Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com)

Posted by BeauHD on from the heads-up dept.

When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.

HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abide by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority. For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.

8 of 177 comments (clear)

  1. Re:This not about security, because it does not he by thoughtlover · · Score: 4, Insightful

    ...not doing anything for security. It does create a false sense of security though (making things actually worse).../p>

    A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http. Seriously... I wish I was joking. My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.

    FF FTW, but even they're getting wonky. Pale Moon??

    --
    No sig for you! Come back one year!
  2. Re:This not about security, because it does not he by tepples · · Score: 5, Insightful

    Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt.

    I agree for a public site. But it's not quite free for a private web server behind the firewall of a home LAN. Like other CAs that web browsers trust by default, Let's Encrypt requires a fully qualified domain name, not an IP address in 192.168/16 or a hostname within a reserved TLD like .internal, and many dynamic DNS providers aren't on the Public Suffix List and/or don't support TXT records. Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?

  3. Re:This not about security, because it does not he by msauve · · Score: 3, Insightful

    Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  4. It eliminates Blue Coat by Anonymous Coward · · Score: 5, Insightful

    I sort of semi-agree. But...

    Lest you forget, Symantec gave root authority to Blue Coat, an firm selling network sniffing software.

    https://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/

    Which let Blue Coat fake certs for websites and browsers that did not authorize it. In effect Symantec authorized this man in the middle attack on their behalf.

    This was after an incident where Symantec were caught issuing fake Google certificates, which they claimed was 'testing/accidentally released'.

    This was after the Snowden reveal that some unnamed certificate authority had been issuing fake Google certs to NSA for intercepting Google's internal communications.

    So, it DOES help security, but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".

  5. Re:This not about security, because it does not he by hairyfeet · · Score: 4, Insightful

    Not just that but the whole "HTTPS equals security" is a fundamentally flawed concept because not only as you point out the CA system is a mess but there are so damned many sites where it makes ZERO sense to have it encrypted in the first place!

    I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2? Or the bazillion other websites that again only serve static .txt and .jpg images that haven't be updated in forever (and probably won't be) that were made before the whole HTTPS kick? The only excuse I've heard is "it keeps "teh gubmint" from listening in"...but they are in the backbone so I really don't see that making a diddly dick of difference and do I REALLY need to give a shit if some damn spook knows I like looking at ancient tech on some website made when Geocities was a thing?

    Finally with the CAs seeming to get pwned at least a couple times a year I don't even know if this should count as security theater anymore, maybe security karaoke? As in "pretends to be security but is about as good as your average barmaid trying to sing Patsy Kline on karaoke night?". So unless this is a way for GOOG to slurp down more data than a drunk at a free mini-bar (which really wouldn't surprise me) I'm really not seeing a big selling point for any of this, hell especially not from GOOG who just got who knows how many users pwned with their GOOG+ fiasco...whats the upside of this whole mess again?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  6. Re:This not about security, because it does not he by Anonymous Coward · · Score: 5, Insightful

    google isn't a net 'newbie' they're a net 'bully'. trying to force their way upon everybody.

  7. Re:This not about security, because it does not he by The+MAZZTer · · Score: 4, Insightful

    A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http.

    Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about,

  8. Re:This not about security, because it does not he by Pinky's+Brain · · Score: 3, Insightful

    Google's policies impose an opportunity cost for any CA issuing false certificates. CA's can still be abused, but that abuse turns a CA into a very expensive weapon which can only be used for a very limited time and then becomes useless. By showing that no CA is too big to fail they provide a valuable service. When abuse becomes more expensive, it's reduced ... capitalism works.

    Now I'd rather they support DANE, but even what they are doing now does improve matters.