Slashdot Mirror


Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com)

When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.

HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abides by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority.
For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.
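To see whether a site you operate is in the affected set, the rule the report describes (a legacy Symantec-brand issuer plus an issue date before June 2016) can be checked against the fields Python's `ssl` module exposes. The script below is an added example, not code from the article or from Chromium; it is a name-based heuristic on the issuer organization, whereas Chromium's own logic keys on specific root certificates, and the sample certificate dicts are constructed, not captured from real sites.

```python
"""Heuristic check for the Chrome 70 Symantec distrust (added example).

Approximates the rule as the report states it, using the fields that
ssl.SSLSocket.getpeercert() exposes: a legacy Symantec brand in the
issuer and an issue date before June 2016. Chromium's real logic keys
on root certificate hashes rather than issuer names."""
import socket
import ssl
from datetime import datetime, timezone

# Brands named in the report as part of the legacy Symantec PKI.
LEGACY_SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust",
                          "equifax", "rapidssl")
# Certificates issued before June 2016 are the batch the report describes.
DISTRUST_BEFORE = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return issuer organizationName from a getpeercert() dict, or ''."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return ""


def will_chrome70_distrust(cert):
    """True when the cert matches the legacy-Symantec, pre-June-2016 rule."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in LEGACY_SYMANTEC_BRANDS):
        return False
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    return issued < DISTRUST_BEFORE


def fetch_leaf_cert(host, port=443):
    """Fetch a live site's leaf cert as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certs in getpeercert() layout (not from real sites).
OLD_SYMANTEC_CERT = {"issuer": ((("organizationName", "Symantec Corporation"),),),
                     "notBefore": "Mar  3 00:00:00 2016 GMT"}
NEW_OTHER_CA_CERT = {"issuer": ((("organizationName", "Example CA Inc"),),),
                     "notBefore": "Sep 10 00:00:00 2018 GMT"}
```

For a live check, pass `fetch_leaf_cert("your-site.example")` to `will_chrome70_distrust`; a `True` result means the certificate should be replaced before the Chrome 70 release.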

3 of 177 comments

  1. This not about security, because it does not help by gweihir · Score: 4, Interesting

    None of the still-accepted certificates are any better. The CA system is fundamentally broken and what Google does here is not doing anything for security. It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Re:This not about security, because it does not he by Anonymous Coward · Score: 0, Interesting

    It's not about you. It's about the person viewing your site. Yes it does need a certificate. Imagine someone coming to your site is in a country where your content is illegal because thoughtcrime?
    Or less extreme, imagine if someone were to MITM the traffic between your server and the client. They come to look at your stuff, but are instead served malware and since it's a man in the middle attack the customer and probably his/her AV believes it is your site doing the malware serving.

    Do the world a favor, get a certificate for your site, even if it's just the free one from Let's Encrypt. It's easy and it's free and the only excuse not to have one in today's day and age is that you are a shill for the various TLAs that would love to get malware onto computers of people who come looking for your kind of content. The only question at this point is whether or not you are a willing shill.

  3. Re:This not about security, because it does not he by AmiMoJo · Score: 4, Interesting

    Actually Firefox is the same. Mozilla have been pushing for this change too.

    And Google is somewhat ahead of the curve regarding CAs and security. They know the limitations, that's why Chrome now doesn't display information from enhanced certs. Google knows they are worthless and don't identify the owner of a site reliably, so they don't display them in a little green box next to the address bar any more.

    It's actually pissing off a lot of CAs. Now that Let's Encrypt offers basic certs for free, and there is no real difference between basic certs and enhanced certs, they don't have anything to sell.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC