Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com)
When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.
HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abides by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority. For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.
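The staged distrust described in the summary (first the certificates issued before June 2016 that chain to a legacy Symantec root, then every chain ending at one of those roots) can be checked for a given chain. The following is an added example, not code from the article or from Chrome; certificates are modelled as plain dicts with subject, issuer and not_before because parsing real X.509 needs a third-party library, and the certificate pool is constructed.

```python
"""Staged distrust of certificates that chain to the legacy Symantec roots.

Added example; not code from the article or from any browser. The pool of
certificates below is constructed, and the brand names are the ones the
article lists for the legacy Symantec root hierarchy.
"""
from datetime import date

# Brands the article names as legacy Symantec roots.
LEGACY_SYMANTEC_BRANDS = ("Symantec", "VeriSign", "Thawte", "GeoTrust", "Equifax", "RapidSSL")
# Leaf certificates issued before this date were the first to lose trust.
CUTOFF = date(2016, 6, 1)


def build_chain(leaf, pool):
    """Follow issuer -> subject links from the leaf up to a self-signed root."""
    by_subject = {c["subject"]: c for c in pool}
    chain, cur = [leaf], leaf
    while cur["issuer"] != cur["subject"]:
        nxt = by_subject.get(cur["issuer"])
        if nxt is None or nxt in chain:
            raise ValueError(f"no issuer found for {cur['subject']!r}")
        chain.append(nxt)
        cur = nxt
    return chain


def is_legacy_symantec_root(cert):
    subject = cert["subject"].lower()
    return any(brand.lower() in subject for brand in LEGACY_SYMANTEC_BRANDS)


def evaluate(leaf, pool, stage):
    """stage 1 (the first distrust step, Firefox 60 / Chrome 66): distrust leaves
    issued before CUTOFF that chain to a legacy root.
    stage 2 (Firefox 63 / Chrome 70): distrust every chain ending at a legacy root."""
    root = build_chain(leaf, pool)[-1]
    if not is_legacy_symantec_root(root):
        return "trusted"
    if stage == 1 and leaf["not_before"] >= CUTOFF:
        return "trusted"
    return "distrusted"


# Constructed pool: one legacy hierarchy and one unrelated root.
POOL = [
    {"subject": "VeriSign Example Root CA", "issuer": "VeriSign Example Root CA", "not_before": date(2006, 11, 8)},
    {"subject": "Symantec Example Server CA", "issuer": "VeriSign Example Root CA", "not_before": date(2013, 10, 31)},
    {"subject": "Other Example Root CA", "issuer": "Other Example Root CA", "not_before": date(2013, 8, 1)},
]
OLD_LEAF = {"subject": "www.example.com", "issuer": "Symantec Example Server CA", "not_before": date(2015, 9, 1)}
NEW_LEAF = {"subject": "www.example.com", "issuer": "Symantec Example Server CA", "not_before": date(2017, 3, 1)}
OTHER_LEAF = {"subject": "www.example.org", "issuer": "Other Example Root CA", "not_before": date(2018, 1, 1)}

if __name__ == "__main__":
    for label, leaf in (("old Symantec", OLD_LEAF), ("newer Symantec", NEW_LEAF), ("other CA", OTHER_LEAF)):
        print(f"{label}: stage1={evaluate(leaf, POOL, 1)} stage2={evaluate(leaf, POOL, 2)}")
```

The point the summary makes is visible in the second stage: a site that survived the June 2016 cutoff because its certificate was newer still breaks once the root itself is removed, which is why "replace the certificate with one from another CA" is the only fix.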
None of the still-accepted certificates are any better. The CA system is fundamentally broken and what Google does here is not doing anything for security. It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
... I'm going back to IE on my XP.
It little behooves the best of us to comment on the rest of us.
...not doing anything for security. It does create a false sense of security though (making things actually worse)...
A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http. Seriously... I wish I was joking. My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
FF FTW, but even they're getting wonky. Pale Moon??
No sig for you! Come back one year!
Google forcing "security" on people it has already stolen identities from.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt.
I agree for a public site. But it's not quite free for a private web server behind the firewall of a home LAN. Like other CAs that web browsers trust by default, Let's Encrypt requires a fully qualified domain name, not an IP address in 192.168/16 or a hostname within a reserved TLD like .internal, and many dynamic DNS providers aren't on the Public Suffix List and/or don't support TXT records. Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
Certificate issuance has become yet another excuse to indulge rent-seeking behaviors. Just burn it all down.
Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"
"National Security is the chief cause of national insecurity." - Celine's First Law
I sort of semi-agree. But...
Lest you forget, Symantec gave root authority to Blue Coat, a firm selling network sniffing software.
https://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
Which let Blue Coat fake certs for websites and browsers that did not authorize it. In effect Symantec authorized this man in the middle attack on their behalf.
This was after an incident where Symantec were caught issuing fake Google certificates, which they claimed was 'testing/accidentally released'.
This was after the Snowden reveal that some unnamed certificate authority had been issuing fake Google certs to NSA for intercepting Google's internal communications.
So, it DOES help security, but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
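The "remember what this site presented and scream if it changes" behaviour described in the comment is trust-on-first-use. The following is an added example, not the commenter's code or any browser's: the observations are constructed, the SPKI values are stand-in byte strings, and they are fingerprinted with SHA-256 the way HPKP pins are. A real client would take the SPKI and issuer from the TLS handshake.

```python
"""Trust-on-first-use tracking of a site's certificate key and issuing CA.

Added example, not code from the comment or from a browser. Observations
below are constructed; SPKI values are placeholder bytes.
"""
import base64
import hashlib
from datetime import date


def spki_fingerprint(spki_der: bytes) -> str:
    """Base64 SHA-256 of the SubjectPublicKeyInfo, the same value HPKP pins."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


class PinStore:
    """Remembers the key and issuer first seen for each host and reports changes."""

    def __init__(self):
        self._pins = {}  # host -> {"fp", "issuer", "first_seen"}

    def observe(self, host, issuer, spki_der, today):
        fp = spki_fingerprint(spki_der)
        prev = self._pins.get(host)
        if prev is None:
            self._pins[host] = {"fp": fp, "issuer": issuer, "first_seen": today}
            return "first_use", None
        if prev["fp"] == fp:
            return "unchanged", None
        days = (today - prev["first_seen"]).days
        kind = "renewed_same_ca" if prev["issuer"] == issuer else "new_ca"
        msg = (f"{host}: key changed after {days} days; "
               f"issuer {prev['issuer']!r} -> {issuer!r}")
        # The stored pin is deliberately not replaced here: the user decides via accept().
        return kind, msg

    def accept(self, host, issuer, spki_der, today):
        """User confirmed the new certificate; start tracking it from today."""
        self._pins[host] = {"fp": spki_fingerprint(spki_der), "issuer": issuer, "first_seen": today}

    def pinned_issuer(self, host):
        entry = self._pins.get(host)
        return entry["issuer"] if entry else None


# Constructed key material for one host over three years.
KEY_A = b"constructed-spki-key-A"
KEY_B = b"constructed-spki-key-B"
KEY_C = b"constructed-spki-key-C"


def walk_history():
    """Replay a constructed observation history and return the verdicts."""
    store = PinStore()
    verdicts = [
        store.observe("example.com", "CA One", KEY_A, date(2015, 10, 1))[0],  # first visit
        store.observe("example.com", "CA One", KEY_A, date(2016, 10, 1))[0],  # same key
        store.observe("example.com", "CA One", KEY_B, date(2017, 10, 1))[0],  # rotated key, same CA
    ]
    store.accept("example.com", "CA One", KEY_B, date(2017, 10, 1))
    kind, msg = store.observe("example.com", "CA Two", KEY_C, date(2018, 10, 1))  # new CA
    verdicts.append(kind)
    return verdicts, msg


if __name__ == "__main__":
    print(walk_history())
```

A same-CA key rotation is routine and a "new CA after years on the old one" is the case the comment wants surfaced loudly; the store distinguishes the two so the warning is not cried every renewal.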
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
I shivered when I read that. Why would you even want your router or NAS web config accessible from outside your LAN?
And if they don't they get what they deserve.
Squatty Potty
Not Squatty Potty!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Even if one cannot open a connection to the device from the Internet, the CA still has to be able to resolve the device's name through the Internet in order to issue a certificate. Otherwise, you're stuck using self-signed certificates, and some mobile and set-top devices reportedly don't let the user examine the fingerprint of a self-signed certificate that a device presents to ensure that it is the intended certificate.
Besides, there are plenty of legitimate reasons to access network-attached storage over the Internet. You might trust it more than Google Drive or Microsoft OneDrive, for instance, or the storage connected to your single-board server might be bigger than the 2 GB that Dropbox gives you.
What's so "rent-seeking" about, say, Let's Encrypt? It issues trusted domain-validated certificates without charge to just about anyone who owns a domain name.
Not just that but the whole "HTTPS equals security" is a fundamentally flawed concept because not only as you point out the CA system is a mess but there are so damned many sites where it makes ZERO sense to have it encrypted in the first place!
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2? Or the bazillion other websites that again only serve static .txt and .jpg images that haven't been updated in forever (and probably won't be) that were made before the whole HTTPS kick? The only excuse I've heard is "it keeps "teh gubmint" from listening in"...but they are in the backbone so I really don't see that making a diddly dick of difference and do I REALLY need to give a shit if some damn spook knows I like looking at ancient tech on some website made when Geocities was a thing?
Finally with the CAs seeming to get pwned at least a couple times a year I don't even know if this should count as security theater anymore, maybe security karaoke? As in "pretends to be security but is about as good as your average barmaid trying to sing Patsy Kline on karaoke night?". So unless this is a way for GOOG to slurp down more data than a drunk at a free mini-bar (which really wouldn't surprise me) I'm really not seeing a big selling point for any of this, hell especially not from GOOG who just got who knows how many users pwned with their GOOG+ fiasco...whats the upside of this whole mess again?
ACs don't waste your time replying, your posts are never seen by me.
Sounds EXACTLY like what we had in the early 00s with IE...and we all remember what a clusterfuck that turned out to be. Protip: Having only ONE corp control the way sites are rendered on the net? Is a BAD THING because if it's one thing we should all know by now is that ALL of these corps are run by sociopath douchenozzles that will happily tilt the scales to give themselves a bigger slice of the pie.
Maybe it's about time we start talking about slamming GOOG with an antitrust and hopefully break them up? Because APPL and MSFT don't seem to have enough of the pie to be a real threat but with GOOG? Starting to look a little scary, little too much like MSFT of the late 90s.
google isn't a net 'newbie' they're a net 'bully'. trying to force their way upon everybody.
1 site in every 878 not working with a browser doesn't seem like much. Have things actually gotten that stable?
I don't think slashdot has been up 1/100th of the last year. Wasn't there an outage of several days less than a year ago?
Even Amazon has had significant outages this year. Netflix was down some. No site seems above having an outage. And even if they are, there are still many times a year that my own internet goes out - certainly more often than my electricity goes out.
The internet is not a stable, always up environment and likely never will be. Electricity distribution is over a century old and not yet stable. Water distribution is older than that and still goes out.
Why do people insist on making a big deal out of an outage for a tiny few irresponsible sites?
People will just route around the problem by using a different browser. On an XP machine at work the 'Chrome' browser refuses to upgrade past a certain point and throws a warning banner on the top of the screen. So I installed SeaMonkey. I use the old version of 'Chrome' solely for the gmail account on that system. So any browsing I do there is not logged-onto a google account.
A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http.
Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about.
A company wants to make the internet safe for its own ads.
Find a better browser.
Domestic spying is now "Benign Information Gathering"
Re "Imagine someone coming to your site is in a country where your content is illegal because thoughtcrime?"
Such governments will have fully upgraded to tech that can track all their nations users browser uses.
A VPN would be of more help than a browser.
Let the rest of the world enjoy the internet and "that" country can have its users discover the better security of a great VPN.
Google's policies impose an opportunity cost for any CA issuing false certificates. CA's can still be abused, but that abuse turns a CA into a very expensive weapon which can only be used for a very limited time and then becomes useless. By showing that no CA is too big to fail they provide a valuable service. When abuse becomes more expensive, it's reduced ... capitalism works.
Now I'd rather they support DANE, but even what they are doing now does improve matters.
Apple owns almost half the mobile phone market in the US and probably over 3/4 of the ones owned by middle class and up consumers. They have just as much sway to force changes in CAs as Google, they are also distrusting Symantec BTW.
Let's hope that will help those people who bought hyper-expensive Verisign certs understand that for 1/10 of the price, they had a better working alternative.
Slashdot, fix the reply notifications... You won't get away with it...
Google changed the "don't be evil" line a while ago, it's now:
"Welcome to my underground lair."
There are two rules for success:
1. Never tell everything you know.
What ever happened to "don't be evil?"
They removed that line for legal reasons. They could have been attacked on this, even in the past, "being evil" is too vague and subject to interpretation.
I have a domainname. Why would I be forced to use https://toaster.example.com/ when I browse to my Linux toaster, when just typing 'toaster'?
It is in no way connected to the internet.
Or try the domain hackme.houghi.org and see how that is connected. Excluding local IP addresses should be standard.
Don't fight for your country, if your country does not fight for you.
For an internal network you typically control all the endpoints, so you can create and trust your own CA...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Even if the site is mundane and harmless, it can still be used to perform mitm attacks against the client.
On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.
If it's your internal network you can just create your own cert and add it to your local machine(s). That's how it's supposed to work.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Actually Firefox is the same. Mozilla have been pushing for this change too.
And Google is somewhat ahead of the curve regarding CAs and security. They know the limitations, that's why Chrome now doesn't display information from enhanced certs. Google knows they are worthless and don't identify the owner of a site reliably, so they don't display them in a little green box next to the address bar any more.
It's actually pissing off a lot of CAs. Now that Let's Encrypt offers basic certs for free, and there is no real difference between basic certs and enhanced certs, they don't have anything to sell.
Why can't banks have other financial institutions sign their certs? Why can't Google, Facebook, Apple et al, hold a key signing party? Why can't lawyers get their certs signed by their bar association? Why can't government websites have certs signed by their governments, which in turn might be signed by other governments?
It doesn't stop CAs from being signatories too if somebody pays $$$ for them to do it. But when ONLY CAs are allowed to sign certs, the security of sites is brittle and expensive. And often the signature is worthless other than it makes some scary box go away on the browser.
None of the still-accepted certificates are any better.
Citation Required. The system has a set of rules that are followed. The remainder of the still accepted certificates have been shown to be issued in good faith, which makes them better than those issued in bad faith.
The CA system is fundamentally broken and what Google does here is not doing anything for security.
By punishing people who don't live by the rules the system is self regulating. Google not doing anything would undermine / break the CA system which otherwise is working just fine.
It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.
I would call this horseshit, but to be honest that's an insult to horseshit.
My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
Err. no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.
That's bad op-sec. Any and all metadata that can be collected about you is dangerous, even if it seems trivial now. Everything should be encrypted by default, you should need a really really good reason to use plaintext.
Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware. Some ISPs have injected their own ads and tracking headers.
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
Why is this relevant in a discussion about a public site?
Why is this relevant when discussing a browser that still happily shows unencrypted communication?
Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about.
No one is sure about what the GP was talking about. To quote a really shit movie: "Amazing. Everything you just said was wrong."
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt
To you? No. Sounds like you're not in the position for being persecuted for a thought crime. I however would recommend against browsing innocent text in some countries, certainly not anarchists_cookbook_v1.0.txt.
And that's just it. It's not up to the content creator to determine if the viewer needs the expectation of privacy when viewing the content.
The browser belongs to the user. If he wants to see the site he should be able to do so regardless of what some google security "expert" thinks is appropriate. However the "I don't care if the cert is bad, just show me the damn site NOW!" option seems to be disappearing in browsers or if its still there you have to click through half a dozen patronising Are you sure? links first.
How EXACTLY is some spook knowing I like ancient arches "dangerous" to me? Cuz I really want to hear this, it ought to be some grade A logic hoop jumping. What are they gonna do, point at me and scream "NEERRRRDDD!"? OMG, the NSA knows I like old CPUs and bad 70s and 80s TV, why my life is ruined!...Oh wait everybody already knows that.
And as far as a MITM? I have my browser locked down with Ublock AND Privacy Badger, the DNS automatically blacklists malware addresses (thx Comodo DNS, you work great) and I can literally push one button and have it restored to a previous state, oh and now everything but my gaming box is running Zorin OS and the only thing the gaming box has is Steam so...yeah GLWT.
Meanwhile many of the old sites I go to haven't changed in 20 years, haven't gotten any malware in said 20 years, hell they don't even support the level of Javascript required to spread modern browser based junk so...yeah I smell security karaoke. Oh and 1 final note...considering GOOG got its start up funding in part from the NSA? Frankly I trust anything GOOG does about as far as I can throw their server farm, 5 will get you 10 there is some way in this that will let them increase their spying, because let's face it that is all they've really been up to the past few years, seeing how much data they can slurp and resell.
Uhhh just looked at the latest figures and Apple's share is...11.9%, in fact according to Motley Fool they have been losing share worldwide for more than 6 months. Their market cap is so good frankly because they sell last year's tech at next years prices which gives them a hell of a profit margin.
And honestly the USA is a teeny tiny slice of the worldwide pie, with countries like BRIC making the USA look like small potatoes and it's in those markets of tomorrow that GOOG is setting up a stranglehold that frankly MSFT of the 90s wishes it had. It's ironic too as they are using the same tactics MSFT did in the 90s with nasty contracts requiring the bundling of GAPPs and hiding more and more behind the Playwall thus making it harder and harder to have a functioning system without connecting it to GOOG.
So I'm not really worried about APPL, they like their profit margins too much to give up their high end niche status to go mainstream globally while GOOG is much more nefarious in that they don't want your money, YOU are the product they intend to sell. So...yeah maybe about time for a good old antitrust, although frankly we'd have better luck with the EU as the DoJ has been toothless in the USA for the better part of a decade now.
Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt
Yeah, and I'm sure you're happy to install their trojan on your machine and giving it write access to your cert store so it can keep replacing the cert because they're too stubborn to issue certificates that last a year!
== Jez ==
Do you miss Firefox? Try Pale Moon.
If you don't like the current system of certificate authorities and certificate transparency (which google championed), please tell me a better way for me to trust a site on the internet?
CAs are now audited and the auditing is getting much better. With certificate transparency I can check, near real time, every EV cert a CA issues. If they issue one in secret there is a high probability they will be caught.
Symantec should have been dropped a while ago, as they proved to be untrusted. They were just too big to drop immediately. (disclaimer. I worked for Entrust)
> > Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
> Except that nobody has come up with a better way
The better way is called "certificate pinning" and it works just the way the GP described. Your browser won't accept a Symantec certificate for Google.com because it knows Google gets its certificates from a different CA.
Certificate pinning is opt-in for web sites, sites can decide if they want their certificate pinned, because they may want to change CAs in the future.
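The opt-in pinning the comment refers to is HTTP Public-Key-Pins (RFC 7469): the site sends a header listing SHA-256 hashes of SubjectPublicKeyInfo values, and the browser later refuses chains in which none of the SPKIs match. The following is an added example, not the commenter's code or any browser's implementation; the SPKI values are constructed byte strings standing in for DER-encoded keys.

```python
"""Parsing a Public-Key-Pins header and validating a chain against its pins.

Added example; not code from the comment or from a browser. The key bytes
are constructed stand-ins for DER SubjectPublicKeyInfo structures.
"""
import base64
import hashlib


def pin_of(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str):
    """Return (pins, max_age, include_subdomains) from a Public-Key-Pins header value."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or not pins:
        raise ValueError("Public-Key-Pins needs max-age and at least one pin")
    return pins, max_age, include_sub


def chain_pins(chain_spkis):
    return {pin_of(spki) for spki in chain_spkis}


def may_note_pins(chain_spkis, pins) -> bool:
    """A browser only stores the pins if at least one matches the validated
    chain AND at least one does not (the mandatory backup pin), so a site
    cannot pin itself into a state it can never recover from."""
    seen = chain_pins(chain_spkis)
    return bool(seen & pins) and bool(pins - seen)


def chain_allowed(chain_spkis, pins) -> bool:
    """Pin validation on a later visit: some SPKI in the chain must match a stored pin."""
    return bool(chain_pins(chain_spkis) & pins)


# Constructed keys: the site's leaf, its CA's root, a held-back backup key,
# and the root of an unrelated CA (the "Symantec certificate for Google.com" case).
LEAF_KEY = b"constructed-spki-leaf"
CA_ONE_ROOT = b"constructed-spki-ca-one-root"
BACKUP_KEY = b"constructed-spki-backup"
CA_TWO_ROOT = b"constructed-spki-ca-two-root"

HEADER = (f'pin-sha256="{pin_of(CA_ONE_ROOT)}"; pin-sha256="{pin_of(BACKUP_KEY)}"; '
          f'max-age=5184000; includeSubDomains')
HEADER_NO_BACKUP = f'pin-sha256="{pin_of(CA_ONE_ROOT)}"; max-age=5184000'

CHAIN_CA_ONE = [LEAF_KEY, CA_ONE_ROOT]
CHAIN_CA_TWO = [b"constructed-spki-other-leaf", CA_TWO_ROOT]

if __name__ == "__main__":
    pins, max_age, sub = parse_pkp_header(HEADER)
    print("stored:", may_note_pins(CHAIN_CA_ONE, pins), "max-age:", max_age, "subdomains:", sub)
    print("chain from CA One allowed:", chain_allowed(CHAIN_CA_ONE, pins))
    print("chain from CA Two allowed:", chain_allowed(CHAIN_CA_TWO, pins))
```

Pinning the CA's root rather than the leaf is what lets the site renew its certificate without changing the header; the backup-pin rule is what makes a lost key survivable, which is also why the later comment about keeping a secured off-site copy of the key matters.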
Security Karaoke
Nice. Stolen.
Populus vult decipi, ergo decipiatur... (The people want to be deceived, so let them be deceived.)
"Force shits upon Reason's back." - Poor Richard's Almanac
How EXACTLY is some spook knowing I like ancient arches "dangerous" to me?
Because some people will base passwords around stuff like that, or it can be used to craft highly tailored phishing attacks.
Probably it will not matter but it costs nothing in practical terms to live like it does.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.
I think you meant to say "captive portal systems break HTTPS sites, along with every other non-HTTP protocol".
Anyway, there has been a standard workaround in place for this problem for a while now. Devices detect captive portals by querying a well-known URL over HTTP; if they get an unexpected response they prompt the user to sign in to the network.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
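The probe the comment describes is simple to implement: fetch a fixed URL over plain HTTP and compare the reply with the one the real server always sends; a redirect or a substituted login page means a portal is in the way. The following is an added example, not the commenter's code or any operating system's implementation. The probe responses are constructed byte strings, and the two expectation styles (a bare 204, which is the Android-style convention, or a 200 with a small fixed "Success" body, the Apple-style one) are parameters.

```python
"""Captive-portal detection from the raw HTTP reply to a well-known probe URL.

Added example; not code from the comment or from any OS. All responses below
are constructed.
"""


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response parser: (status, lowercased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("bad status line")
    status = int(parts[1])  # ValueError propagates for a non-numeric status
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def classify_probe(raw: bytes, expect_status=204, expect_body=b""):
    """Return ("open"|"captive"|"malformed", portal_url_or_None)."""
    try:
        status, headers, body = parse_http_response(raw)
    except ValueError:
        return "malformed", None
    if status == expect_status and body.strip() == expect_body.strip():
        return "open", None  # the genuine probe reply came through untouched
    if 300 <= status < 400 and "location" in headers:
        return "captive", headers["location"]  # network redirected us to its portal
    return "captive", None  # any other substitution, e.g. a 200 login page


# Constructed probe replies.
GENUINE_204 = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://10.0.0.1/login\r\nContent-Length: 0\r\n\r\n"
LOGIN_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Welcome, please sign in</html>"
APPLE_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
GENUINE_APPLE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + APPLE_BODY

if __name__ == "__main__":
    for label, raw in (("204 probe", GENUINE_204), ("redirect", REDIRECT), ("login page", LOGIN_PAGE)):
        print(label, "->", classify_probe(raw))
    print("apple probe ->", classify_probe(GENUINE_APPLE, expect_status=200, expect_body=APPLE_BODY))
```

Because the probe is deliberately sent over HTTP, the network can tamper with it, and that tampering is exactly the signal; the same tampering against an HTTPS site would only produce a certificate error, which is the breakage the earlier comment complained about.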
What is the US Military has not stayed within the bounds and scope of our national borders four years US military is out of control. We have no claim to influence on events in the rest of the world. Every Act of military force by the usa, outside our borders is an act of undue aggression upon territories which we do not and should not have any legitimate opinion or interference with. U. S. Military is a bully because when it comes time to back the fuck off cuz it's not US Territory they continually trespass and murder natives within their own countries
I have put a free (and worthless) "let's encrypt" cert on my page to get around this problem.
You think certificates prevent state-actor MITM in actual reality? They do not and have not for at least a decade.
The CA system was a somewhat reasonable idea with a horrible execution and utter naivety on side of its architects. It is broken and cannot be fixed.
Spot-on. They even try to "fix" TCP, apparently completely unaware that lots of really smart people have failed to do so before them. Not good. They are a Dunning-Kruger company by now.
Indeed. A https-connection is very much _not_ a VPN tunnel, even if naive people may think so.
You are lazy and uneducated. Find your own citations, the relevant research has been around for at least a decade.
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2?
You may not care if someone knows you're looking at that site, but you should care that you only receive .txt and .jpg of ancient CPUs. Without https, a man-in-the-middle can inject whatever they want into the data, and hijack your system. Not a good thing.
Basically, it's the same reason that Linux vendors use crypto on their packages. Except they just use signatures rather than encrypting the actual data--but nothing in the w3c standards supports just using signatures, so full encryption is the only available solution.
So, no. I don't care how old and static and simple your site is. You should be using https for the safety of your users.
(And no, it doesn't help Google collect data. It does, however, reduce the number of DDoSes and the amount of clickfraud they experience from pwned systems.)
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
I shivered when I read that. why would you even want your router or NAS web config accessible from outside your LAN?
For that matter, why the heck would you do HTTPS on internal LAN? Wasting CPU cycles on something that shouldn't even be accessible from the outside world at all. Hell, if you want HTTPS on your LAN addresses, just generate your own certs and install your own root cert on client machines.
And as far as a MITM? I have my browser locked down with Ublock AND Privacy Badger, the DNS automatically blacklists malware addresses
First of all, none of that helps with a MITM attack which modifies the data coming to your system. It may help if the only thing injected is a url where the malware is located, but it doesn't help one bit if the malware is injected directly. The whole point of a MITM attack is that the data seems to be coming from the main host you're connected to.
Second, even if those were effective protection, they're only used by a tiny percentage of the population, and that's unlikely to change anytime soon. So the fact that your system wouldn't become part of a hostile botnet (if your protections were effective, which, again, they're not) doesn't mean that hostile botnets would become less common.
Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"
You say this as if Google de-trusting this CA in October is a Google choice.
FireFox limited trust for this CA back in May already, and will be revoking it in October as well.
May 2018 (Firefox 60): Websites will show an untrusted connection error if they have a TLS cert issued before 2016-06-01 that chains up to a Symantec root.
October 2018 (Firefox 63): Removal/distrust of Symantec roots, with caveats described below.
Only Microsoft hasn't announced intent to do so for IE/Edge, in violation of the certificate authority standards I might add.
There are clear rules CAs must follow and they are not ignorant of this.
Symantec knew full well they would have all of their CA certs revoked from all web browsers the second they sold wildcard certificates for traffic interception systems.
This is no ones doing other than Symantec.
For that matter, why the heck would you do HTTPS on internal LAN?
Because a growing number of JavaScript APIs specify that they are available on HTTPS origins and http://localhost/ only, and nowhere else. One such API that is both limited to secure contexts and relevant to streaming a video from a home NAS is the Presentation API.
Hell, if you want HTTPS on your LAN addresses, just generate your own certs and install your own root cert on client machines.
Not all client machines make it practical to install a private root certificate, particularly mobile devices or set-top devices. Nor is it advisable to install a private root certificate on devices belonging to visiting friends and relatives if they want to watch a video that's on your NAS.
For an internal network you typically control all the endpoints, so you can create and trust your own CA...
Say you invite a friend or relative into your house and then invite him or her onto your guest network to view a video on your NAS. Is it typical in that case to install your root certificate on his or her machine? Because if so, that would let you MITM his or her traffic later on.
Please see my reply to Bert64, who suggested the same thing.
Except that certificate pinning is being deprecated in Chrome:
Certification Authority Authorization (CAA) seems to be the replacement for preventing misissuance.
It's all political at this point. How many times did COMODO screw up and they are still Trusted. Let's not talk about LetsEncrypt which passes out DV validated certs and does not even check there is some kind of payment method tied to them. Stupid
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Or try the domain hackme.houghi.org and see how that is connected. Excluding local IP addresses should be standard.
Exactly this. More specifically, IANA defines 3 private subnets for internal use:
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms. Would that really be so hard??? IE doesn't even tell you when they've decided to block a page due to a TLS issue - you just get a generic "Page can't be displayed" error. Good luck figuring out why. A recent update started blocking some Internal sites, so on a guess I decided to upgrade the SSL cert (it was valid, but still using the old SHA1). That fixed it, but IE would not tell me why.
This crap has to end. Yea, maybe I want in-motion encryption for my internal network, just to make sure there are no plain-text credentials exposed on the wire. That's cheap and easy with self-signed or internal CA techniques. AP5.floor2.local isn't on the Internet, that IP isn't publicly routable, and that wiring closet is still locked. WTF are you questioning my certificate?
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
Err. no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.
It's probably viewable. But Chrome puts this scary "Not secure" banner at the top of the page, prompting visitors who don't know what's going on to leave right away.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Thanks for the reminder. I had seen that before but forgot.
You are correct, it is slated for removal after it is replaced with Certification Authority Authorization and Expect Certificate Transparency. High risk sites such as banks can implement both pinning and Expect-CT, along with HSTS, to be protected both now and in the future.
Before implementing pinning, one should consider the potential problems that can occur if you lose your key and make darn sure there is a secured off-site backup of the key.
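As an added illustration of the header combination recommended above (not code from the thread or from any browser vendor), here is a small checker that parses the HSTS, Expect-CT and HPKP response headers and flags weak settings, including the missing backup pin that turns a lost key into a lock-out. The header values, the bank.example name and the 180-day minimum age are constructed for the example.

```python
import re

# Constructed response headers for a hypothetical bank site: one set that
# follows the advice above, one set with the weaknesses a reviewer would flag.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://bank.example/ct-report"',
    # <primary-pin>/<backup-pin> are placeholders for base64 SPKI hashes
    "Public-Key-Pins": 'pin-sha256="<primary-pin>"; pin-sha256="<backup-pin>"; max-age=5184000',
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Expect-CT": "max-age=86400",  # report-only: no 'enforce' directive
    "Public-Key-Pins": 'pin-sha256="<only-one-pin>"; max-age=5184000',
}


def parse_directives(value: str) -> dict:
    """Split a directive list (HSTS/HPKP use ';', Expect-CT uses ',') into a
    dict of lowercased key -> list of values; repeated keys such as
    pin-sha256 are collected rather than overwritten."""
    out = {}
    for part in re.split(r"[;,]", value):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        out.setdefault(key.strip().lower(), []).append(val.strip().strip('"'))
    return out


def check_headers(headers: dict, min_age: int = 15552000) -> list:
    """Return a list of findings; an empty list means all three policies
    are enforced. min_age (180 days here) is an assumed local threshold."""
    findings = []
    hsts = parse_directives(headers.get("Strict-Transport-Security", ""))
    age = int(hsts.get("max-age", ["0"])[0])
    if age < min_age:
        findings.append(f"HSTS max-age {age} is below {min_age}")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    ect = parse_directives(headers.get("Expect-CT", ""))
    if "enforce" not in ect:
        findings.append("Expect-CT is report-only (no 'enforce')")
    if int(ect.get("max-age", ["0"])[0]) <= 0:
        findings.append("Expect-CT max-age missing or zero")
    pins = parse_directives(headers.get("Public-Key-Pins", "")).get("pin-sha256", [])
    if pins and len(pins) < 2:
        # RFC 7469 requires a backup pin; with one pin, losing that key
        # locks returning visitors out for the whole max-age window.
        findings.append("HPKP has a single pin: no backup pin, lock-out risk")
    return findings
```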
Some ISPs have injected their own ads and tracking headers.
Ding ding! That's the real reason Google is promoting this crappy https everywhere propaganda. To get rid of any and all competition.
Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware.
TLS is NOT going to stop that. Google's blacklist is what stops that. And, sites serving malware can be detected MORE QUICKLY if they are not encrypted.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms.
Cool, so when I'm at a coffee shop, and someone hijacks the DNS and redirects my bank's site to 192.168.0.3, doing a MITM with a self-signed cert, that should be accepted by the browser? It's OK because it's a private subnet!
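To make the objection above concrete, here is an added example (not code from the thread or from any browser) that models the proposed "skip strict TLS checks for RFC 1918 addresses" rule beside the identity check browsers actually perform. The bank hostname, the IP addresses and the certificate SAN lists are constructed; the attacker's self-signed certificate has no trusted chain and no SAN for the bank.

```python
import ipaddress

# The three private subnets mentioned earlier in the thread (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: the same hostname resolved by an honest resolver
# and by a hijacked coffee-shop resolver that points it at a LAN box.
BANK_HOST = "online.bank.example"
LEGIT_IP = "198.51.100.10"      # documentation range, stands in for the bank
HIJACKED_IP = "192.168.0.3"     # attacker's box on the private subnet
BANK_SANS = ["online.bank.example", "www.bank.example"]   # bank's real cert
ATTACKER_SANS = ["nas.local"]                             # self-signed cert


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def hostname_matches(sans, hostname: str) -> bool:
    """RFC 6125-style name check: exact match, or a '*.' wildcard that
    covers exactly one leftmost label (never the bare parent domain)."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                      # ".bank.example"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def browser_policy(hostname, ip, sans, chain_trusted) -> str:
    """What browsers do: the IP is irrelevant, the cert must prove identity."""
    ok = chain_trusted and hostname_matches(sans, hostname)
    return "ACCEPT" if ok else "BLOCK"


def private_exemption_policy(hostname, ip, sans, chain_trusted) -> str:
    """The rule argued for in the thread: private destination -> no checks."""
    if is_rfc1918(ip):
        return "ACCEPT"
    return browser_policy(hostname, ip, sans, chain_trusted)


def coffee_shop_scenario() -> dict:
    """Bank hostname hijacked to 192.168.0.3 serving a self-signed cert."""
    args = (BANK_HOST, HIJACKED_IP, ATTACKER_SANS, False)
    return {"browser": browser_policy(*args),
            "private_exemption": private_exemption_policy(*args)}
```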
Google had fucked me over a few times in the last 18 months I've had enough
Apple owns almost half the mobile phone market in the US
Uhhh just looked at the latest figures and Apple's share is...11.9%
40% of shipments in 2018 Q2
53.7% based on browser data (?)
That's great, but none of that will stop a MITM attack.
You are not alone. This is not normal. None of this is normal.
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms.
Cool, so when I'm at a coffee shop, and someone hijacks the DNS and redirects my bank's site to 192.168.0.3, doing a MITM with a self-signed cert, that should be accepted by the browser? It's OK because it's a private subnet!
If you think these browser "features" can protect your data from capture when you're on a public wifi connection, I've got some bad news for you...
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Yes, it is. SSL is as much about authenticating a site as it is about preventing the conversation from being listened to. That's why you get warnings for invalid certificates - the entire point of the warning is that the browser can no longer be confident that there isn't a MITM. It's also why Google is deprecating this CA, because Google can not be confident there's no MITM for certificates the CA in question has signed.
The only ways to perform a MITM trick with an SSL site are:
1. Steal the target website's certificate.
2. Somehow hack the victim's computer and install a fake CA on it.
3. Use a dubious CA to sign a fake cert.
And this article is an example of web browser makers preventing (3) from happening.
You are not alone. This is not normal. None of this is normal.
Or, just use one of many numerous exploits to install malware on the real site. It's a lot easier. It's not going to prevent you from getting malware. Sure, it may stop one of these specific MITM attacks, but they aren't really very common anyway, are they?
The really easy way is to set up a real site with a real cert and start advertising on Instagram. You can push out a lot of malware that way.
This is just security karaoke (yea, I stole it).
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
TLS itself as well as browser enforcement are designed to protect against the same kind of threats on your home network as on public WiFi. It's assumed that the network link can be monitored and modified at will, so there shouldn't be a difference.
My point is weakening those restrictions for "private" subnets will have much greater consequences than just your home network, and doing that because a power user can't or won't use a FQDN to access an internal network resource will have a much larger impact on regular users elsewhere.
TLS itself as well as browser enforcement are designed to protect against the same kind of threats on your home network as on public WiFi. It's assumed that the network link can be monitored and modified at will, so there shouldn't be a difference. My point is weakening those restrictions for "private" subnets will have much greater consequences than just your home network, and doing that because a power user can't or won't use a FQDN to access an internal network resource will have a much larger impact on regular users elsewhere.
That should be my call, not some faceless corporation's focused on its bottom line.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Stupid indeed. And from a security point-of-view, almost worthless.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Can't say I disagree.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I thought the network security config in the Google Chrome and Mozilla Firefox APKs was set to opt in to user certificates.
Why is this relevant in a discussion about a public site?
It is intended as a reminder that not all sites are public, and not all parties involved in this policy change have adequately addressed the effect of this policy change on private sites.
Why is this relevant when discussing a browser that still happily shows unencrypted communication?
A browser doesn't "happily show[] unencrypted communication" if it involves a JavaScript API that is reserved for secure contexts.
I did several searches on Google and couldn't find anything.
What are good terms to use?
As for a real answer, the burden of proof lies on the accuser, not just, "I'm right, you prove it."
That wouldn't go too well in a court.
You're the one who seems lazy.
Ad hominem attacks don't help, I only used the lazy word because you did.
P.S. I wasn't reading the comments too carefully and may agree with you, I just noticed your way of saying it.
It's actually possible I was wrong but even if I am your comment still seems off.
Why don't you guys have friends or journals?
Don't use that Javascript API then. Seriously 99.99% of users will be completely affected by this. The use of secure_contexts is basically non-existent.
This will mostly affect developers. You know, the kinds of people who are capable of setting up a CA to self sign certs and adding the root certificate of their dev machine to their browser anyway.
But Chrome puts this scary "Not secure" banner at the top of the page. Prompting visitors to leave right away that don't know what's going on.
Oooooooh scary, some text in a banner advert. ... But are you providing a secure service?
I will straight up say bullshit. Users haven't been scared by "Not Secure" text ever. It's been an uphill battle to prevent people from simply handing over their CC information in such pages.
You are lazy and uneducated. Find your own citations
Educate me. I want to learn, but if you're going to make extraordinary claims then you best be able to back them up.
There's plenty of evidence that has been around for a decade, and that is evidence that shows misbehaviour of the CA process is appropriately punished and frequently able to sink entire certificate authorities. The system is working as designed.
Don't use that Javascript API then.
If you treat secure context gated APIs as if they do not exist, then your NAS's HTTP interface won't be able to use the Presentation API, which allows streaming videos stored on the NAS to second screen devices such as a Chromecast. Nor will your NAS be able to include an app that allows offline editing with sync once you return home, as Service Workers are for secure contexts only. There are even hints that the Fullscreen API itself will be made for secure contexts only in order to plug a phishing vulnerability.
You know, the kinds of people who are capable of setting up a CA to self sign certs and add their root certificate of their dev machine to their browser anyway.
A manufacturer of a network appliance containing a web server, such as a router or NAS, would need to automate the provision of a domain name and certificate to each person who buys such an appliance. A developer who makes a web application available for download and installation on a user-owned single-board computer, such as a Raspberry Pi, would need to automate the provision of a domain name and certificate to each person who installs said web application.
This is not an extraordinary claim at all.
Trying google(Certificate system broken), for example, gives you lots of hits.
Here you can see a reputed expert not even commenting on why the system is broken, because everybody knows it:
https://www.schneier.com/blog/...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I did several searches on Google and couldn't find anything.
Try "certificate system broken", maybe? Your Google-Fu seems very weak....
As for a real answer, the burden of proof lies on the accuser, not just, "I'm right, you prove it."
That wouldn't go too well in a court.
You are badly wrong. This is not an "accusation", it is a statement of fact and the fact is well established. You would not require a proof or reference that water is wet, would you? As to court: That is a collection of non-experts. What they do is pull in an expert (or several) and then believe what they say.
Here is a reputed expert that does not even think he needs any explanation when stating the fact (and he is right):
https://www.schneier.com/blog/...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You are arrogant, lazy and uneducated and, on top of that, out of contact with reality. The CA system is broken. It does not give you any assurances anymore because it is utterly compromised.
Incidentally, I learned how the CA system works around 30 years ago and at that time, there was some expectation that it could actually work. These have proven to be overly optimistic as greed, stupidity and arrogance have made it very simple to get compromised certificates (even EV ones). You can even buy them as a service: https://www.deepdotweb.com/201...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That's probably worldwide market share, where Pinky's Brain (#57449228) was talking about US market share, as I quoted.
One group of asshole corporate-feudalists are saying another group of asshole corporate-feudalists aren't trustworthy? Well, did it ever occur to folks that the whole system SSL established is based on one group of bean counting weasels telling other weasels about "trust". Mother fucking corporations shouldn't be even allowed to utter or write the word "trust". There is nobody I trust less, and their mewling about "Hey, they aren't trustworthy!" means four fifths of five-eighths of fuck all to me. The whole system of trust in SSL is fucking BROKEN. I don't trust any CA to do proper due diligence. They are all cheap and don't do a good job (as someone who has done an awful lot of CSRs). They don't even do an adequate job. Crowd sourcing trust from someone other than a corporate jackbooted firm like Verisign/Symantec would be welcome.
then your NAS's HTTP interface won't be able to use the Presentation API, which allows streaming videos stored on the NAS to second screen devices such as a Chromecast
Good. Users need to be protected from themselves. Seriously, you need a web based javascript API to stream content? Who the hell designed your NAS.
Nor will your NAS be able to include an app
Apps? Since when does Chrome's implementation of the API matter for apps? Or do I need to question who designed the damn app too?
A manufacturer of a network appliance containing a web server...
Should have no problems working around the manufactured examples you gave. I think you'll find most fully functional and capable devices pre-date all your fancy Javascript APIs. If anything it may resolve this stupid obsession with "have API, must write code" that seems to infect so much software these days.
Thanks for pointing out that example.
It's two sentences long but it shows a lot. It shows that experts don't comment on things or backup their claims, while appealing to authority (a logical fallacy).
It also shows how experts can be very wrong citing a case of a "broken" system where a CA did something shady and instantly had their trust certificate revoked.
i.e. System worked as intended. CAs punished, users are secure.
Can you provide examples for your side of the argument too, or are you only going to provide good examples for my side? Quite frankly you're helping me a lot here. If you don't realise this then maybe you should watch who you call uneducated.
However I don't think you're this stupid. You're just trolling.
Seriously, you need a web based javascript API to stream content? Who the hell designed your NAS.
When a web browser's video controls are inadequate, then yes, you need a player script to present controls that let the user send a video into the full screen or onto a second screen.
Apps? Since when does Chrome's implmementation of the API matter for apps?
I didn't mean "app" as in native application; I meant "app" as in web application. Chrome's implementation of an API designed for web applications obviously matters to developers of web applications.
Feel free as I believe in free as in freedom so all my comments? Are licensed under BSD so do as you will and HAND!
ACs don't waste your time replying, your posts are never seen by me.
Yay! We should make "Security Karaoke" the new definition of beyond useless "security" beyond security theater, after all you CAN have good theater....ever seen good karaoke in a bar on any given night? I know it makes me think of some drunken barmaid trying to sing Crazy by Patsy Cline and butchering that high note so bad it sounds like a kitten in a blender!
So forget Security Theater, when security ideas get THIS stupid? There really is only one description...Security Karaoke!
ACs don't waste your time replying, your posts are never seen by me.