Slashdot Mirror


Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com)

When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.

HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abides by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority.
For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.

21 of 177 comments

  1. This not about security, because it does not help by gweihir · · Score: 4, Interesting

    None of the still-accepted certificates are any better. The CA system is fundamentally broken and what Google does here is not doing anything for security. It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Piss on it ... by CaptainDork · · Score: 3, Funny

    ... I'm going back to IE on my XP.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Piss on it ... by Cmdln Daco · · Score: 2

      You can run current SeaMonkey on XP.

  3. Re:This not about security, because it does not he by thoughtlover · · Score: 4, Insightful

    ...not doing anything for security. It does create a false sense of security though (making things actually worse)...

    A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http. Seriously... I wish I was joking. My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.

    FF FTW, but even they're getting wonky. Pale Moon??

    --
    No sig for you! Come back one year!
  4. Re:This not about security, because it does not he by tepples · · Score: 5, Insightful

    Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt.

    I agree for a public site. But it's not quite free for a private web server behind the firewall of a home LAN. Like other CAs that web browsers trust by default, Let's Encrypt requires a fully qualified domain name, not an IP address in 192.168/16 or a hostname within a reserved TLD like .internal, and many dynamic DNS providers aren't on the Public Suffix List and/or don't support TXT records. Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?

  5. Re:This not about security, because it does not he by msauve · · Score: 3, Insightful

    Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  6. It eliminates Blue Coat by Anonymous Coward · · Score: 5, Insightful

    I sort of semi-agree. But...

    Lest you forget, Symantec gave root authority to Blue Coat, a firm selling network sniffing software.

    https://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/

    Which let Blue Coat fake certs for websites and browsers that did not authorize it. In effect Symantec authorized this man in the middle attack on their behalf.

    This was after an incident where Symantec were caught issuing fake Google certificates, which they claimed was 'testing/accidentally released'.

    This was after the Snowden reveal that some unnamed certificate authority had been issuing fake Google certs to NSA for intercepting Google's internal communications.

    So, it DOES help security, but yeah, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed: "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
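
The tracking the comment above asks for, written out as an added example (editor's code, not anything a browser ships): a trust-on-first-use store that remembers the certificate each host last presented, treats a same-issuer replacement of a nearly expired certificate as a routine renewal, and refuses to silently accept a change of issuer. Observations are plain records here; in practice you would fill them from the leaf certificate of a TLS handshake (subject, issuer, SHA-256 fingerprint, validity dates). The hosts, fingerprints, issuers and the 30-day renewal window are constructed assumptions.

```python
"""Trust-on-first-use certificate tracker (added example, not browser code).
Hosts, fingerprints, issuers and the renewal window below are constructed."""
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta

FIRST_SEEN = "first-seen"        # nothing to compare against yet
UNCHANGED = "unchanged"          # same certificate as before
RENEWED = "renewed"              # same issuer, previous cert was about to expire
EARLY_REISSUE = "early-reissue"  # same issuer, previous cert had plenty of life left
ISSUER_CHANGED = "ALERT: issuer changed"

RENEWAL_WINDOW = timedelta(days=30)  # assumption: renewals this close to expiry are routine


@dataclass(frozen=True)
class Observed:
    host: str
    fingerprint: str  # hex SHA-256 of the DER-encoded leaf
    issuer: str
    not_before: str   # ISO dates keep the store JSON-serialisable
    not_after: str


class PinStore:
    """Per-host record of the last accepted certificate."""

    def __init__(self, path=None):
        self.path = path      # None keeps the store in memory only
        self.records = {}

    def load(self):
        with open(self.path) as fh:
            self.records = json.load(fh)

    def save(self):
        if self.path:
            with open(self.path, "w") as fh:
                json.dump(self.records, fh, indent=2, sort_keys=True)

    def accept(self, obs: Observed):
        """Record obs as the trusted cert for its host; also the manual override
        after an alert, once someone has checked what is going on."""
        self.records[obs.host] = asdict(obs)
        self.save()

    def check(self, obs: Observed, today: date):
        """Classify obs against the stored cert.  Only non-alert outcomes update
        the store; an issuer change is left for a human to accept or reject."""
        prev = self.records.get(obs.host)
        if prev is None:
            self.accept(obs)
            return FIRST_SEEN, "no previous certificate for this host"
        if prev["fingerprint"] == obs.fingerprint:
            return UNCHANGED, "fingerprint matches the stored certificate"
        remaining = date.fromisoformat(prev["not_after"]) - today
        if prev["issuer"] == obs.issuer:
            if remaining <= RENEWAL_WINDOW:
                self.accept(obs)
                return RENEWED, f"same issuer, old cert had {max(remaining.days, 0)} days left"
            return EARLY_REISSUE, (f"same issuer but old cert had {remaining.days} days left; "
                                   "verify before accepting")
        return ISSUER_CHANGED, (f"{obs.host}: issuer changed from {prev['issuer']!r} to "
                                f"{obs.issuer!r} with {remaining.days} days left on the old cert")


# Constructed sequence of handshakes against one host.
TODAY = date(2018, 10, 1)
FIRST = Observed("mail.example.net", "aa" * 32, "Example Intermediate CA G1", "2016-05-01", "2018-10-20")
RENEWAL = Observed("mail.example.net", "bb" * 32, "Example Intermediate CA G1", "2018-09-28", "2020-09-28")
SWAPPED = Observed("mail.example.net", "cc" * 32, "Some Other CA", "2018-10-01", "2020-10-01")


def run_demo():
    """Verdicts for: first contact, repeat visit, routine renewal, new issuer."""
    store = PinStore()
    return [store.check(obs, TODAY)[0] for obs in (FIRST, FIRST, RENEWAL, SWAPPED)]


if __name__ == "__main__":
    store = PinStore()
    for obs in (FIRST, FIRST, RENEWAL, SWAPPED):
        verdict, detail = store.check(obs, TODAY)
        print(f"{verdict:<22} {detail}")
```

The caveat a practitioner will hit immediately: large sites serve several valid certificates at once (different CDN edges, staggered key rotation), so a store keyed on a single fingerprint per host raises alarms on perfectly legitimate traffic; keying on issuer plus a renewal window, as above, is the minimum needed to keep the alert meaningful.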

  7. Name != connecting; using NAS over Internet by tepples · · Score: 2

    Even if one cannot open a connection to the device from the Internet, the CA still has to be able to resolve the device's name through the Internet in order to issue a certificate. Otherwise, you're stuck using self-signed certificates, and some mobile and set-top devices reportedly don't let the user examine the fingerprint of a self-signed certificate that a device presents to ensure that it is the intended certificate.

    Besides, there are plenty of legitimate reasons to access network-attached storage over the Internet. You might trust it more than Google Drive or Microsoft OneDrive, for instance, or the storage connected to your single-board server might be bigger than the 2 GB that Dropbox gives you.
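
The two constraints comments 4 and 7 describe, written out as an added example (editor's code, not Let's Encrypt's): first, whether a name is one a public CA can validate at all (a fully qualified public DNS name, not an IP literal such as something in 192.168/16 and not a name under a reserved suffix), and second, the `_acme-challenge` TXT value the CA looks up in DNS-01 validation, which is the record a dynamic DNS provider without TXT support cannot publish. The key-authorization and thumbprint construction follows RFC 8555 section 8 and RFC 7638; the account key, token and the reserved-suffix list are placeholders and assumptions for this example.

```python
"""Public-CA eligibility check and ACME DNS-01 TXT value (added example).
Account key and token below are placeholders, not a real ACME account."""
import base64
import hashlib
import ipaddress
import json

# Assumption for this example: suffixes a public CA will not validate, i.e. the
# reserved names from RFC 2606 and RFC 6762 plus .internal from the comment.
RESERVED_SUFFIXES = (".internal", ".local", ".localhost", ".test", ".example", ".invalid")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def public_ca_can_validate(name: str):
    """Return (ok, reason) for a candidate certificate name."""
    name = name.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        kind = "non-routable" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "public"
        return False, f"{ip} is a {kind} IP address, not a domain name"
    if "." not in name:
        return False, f"{name!r} is a single label, not a fully qualified name"
    for suffix in RESERVED_SUFFIXES:
        if name.endswith(suffix):
            return False, f"{name!r} is under the reserved suffix {suffix!r}"
    return True, f"{name!r} is a public DNS name; the CA must still be able to resolve it"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    with keys in lexicographic order and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> str:
    """The zone line the DNS provider has to accept for DNS-01 to succeed."""
    return f'_acme-challenge.{domain}. IN TXT "{dns01_txt_value(token, account_jwk)}"'


# Placeholder account key and challenge token (not a real account).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # not part of the thumbprint input, as RFC 7638 requires
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    for candidate in ("192.168.1.1", "router.internal", "nas", "nas.example.org"):
        print(f"{candidate:<16} -> {public_ca_can_validate(candidate)}")
    print(dns01_record("nas.example.org", TOKEN, ACCOUNT_JWK))
```

The eligibility check is the reason a householder ends up needing a real domain: every rejected input above is exactly what a router, printer or NAS answers to on a home LAN. The HTTP-01 alternative needs the CA to reach port 80 on the name, which is worse for a device behind NAT, so DNS-01 (and therefore TXT support at the DNS provider) is the path that works for hosts the Internet cannot connect to.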

  8. How does Let's Encrypt rent-seek by tepples · · Score: 2

    What's so "rent-seeking" about, say, Let's Encrypt? It issues trusted domain-validated certificates without charge to just about anyone who owns a domain name.

  9. Re:This not about security, because it does not he by hairyfeet · · Score: 4, Insightful

    Not just that but the whole "HTTPS equals security" is a fundamentally flawed concept because not only as you point out the CA system is a mess but there are so damned many sites where it makes ZERO sense to have it encrypted in the first place!

    I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPU designs like 8088 and AMD K2? Or the bazillion other websites that again only serve static .txt and .jpg images that haven't been updated in forever (and probably won't be) that were made before the whole HTTPS kick? The only excuse I've heard is "it keeps "teh gubmint" from listening in"...but they are in the backbone so I really don't see that making a diddly dick of difference and do I REALLY need to give a shit if some damn spook knows I like looking at ancient tech on some website made when Geocities was a thing?

    Finally with the CAs seeming to get pwned at least a couple times a year I don't even know if this should count as security theater anymore, maybe security karaoke? As in "pretends to be security but is about as good as your average barmaid trying to sing Patsy Cline on karaoke night?". So unless this is a way for GOOG to slurp down more data than a drunk at a free mini-bar (which really wouldn't surprise me) I'm really not seeing a big selling point for any of this, hell especially not from GOOG who just got who knows how many users pwned with their GOOG+ fiasco...what's the upside of this whole mess again?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  10. Re:This not about security, because it does not he by Anonymous Coward · · Score: 5, Insightful

    Google isn't a net 'newbie', they're a net 'bully', trying to force their way upon everybody.

  11. Re:This not about security, because it does not he by The MAZZTer · · Score: 4, Insightful

    A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http.

    Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about.

  12. Re:This not about security, because it does not he by AHuxley · · Score: 2

    Re "Imagine someone coming to your site is in a country where your content is illegal because thoughtcrime?"
    Such governments will have fully upgraded to tech that can track all their nation's users' browser use.
    A VPN would be of more help than a browser.
    Let the rest of the world enjoy the internet and "that" country can have its users discover the better security of a great VPN.

    --
    Domestic spying is now "Benign Information Gathering"
  13. Re:This not about security, because it does not he by Pinky's Brain · · Score: 3, Insightful

    Google's policies impose an opportunity cost for any CA issuing false certificates. CAs can still be abused, but that abuse turns a CA into a very expensive weapon which can only be used for a very limited time and then becomes useless. By showing that no CA is too big to fail they provide a valuable service. When abuse becomes more expensive, it's reduced ... capitalism works.

    Now I'd rather they support DANE, but even what they are doing now does improve matters.

  14. Don't be evil was changed by bursch-X · · Score: 5, Funny

    Google changed the "don't be evil" line a while ago, it's now:

    "Welcome to my underground lair."

    --
    There are two rules for success:
    1. Never tell everything you know.
  15. Re:Lesson by hcs_$reboot · · Score: 2

    January + February + March == 90 days ; with a 75% probability.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  16. Re:This not about security, because it does not he by AmiMoJo · · Score: 4, Interesting

    Actually Firefox is the same. Mozilla have been pushing for this change too.

    And Google is somewhat ahead of the curve regarding CAs and security. They know the limitations, that's why Chrome now doesn't display information from enhanced certs. Google knows they are worthless and don't identify the owner of a site reliably, so they don't display them in a little green box next to the address bar any more.

    It's actually pissing off a lot of CAs. Now that Let's Encrypt offers basic certs for free, and there is no real difference between basic certs and enhanced certs, they don't have anything to sell.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. CAs are a protection racket by DrXym · · Score: 2
    At the end of the day I would trust a site more if I recognised who bestowed trust onto it.

    Why can't banks have other financial institutions sign their certs? Why can't Google, Facebook, Apple et al, hold a key signing party? Why can't lawyers get their certs signed by their bar association? Why can't government websites have certs signed by their governments, which in turn might be signed by other governments?

    It doesn't stop CAs from being signatories too if somebody pays $$$ for them to do it. But when ONLY CAs are allowed to sign certs, the security of sites is brittle and expensive. And often the signature is worthless other than it makes some scary box go away on the browser.

  18. Re:This not about security, because it does not he by thegarbz · · Score: 4, Informative

    My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.

    Err. no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.

  19. Re: 1 in 878 sites = many? by edris90 · · Score: 2

    Because it's the tiny obscure sites these days that tend to hold unique or useful information. Ever since the internet went mainstream you've had to dig deeper and deeper to get uncensored data; that doesn't wrongfully imply that there isn't a way to do what you're trying to do. Civil disobedience is the last recourse against malignant rules and order. It is important that the people have free access to information so that they may make a law irrelevant; it is the last defense of freedom, the ability to disobey at will. If we lose that then we lose any chance at a life worth living.

  20. Re:This not about security, because it does not he by dissy · · Score: 2

    Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"

    You say this as if Google de-trusting this CA in October is a Google choice.

    Firefox limited trust for this CA back in May already, and will be revoking it in October as well.

    May 2018 (Firefox 60): Websites will show an untrusted connection error if they have a TLS cert issued before 2016-06-01 that chains up to a Symantec root.
    October 2018 (Firefox 63): Removal/distrust of Symantec roots, with caveats described below.

    Only Microsoft hasn't announced intent to do so for IE/Edge, in violation of the certificate authority standards I might add.

    There are clear rules CAs must follow and they are not ignorant of this.
    Symantec knew full well they would have all of their CA certs revoked from all web browsers the second they sold wildcard certificates for traffic interception systems.

    This is no one's doing other than Symantec.
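
To check whether one of your own sites is on the list, here is an added example (editor's code, not Mozilla's or Chrome's) that applies the two-phase schedule quoted in the comment above to a served certificate chain: a leaf issued before 2016-06-01 that chains up to a legacy Symantec root was already rejected by Firefox 60 / Chrome 66, and from Firefox 63 / Chrome 70 anything chaining to those roots is rejected. Browsers identify roots by certificate hash in their own root stores; matching the trust anchor's name against the legacy brand names the article lists (Symantec, VeriSign, Thawte, GeoTrust, RapidSSL, Equifax) is a simplification of this example. The chains below are constructed; the `notBefore=` parser accepts the date format `openssl x509 -noout -dates` prints, so the same functions can be fed real output.

```python
"""Two-phase Symantec distrust check over a served chain (added example,
not browser code).  Root matching by brand name is a simplification and the
chains below are constructed."""
from dataclasses import dataclass
from datetime import date, datetime

PHASE1_CUTOFF = date(2016, 6, 1)
LEGACY_SYMANTEC_BRANDS = ("Symantec", "VeriSign", "Thawte", "GeoTrust", "RapidSSL", "Equifax")

OK = "trusted"
PHASE1 = "distrusted since Firefox 60 / Chrome 66 (issued before 2016-06-01 under a Symantec root)"
PHASE2 = "distrusted from Firefox 63 / Chrome 70 (chains to a Symantec root)"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date


def parse_openssl_date(line: str) -> date:
    """Parse 'notBefore=Jun  1 00:00:00 2016 GMT' as printed by
    `openssl x509 -noout -dates` (single-digit days are space padded)."""
    value = line.split("=", 1)[-1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").date()


def trust_anchor_name(chain):
    """Validate issuer/subject linkage leaf-first and return the root's name,
    which is the last cert's issuer when the server omits the root itself."""
    if not chain:
        raise ValueError("empty chain")
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            raise ValueError(f"broken chain: {cert.subject!r} was not issued by {parent.subject!r}")
    last = chain[-1]
    return last.subject if last.subject == last.issuer else last.issuer


def chains_to_legacy_symantec(chain) -> bool:
    """Simplification: a brand name in the anchor's DN stands in for a root-store hash match."""
    anchor = trust_anchor_name(chain).lower()
    return any(brand.lower() in anchor for brand in LEGACY_SYMANTEC_BRANDS)


def distrust_status(chain) -> str:
    """Which phase of the schedule, if any, breaks this chain."""
    if not chains_to_legacy_symantec(chain):
        return OK
    if chain[0].not_before < PHASE1_CUTOFF:
        return PHASE1
    return PHASE2


# Constructed chains: names echo the brands from the article, dates are made up.
OLD_SYMANTEC = [
    Cert("www.example.com", "Symantec Example Secure Server CA", date(2015, 9, 1)),
    Cert("Symantec Example Secure Server CA",
         "VeriSign Class 3 Public Primary Certification Authority - G5", date(2013, 10, 31)),
]
NEWER_SYMANTEC = [
    Cert("www.example.com", "RapidSSL Example Issuing CA", date(2018, 3, 1)),
    Cert("RapidSSL Example Issuing CA", "GeoTrust Global CA", date(2017, 11, 6)),
]
OTHER_CA = [
    Cert("www.example.net", "Other Issuing CA", date(2018, 9, 1)),
    Cert("Other Issuing CA", "Other Root CA", date(2016, 3, 17)),
    Cert("Other Root CA", "Other Root CA", date(2000, 9, 30)),  # root sent along, self-signed
]

if __name__ == "__main__":
    for label, chain in (("old Symantec", OLD_SYMANTEC),
                         ("newer Symantec", NEWER_SYMANTEC),
                         ("other CA", OTHER_CA)):
        print(f"{label:<15} leaf issued {chain[0].not_before}  {distrust_status(chain)}")
```

To run it against a live host, capture the chain with `openssl s_client -connect host:443 -servername host -showcerts`, pipe each PEM block through `openssl x509 -noout -subject -issuer -dates`, and build one `Cert` per block in the order served. Cross-signed intermediates are why the anchor name, not the leaf's immediate issuer, is what matters: a leaf whose issuer carries a DigiCert name can still chain to a legacy root depending on which intermediate the server sends.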