Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs

Hmm, the article seems like it needs another once over. The block quote by Symantec isn't properly closed.

In affect, the certificates will be downgraded to less-secure domain-validated certificates.

Affect -> effect.

In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have issued more than 30,000 certificates.

Seems like there's something missing here about the 30,000 certificates (like what the headline notes: mis-issued).
 
Upvote
87 (94 / -7)

pokrface

Senior Technology Editor
21,552
Ars Staff
I don't think the action is out of proportion with the size of Symantec's fuckup. This is exactly why the root CA system is fundamentally unworkable—it ultimately requires trusting that for-profit entities will act ethically in a situation where unethical behavior will bring in greater profit.
 
Upvote
481 (481 / 0)
I don't think the action is out of proportion with the size of Symantec's fuckup. This is exactly why the root CA system is fundamentally unworkable—it ultimately requires trusting that for-profit entities will act ethically in a situation where unethical behavior will bring in greater profit.

If anything, Symantec is getting off easier than they deserve (though since holding them to account as hard as they deserve would be a bit of a showstopper, that's not a surprise).

If you can't put the 'trusted' in 'trusted root', there just isn't any reason for you to exist; and Symantec sure isn't inspiring any confidence.
 
Upvote
235 (235 / 0)
Good job, Google. 30,000 unauthorised certificates being issued is 30,000 too many; five or ten you could maybe, kinda, sorta understand, but 30,000 smacks of huge incompetence at best.

Companies who have their root certificates entrusted as part of the TLS core infrastructure need to have better checks and balances than to simply say "oops, we done goofed" after the fact. If they demonstrate - as Symantec has demonstrated - that they can't manage that, their root certificates need to be yanked out of the chain of trust as soon as possible.

It sucks, royally, for those who have paid for their certs in good faith, but this is too important an issue to simply let slide just because Symantec has signed a lot of the certificates out there.

"Their proposed action is irresponsible", claims Symantec. Would that be more, or less, irresponsible than letting 30,000 certificates get improperly issued? Symantec: get your systems in order, fix the problems, show us a reason to trust you, and then, maybe you'll have moral grounds to bitch about irresponsible actions.
 
Upvote
208 (208 / 0)
I don't think the action is out of proportion with the size of Symantec's fuckup. This is exactly why the root CA system is fundamentally unworkable—it ultimately requires trusting that for-profit entities will act ethically in a situation where unethical behavior will bring in greater profit.

If anything, Symantec is getting off easier than they deserve (though since holding them to account as hard as they deserve would be a bit of a showstopper, that's not a surprise).

If you can't put the 'trusted' in 'trusted root', there just isn't any reason for you to exist; and Symantec sure isn't inspiring any confidence.

The problem is these entities getting TooBigToFail™, which then makes them almost invulnerable to meaningful actions.
 
Upvote
122 (125 / -3)

grommit!

Ars Legatus Legionis
20,793
Subscriptor
I must admit to not having paid much attention to who owns the various CAs, but this was a bit of an eye opener:

google said:
This compatibility risk is especially high for Symantec-issued certificates, due to their acquisition of some of the first CAs, such as Thawte, Verisign, and Equifax

GeoTrust are also mentioned in the discussion.
 
Upvote
104 (104 / 0)
Their communication was unexpected and their proposed action is irresponsible. Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time.


Google isn't responsible to your customers and partners, they are responsible for all Chrome users, and even to site owners that are not your customers as well.
 
Upvote
145 (147 / -2)
They say no customers need to take action right now...

but if you run a company that's at ALL concerned about security and you use Symantec, aren't you probably having a meeting right now about how quickly you can migrate elsewhere?

Google doesn't really have to do much here, Symantec seems to have done the thing that should make people stop using them.
 
Upvote
131 (131 / 0)
I don't think the action is out of proportion with the size of Symantec's fuckup. This is exactly why the root CA system is fundamentally unworkable—it ultimately requires trusting that for-profit entities will act ethically in a situation where unethical behavior will bring in greater profit.
I don't get why Google, Facebook, Apple, etc all don't fund the three true CAs. Or open source something plus pay for operations. Or any number of other options other than allow Symantec, the Comcast of security, to exist.

Also fund the R&D for replacements and different vetting schemes.

Or if there is a commercial entity, then CA has to be their sole business. Nothing like a bit of existential dread to focus efforts correctly.
 
Upvote
87 (88 / -1)
Good job, Google. 30,000 unauthorised certificates being issued is 30,000 too many; five or ten you could maybe, kinda, sorta understand, but 30,000 smacks of huge incompetence at best.

As the saying goes, "once is happenstance, twice is coincidence, three times is enemy action."

Thirty thousand times is a fucking declaration of war. Nobody is that incompetent.
 
Upvote
150 (150 / 0)
I don't think the action is out of proportion with the size of Symantec's fuckup. This is exactly why the root CA system is fundamentally unworkable—it ultimately requires trusting that for-profit entities will act ethically in a situation where unethical behavior will bring in greater profit.

I've periodically pondered alternatives to the current system (e.g. distributed trust networks) but I haven't seen anything that looks truly viable given the world we have (not the one we want).

Any references to credible alternative ideas?
 
Upvote
34 (34 / 0)
D

Deleted member 441963

Guest
First paragraph

more than 30,000 certificates.

Do I understand that the issue is that there were 30,000 invalid certs?

No. The issue is not the validity of the certificates but the trust under which they were issued. For instance: EV certificates promise Extended Validation of the legal entity requesting the certificate. Check with BBB and double check with Dun & Bradstreet, for instance. If you can skip the 'extended validation' part by paying more, EV becomes meaningless because a fraudster with deep pockets can get an EV certificate for his bankofamurica.com website.

Valid certificates you should not trust, is the issue. 30,000 of them.
 
Upvote
117 (117 / 0)

Smithy6482

Wise, Aged Ars Veteran
131
I've periodically pondered alternatives to the current system (e.g. distributed trust networks) but I haven't seen anything that looks truly viable given the world we have (not the one we want).

Any references to credible alternative ideas?

This is probably a stupid question since I really don't know what I'm talking about: what about blockchain-based certificate authentication? Anyone with more knowledge wanna tell us why that's a good or bad idea?
 
Upvote
17 (25 / -8)
Gotta hand it to Google for doing what needs to be done. You can't pretend to be a security company and break basic security protocol for what underpins trillions of dollars of revenue.

Yup, and Google is one of the few companies that can hold them to account. My money says Symantec revokes the 30k HTTPS certs, and pays Google to prevent them from doing this. If Google goes through with it, it could kill them.
Google makes so much money, and this is so fundamental to security on the internet (which they're serious about) there's no amount Symantec could pay them to make this go away.
 
Upvote
80 (80 / 0)
Am I missing something? This doesn't quite add up.

From the comments I've read from Mozilla it looks like this is a combination of two problems. First, Symantec was creating "test" certificates for domain names they didn't control without the domain names owners' permission. Second, Symantec was hiding the fact that they were creating these improper certificates making everything difficult to audit.

When you get a cert from Let's Encrypt you still have to prove you control the domain name. Symantec wasn't always bothering to do that.
 
Upvote
94 (94 / 0)
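The second problem named in the post above, certificates created for domains without the owner's knowledge, is exactly what Certificate Transparency monitoring is meant to surface. The following is an added example, not code from the thread or from any CA: it takes a constructed, in-memory list standing in for CT log entries and flags every certificate that covers a domain you own but was issued by a CA you did not authorize. The domain names, issuer names and dates are all made up for the demonstration.

```python
# Added example (not from the thread or from any CA's tooling): scan a list of
# Certificate Transparency-style log entries for certificates that cover domains
# you own but were issued by a CA you never authorized. The entries below are
# constructed sample data, not real log records.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class LogEntry:
    dns_names: Tuple[str, ...]  # subject alternative names on the certificate
    issuer_org: str             # organization name of the issuing CA
    not_before: str             # issuance date, ISO format (constructed)


# Constructed sample entries standing in for a CT log query result.
SAMPLE_ENTRIES = [
    LogEntry(("www.example.com",), "Authorized CA Org", "2017-03-01"),
    LogEntry(("example.com", "*.example.com"), "Unauthorized Test CA", "2017-03-10"),
    LogEntry(("other.test",), "Unauthorized Test CA", "2017-03-12"),
    LogEntry(("mail.example.com",), "Another CA", "2017-03-15"),
]


def domain_matches(name: str, owned: Set[str]) -> bool:
    """True if a SAN (possibly a wildcard) falls under one of the owned base domains."""
    bare = name[2:] if name.startswith("*.") else name
    bare = bare.lower().rstrip(".")
    return any(bare == d or bare.endswith("." + d) for d in owned)


def find_unexpected(entries: Iterable[LogEntry],
                    owned_domains: Set[str],
                    authorized_issuers: Set[str]) -> List[Tuple[str, Tuple[str, ...], str]]:
    """Return (issuer, affected names, not_before) for every entry that names an
    owned domain and comes from an issuer outside the authorized set."""
    hits = []
    for entry in entries:
        affected = tuple(n for n in entry.dns_names if domain_matches(n, owned_domains))
        if affected and entry.issuer_org not in authorized_issuers:
            hits.append((entry.issuer_org, affected, entry.not_before))
    return hits


if __name__ == "__main__":
    owned = {"example.com"}
    authorized = {"Authorized CA Org"}
    for issuer, names, date in find_unexpected(SAMPLE_ENTRIES, owned, authorized):
        print(f"ALERT {date}: {issuer} issued a certificate for {', '.join(names)}")
```

A wildcard SAN such as `*.example.com` is treated as covering the owned domain, since a certificate of that shape can impersonate any host under it. In a real deployment the entries would come from a CT log or a monitoring service rather than a hard-coded list, and the issuer check would normally key on the issuer's full distinguished name or its key identifier, not just the organization string.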

NavyGothic

Ars Legatus Legionis
10,314
Subscriptor
This is probably a stupid question since I really don't know what I'm talking about: what about blockchain-based certificate authentication? Anyone with more knowledge wanna tell us why that's a good or bad idea?
Blockchains don't really help with this problem. It's essentially an interesting method of providing a data store which remains secure (ie. resistant to improper tampering) despite being widely distributed.

Technical integrity isn't really the problem with CAs. The big issue is that the CAs aren't performing due diligence before issuing certificates, potentially resulting in 100% valid certificates being issued to people who are definitely not who they claim to be. Blockchain tech doesn't help with this problem at all.

(You see a similar problem with Bitcoin; the tech itself is reasonably secure, yet it's still rife with scams)
 
Upvote
89 (90 / -1)
Am I missing something? This doesn't quite add up. Let's Encrypt really does almost NO validation whatsoever. As long as you are in control of the web server at said domain, you can get a certificate. How many web servers are compromised on a daily basis at any one domain? Why should Google threaten to penalize them for EVERY certificate issued when they (Google) back a system that makes it trivial to get a certificate?

This is only sometimes helpful in practice (since you can't keep people from believing incorrect things, even by belaboring the point); but it's important to remember the distinction between 'what you promise' and 'how much of what you promise you deliver'.

"Let's Encrypt" doesn't promise all that much; their system is pretty much just designed to ensure that the entity that requested the certificate has (or very recently had, their certificates do last a modest period of time after issue) operational control of the host for which the certificate is issued.

That isn't a terribly grand promise: it doesn't imply anything about the real-world owner of the site, or tell you whether or not somebody compromised the host, etc. but it has the virtue of both being relatively easy and cheap to automatically verify and of being something where the most common failure mode (compromised host) isn't a threat that SSL is supposed to protect against, no matter how exhaustively vetted (it is supposed to protect the channel between you and the server from 3rd parties, not assure you that the guy running the server is trustworthy); so failures there aren't terribly serious.

To the best of my knowledge, while LE doesn't promise much, they have so far delivered it; and have avoided failures that threaten other people's sites. If my little VPS gets hacked, or my shoddy admin dashboard has an exploit, somebody else getting an LE cert for my site is quite plausible; but that's because somebody else does, indeed, have operational control of my site. Getting an LE cert without demonstrating operational control is what would be really worrisome.

And, that is where Symantec has been in trouble: they've been caught issuing enormously powerful certs for high profile domains without the request of the domain holder, which are potent weapons for MiTM attacks. That is bad.
 
Upvote
129 (129 / 0)
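The post above describes the one thing a domain-validated issuer like Let's Encrypt actually checks: that whoever is asking has operational control of the host. The following is an added example, not code from the thread, from Let's Encrypt or from the ACME project: it models the shape of an ACME HTTP-01 challenge (RFC 8555) offline. The CA hands the applicant a random token; the applicant must publish the token joined to a thumbprint of its own account key at a well-known path on the host; the CA then fetches that path and compares. The "host" here is a plain dict of paths to bodies, the JWK values are constructed placeholders, and no network is used.

```python
# Added example (not Let's Encrypt or ACME project code): an offline model of an
# ACME HTTP-01 style domain-control check. The host is simulated by a dict of
# URL paths to response bodies; JWK values below are constructed placeholders.
import base64
import hashlib
import hmac
import json
import secrets

CHALLENGE_DIR = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def account_thumbprint(public_jwk: dict) -> str:
    """JWK thumbprint in the style of RFC 7638: SHA-256 over the canonical JSON of
    the key's members. Assumes the dict holds only the required public members."""
    canonical = json.dumps(public_jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def new_challenge_token() -> str:
    """The CA side: a fresh unpredictable token per challenge."""
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, public_jwk: dict) -> str:
    """The value the applicant must serve: token '.' thumbprint of its account key.
    Binding the thumbprint stops a third party who sees the token from reusing it."""
    return f"{token}.{account_thumbprint(public_jwk)}"


def provision(host_files: dict, domain: str, token: str, public_jwk: dict) -> None:
    """The applicant side: publish the key authorization on the host it controls."""
    host_files.setdefault(domain, {})[CHALLENGE_DIR + token] = key_authorization(token, public_jwk)


def validate_http01(host_files: dict, domain: str, token: str, public_jwk: dict) -> bool:
    """The CA side: 'fetch' the challenge path on the domain and compare in constant time."""
    body = host_files.get(domain, {}).get(CHALLENGE_DIR + token)
    if body is None:
        return False
    expected = key_authorization(token, public_jwk)
    return hmac.compare_digest(body.strip().encode(), expected.encode())


def demo() -> dict:
    """Run the exchange for a legitimate applicant and for two parties who lack control."""
    applicant_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    other_jwk = {"kty": "EC", "crv": "P-256", "x": "other-x", "y": "other-y"}
    host_files: dict = {}
    token = new_challenge_token()
    provision(host_files, "example.com", token, applicant_jwk)   # applicant controls the host
    return {
        "applicant_passes": validate_http01(host_files, "example.com", token, applicant_jwk),
        "other_account_fails": validate_http01(host_files, "example.com", token, other_jwk),
        "uncontrolled_domain_fails": validate_http01(host_files, "other.example", token, applicant_jwk),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the model makes concrete is the one in the post: passing the check proves only that the requester could write a file on the host at that moment. A compromised web server passes it honestly, which is why that failure is outside what the certificate promises, while a CA that issues without running any such check at all is the failure that does break the promise. Real ACME validators fetch over HTTP from several network vantage points and also offer a DNS-based challenge; neither of those is modelled here.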
I don't think the action is out of proportion with the size of Symantec's fuckup. This is exactly why the root CA system is fundamentally unworkable—it ultimately requires trusting that for-profit entities will act ethically in a situation where unethical behavior will bring in greater profit.
I don't get why Google, Facebook, Apple, etc all don't fund the three true CAs. Or open source something plus pay for operations. Or any number of other options other than allow Symantec, the Comcast of security, to exist.

Also fund the R&D for replacements and different vetting schemes.

Or if there is a commercial entity, then CA has to be their sole business. Nothing like a bit of existential dread to focus efforts correctly.

Comcast of security... that made me laugh out loud, even snort.
 
Upvote
43 (43 / 0)