of non-experts. What they do is pull in an expert (or several) and then believe what they say.
Here is a reputed expert that does not even think he needs any explanation when stating the fact (and he is right):
https://www.schneier.com/blog/...
You are arrogant, lazy and uneducated and, on top of that, out of contact with reality. The CA system is broken. It does not give you any assurances anymore because it is utterly compromised.
Incidentally, I learned how the CA system works around 30 years ago and at that time, there was some expectation that it could actually work. These have proven to be overly optimistic as greed, stupidity and arrogance have made it very simple to get compromised certificates (even EV ones). You can even buy them as a service: https://www.deepdotweb.com/201...
That's probably worldwide market share, where Pinky's Brain (#57449228) was talking about US market share, as I quoted.
What you gain with HTTPS in that case is confidence that the data has not been changed en route.
You could get that with a digital signature, but encryption isn't much more work and gives you privacy in addition to data integrity (that is, the data is the same as when it was sent, not that it is correct).
This might not mean much to you, but it is a thing that you gain.
One group of asshole corporate-feudalists are saying another group of asshole corporate-feudalists aren't trustworthy? Well, did it ever occur to folks that the whole system SSL established is based on one group of bean counting weasels telling other weasels about "trust". Mother fucking corporations shouldn't be even allowed to utter or write the word "trust". There is nobody I trust less, and their mewling about "Hey, they aren't trustworthy!" means four fifths of five-eighths of fuck all to me. The whole system of trust in SSL is fucking BROKEN. I don't trust any CA to do proper due diligence. They are all cheap and don't do a good job (as someone who has done an awful lot of CSRs). They don't even do an adequate job. Crowd sourcing trust from someone other than a corporate jackbooted firm like Verisign/Symantec would be welcome.
then your NAS's HTTP interface won't be able to use the Presentation API, which allows streaming videos stored on the NAS to second screen devices such as a Chromecast
Good. Users need to be protected from themselves. Seriously, you need a web based JavaScript API to stream content? Who the hell designed your NAS?
Nor will your NAS be able to include an app
Apps? Since when does Chrome's implementation of the API matter for apps? Or do I need to question who designed the damn app too?
A manufacturer of a network appliance containing a web server...
Should have no problems working around the manufactured examples you gave. I think you'll find most fully functional and capable devices pre-date all your fancy JavaScript APIs. If anything it may resolve this stupid obsession with "have API, must write code" that seems to infect so much software these days.
Thanks for pointing out that example.
It's two sentences long but it shows a lot. It shows that experts don't comment on things or back up their claims, while appealing to authority (a logical fallacy).
It also shows how experts can be very wrong citing a case of a "broken" system where a CA did something shady and instantly had their trust certificate revoked.
i.e. System worked as intended. CAs punished, users are secure.
Can you provide examples for your side of the argument too, or are you only going to provide good examples for my side? Quite frankly you're helping me a lot here. If you don't realise this then maybe you should watch who you call uneducated.
However I don't think you're this stupid. You're just trolling.
Seriously, you need a web based javascript API to stream content? Who the hell designed your NAS.
When a web browser's video controls are inadequate, then yes, you need a player script to present controls that let the user send a video into the full screen or onto a second screen.
Apps? Since when does Chrome's implmementation of the API matter for apps?
I didn't mean "app" as in native application; I meant "app" as in web application. Chrome's implementation of an API designed for web applications obviously matters to developers of web applications.
Feel free as I believe in free as in freedom so all my comments? Are licensed under BSD so do as you will and HAND!
ACs don't waste your time replying, your posts are never seen by me.
Yay! We should make "Security Karaoke" the new definition of beyond useless "security" beyond security theater, after all you CAN have good theater....ever seen good karaoke in a bar on any given night? I know it makes me think of some drunken barmaid trying to sing Crazy by Patsy Cline and butchering that high note so bad it sounds like a kitten in a blender!
So forget Security Theater, when security ideas get THIS stupid? There really is only one description...Security Karaoke!