Slashdot Mirror


Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com)

When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.

HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abide by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority.
For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.
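The practical question for a site operator reading the story is "is my certificate one of the ones Chrome 70 will stop trusting?" The script below is an added example, not code from the TechCrunch report or from Chrome; it takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, looks at the issuer's organization name for the legacy brand names the story lists, and compares the `notBefore` date against the "issued before June 2016" cutoff the story gives. The brand-name list, the June 1 2016 cutoff and the sample certificate dicts are assumptions constructed for illustration; Chrome's actual distrust is keyed on specific root certificates, so a match here means "go check your chain", not a definitive verdict.

```python
import socket
import ssl
from datetime import datetime, timezone

# Legacy brand names named in the story, lower-cased for substring matching.
# Constructed list for illustration; the real distrust is by root certificate.
LEGACY_SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "equifax", "rapidssl")

# Assumed cutoff, taken from the story's "issued before June 2016" wording.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return the issuer organizationName from a dict shaped like getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def is_legacy_symantec(cert):
    """True if the issuer organization names one of the legacy brands."""
    org = issuer_org(cert).lower()
    return any(brand in org for brand in LEGACY_SYMANTEC_BRANDS)


def issued_before_cutoff(cert):
    """Parse the getpeercert() notBefore string and compare with CUTOFF."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    not_before = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return not_before < CUTOFF


def assess(cert):
    """Classify a certificate dict as 'at_risk', 'legacy_brand_recent' or 'ok'."""
    if not is_legacy_symantec(cert):
        return "ok"
    return "at_risk" if issued_before_cutoff(cert) else "legacy_brand_recent"


def assess_host(hostname, port=443, timeout=5.0):
    """Live check: fetch the leaf certificate a server presents and assess it.

    Note that getpeercert() only returns the leaf, so the issuer seen here is
    the intermediate CA; the legacy brand names appear on those too.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return assess(tls.getpeercert())


# Constructed sample certificate dicts (not real certificates), in the
# shape getpeercert() returns, so the checks can be exercised offline.
SAMPLE_LEGACY_OLD = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Legacy Intermediate CA"),)),
    "notBefore": "Mar 13 00:00:00 2016 GMT",
    "notAfter": "Mar 13 23:59:59 2018 GMT",
}
SAMPLE_LEGACY_RECENT = dict(SAMPLE_LEGACY_OLD, notBefore="Sep 13 00:00:00 2017 GMT")
SAMPLE_LETSENCRYPT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Example LE Intermediate"),)),
    "notBefore": "Sep 13 00:00:00 2018 GMT",
    "notAfter": "Dec 12 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for name, cert in (("legacy-old", SAMPLE_LEGACY_OLD),
                       ("legacy-recent", SAMPLE_LEGACY_RECENT),
                       ("letsencrypt", SAMPLE_LETSENCRYPT)):
        print(name, assess(cert))
```

Running `assess_host("your-site.example")` against a real host gives the same three-way verdict; if the local OpenSSL trust store has already dropped the legacy roots, the handshake itself will fail with an `ssl.SSLCertVerificationError`, which is itself the answer.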

4 of 177 comments

  1. Re:This not about security, because it does not he by tepples · · Score: 5, Insightful

    Do the world a favor, get a certificate for your site, even if it's just the free one from let's encrypt.

    I agree for a public site. But it's not quite free for a private web server behind the firewall of a home LAN. Like other CAs that web browsers trust by default, Let's Encrypt requires a fully qualified domain name, not an IP address in 192.168/16 or a hostname within a reserved TLD like .internal, and many dynamic DNS providers aren't on the Public Suffix List and/or don't support TXT records. Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?

  2. It eliminates Blue Coat by Anonymous Coward · · Score: 5, Insightful

    I sort of semi-agree. But...

    Lest you forget, Symantec gave root authority to Blue Coat, a firm selling network sniffing software.

    https://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/

    Which let Blue Coat fake certs for websites and browsers that did not authorize it. In effect Symantec authorized this man in the middle attack on their behalf.

    This was after an incident where Symantec were caught issuing fake Google certificates, which they claimed was 'testing/accidentally released'.

    This was after the Snowden reveal that some unnamed certificate authority had been issuing fake Google certs to NSA for intercepting Google's internal communications.

    So, it DOES help security, but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
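The "track every certificate and scream if it changes" idea in the comment above is a trust-on-first-use detector. The code below is an added example, not the commenter's code and not anything a browser ships: it keeps a per-host record of the SHA-256 fingerprint of the last certificate seen and the issuer's organization name, and on each new observation reports whether the certificate is unchanged, changed under the same issuer (a routine renewal), or changed to a different issuer (the case the commenter wants shouted about). The `CertTracker` class, `observe_live` helper and the byte strings standing in for DER certificates are all assumptions constructed for this example.

```python
import hashlib
import json
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# The tracker only hashes the bytes it is given, so any bytes demonstrate it.
DER_FIRST = b"constructed-cert-for-example.test-issued-by-CA-A"
DER_RENEWED = b"constructed-cert-for-example.test-issued-by-CA-A-renewed"
DER_NEW_CA = b"constructed-cert-for-example.test-issued-by-CA-B"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, as browsers display it."""
    return hashlib.sha256(der_bytes).hexdigest()


class CertTracker:
    """Trust-on-first-use record of the certificate each host last presented."""

    def __init__(self):
        self.seen = {}  # hostname -> {"fingerprint": ..., "issuer": ...}

    def observe(self, hostname, der_bytes, issuer):
        fp = fingerprint(der_bytes)
        previous = self.seen.get(hostname)
        self.seen[hostname] = {"fingerprint": fp, "issuer": issuer}
        if previous is None:
            return {"verdict": "first_seen", "issuer": issuer}
        if previous["fingerprint"] == fp:
            return {"verdict": "unchanged", "issuer": issuer}
        # The certificate changed. Report an issuer change separately: a renewal
        # from the same CA is expected churn, a new CA is what deserves the alarm.
        return {
            "verdict": "changed",
            "issuer_changed": previous["issuer"] != issuer,
            "old_issuer": previous["issuer"],
            "new_issuer": issuer,
        }

    def dump(self):
        """Serialise the store so it survives between runs."""
        return json.dumps(self.seen, sort_keys=True)

    def load(self, text):
        self.seen = json.loads(text)


def observe_live(tracker, hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate a server presents and feed it to the tracker."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = ""
            for rdn in tls.getpeercert()["issuer"]:
                for key, value in rdn:
                    if key == "organizationName":
                        issuer = value
            return tracker.observe(hostname, der, issuer)


if __name__ == "__main__":
    tracker = CertTracker()
    for der, issuer in ((DER_FIRST, "CA A"), (DER_FIRST, "CA A"),
                        (DER_RENEWED, "CA A"), (DER_NEW_CA, "CA B")):
        print(tracker.observe("example.test", der, issuer))
```

Two caveats a deployment would hit immediately: sites behind load balancers legitimately present several different certificates, and short-lived certificates (Let's Encrypt's 90-day ones, for instance) change every few weeks, so a tracker like this is useful as an alerting signal on issuer changes rather than as a hard block on any change.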

  3. Re:This not about security, because it does not he by Anonymous Coward · · Score: 5, Insightful

    google isn't a net 'newbie' they're a net 'bully'. trying to force their way upon everybody.

  4. Don't be evil was changed by bursch-X · · Score: 5, Funny

    Google changed the "don't be evil" line a while ago, it's now:

    "Welcome to my underground lair."

    --
    There are two rules for success:
    1. Never tell everything you know.