Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Google Networking Security The Internet

Google Bans Symantec Root Certificates 84

An anonymous reader writes: After in September Google discovered SSL certificates issued in its name by Symantec, and after in October the company discovered over 2,500 more certificates issued for non-existent domains, also by Symantec, Google has now decided to ban Symantec's dodgy certificates from Android and Chrome. "Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products." Apparently Symantec hasn't been very careful of where and to whom it issues SSL certificates from a particular root branch.
This discussion has been archived. No new comments can be posted.

Google Bans Symantec Root Certificates

Comments Filter:
  • by Anonymous Coward

    not ALL symmantec certificates...

    • I bet something that broad would generate a lawsuit, possibly some kind of antitrust litigation.

      • by Anonymous Coward on Saturday December 12, 2015 @08:25PM (#51107519)

        I would say that Symantec issuing Certs with Google's name on them would qualify as egregious misrepresentation, on the behalf of Symantec, and be grounds to suing symmantec into oblivion by Google.

        Really, perhaps that's a better response for Google.

        It could even fall under the context of identity theft and grounds for criminal charges to be filed; another good response and not exclusive of a civil lawsuit based from Google.

        • I wish Google would just buy them and then shut them down. Its a much better outcome.
          • I wish Google would just buy them and then shut them down. Its a much better outcome.

            Symantec's shareholders and all of Symantec's competitors wholeheartedly agree.

            It's less clear that it would do the world any good, and very clear that it would do Google none.

      • by bwcbwc ( 601780 )

        I bet something that broad would generate a lawsuit, possibly some kind of antitrust litigation.

        RT*A: Google claims they are doing it at Symantec's request.

        As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate.

  • by ttucker ( 2884057 ) on Saturday December 12, 2015 @07:04PM (#51107271)

    From TFA:

    As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate.

    Later in TFA:

    Symantec has indicated that they do not believe their customers, who are the operators of secure websites, will be affected by this removal.

    Symantec is retiring the certificate, and has asked for it to be removed from Google (and probably other) products. End of story. Nobody should be affected.

    • by jbmartin6 ( 1232050 ) on Saturday December 12, 2015 @08:43PM (#51107567)
      It didn't sound like they are retiring it, they just wouldn't say what they were doing with it and requested the removal. Which I guess is sort of like a retirement, but implies they will continue to use it for some unstated purpose. Almost as if some agency were forcing them to misuse it and they are skirting some legal requirement by asking others to stop trusting it. But that is 100% speculation on my part.
    • by Anonymous Coward on Saturday December 12, 2015 @10:54PM (#51107947)

      It is a really lousy summary. This is the G1 class 3 root CA VeriSign issued in 1996! If I remember correctly, it's a 1024 bit RSA root, and it hasn't been used in production in 5+ years. Removing it permanently from being trusted will doubtless break a few ancient systems that haven't been updated in forever, but it's the right thing to do. Not a sign of anything more than obsolescence.

      • by yuhong ( 1378501 )

        Yea, Mozilla killed or limited to email this and most other 1024-bit roots sometimes ago.

    • Symantec is retiring the certificate, and has asked for it to be removed from Google (and probably other) products. End of story. Nobody should be affected.

      Translation: the NSA no longer needs to use certificates that are signed against this root.

  • You mean we are going to ban ALL of symantecs root certs because of a few bad apples??? ;)
    • The summary tried as hard as possible to imply that this was some acrimonious thing, but it is not.

      Symantec asked Google to distrust a specific CA root, end of story. Nobody affected in any way, except maybe people who do not install updates.

      • O cannot see the difference between one root ceritifcate owned my symatic/verisign, and an othter. So they just went bad on one root, they just move their bad practice to an other root CA they own.

        Ban all verisign(=symatic) CA issued from now on!

      • by Anonymous Coward
        No, Symantec didn't just inform Google that they should just remove the certs. Google found something "not quite right" multiple times after which they informed Symantec, and are now in the process of having the CA root cert removed. It's at THIS point that Symantec said "oh yeah, just remove it, no one will be affected". They would have never said anything had Google not found something, and they still haven't publicly made a statement.
      • Re:thats racist!!! (Score:5, Interesting)

        by TechyImmigrant ( 175943 ) on Saturday December 12, 2015 @08:53PM (#51107597) Homepage Journal

        The summary tried as hard as possible to imply that this was some acrimonious thing, but it is not.

        Symantec asked Google to distrust a specific CA root, end of story. Nobody affected in any way, except maybe people who do not install updates.

        Having spoken with some of the people involved, it certainly was an acrimonious thing.

        You would be pissed too if a big CA was signing forged certs of your web site's identity to someone else.

        • Right, Google was not happy with Symantec about that happening, and the summary is strongly trying to imply that Google is punishing Symantec by interrupting the value of their certificates... from TFA we can read that Symantec does not anticipate that any of their SSL customers will be affected.

      • by AmiMoJo ( 196126 )

        Google noticed that there were major problems with a Symantec root cert. Symantec were basically forced to ask for removal to retain accreditation on other root certs. If they can't say what this one is for, we can be 99% sure it was the government forcing them to issue it, which if itself quite a scandal. More proof that we can't trust Symantec software.

  • by Anonymous Coward

    I wind up cleaning my Android device's cert store just because there are a lot of certs that are made by foreign governments, that are not really used, but can easily be abused. China's government has one, for example. Same with Turkey and Saudi Arabia.

    What Google should do is figure out the geographical location used, disallow certs that are not directly appropriate to the region, perhaps allowing certs to be turned on/off if one travels. As it stands now, the fewer, the better.

  • by Provocateur ( 133110 ) <shedied.gmail@com> on Saturday December 12, 2015 @07:39PM (#51107385) Homepage

    Please, enough of improper use of English in our website! I don't mind so much in posts, but at least can we have decent grammar and syntax in TFS? Our website is not written by 11 year olds who missed Sesame Street's first ten seasons; they are written by adults who are expected to know that the words before and after are usually tied to a certain event, e.g. "after" the aliens came or "before" I lost all my hair. If I knew where you guys work, I could volunteer to work there full time, and help out.

  • That doesn't mean they actually have any of it to sell you.

    They do offer some of the best fake protection that you can download from torrent sites hosted in Somalia.

  • They only thing they're an authority on is processing credit cards, and they only thing they certify is that your credit card didn't bounce.

  • I was wondering why my cable company would be using an invalid certificate for the secure portions of their site. Now I know.

In every hierarchy the cream rises until it sours. -- Dr. Laurence J. Peter

Working...