Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Chrome Google Security The Internet

Google Reducing Trust In Symantec Certificates Following Numerous Slip-Ups (bleepingcomputer.com) 78

An anonymous Slashdot reader writes from a report via BleepingComputer: Google Chrome engineers announced plans to gradually remove trust in old Symantec SSL certificates and intent to reduce the accepted validity period of newly issued Symantec certificates, following repeated slip-ups on the part of Symantec. Google's decision comes after the conclusion of an investigation that started on January 19, which unearthed several problems with Symantec's certificate issuance process, such as 30,000 misused certificates. In September 2015, Google also discovered that Symantec issued SSL certificates for Google.com without authorization. Symantec blamed the incident on three rogue employees, whom it later fired. This move from Google will force all owners of older Symantec certificates to request a new one. Google hopes that by that point, Symantec would have revamped its infrastructure and will be following the rules agreed upon by all the other CAs and browser makers.
This discussion has been archived. No new comments can be posted.

Google Reducing Trust In Symantec Certificates Following Numerous Slip-Ups

Comments Filter:
  • Are editors asleep at the wheel? Google fired the employees, so the employees should be addressed in the objective case. Whom it later fired, not who.

    • I would say "you must be new here", but I see from your ID that you have been reading Slashdot for many years.
    • Objectively, it was Symantec that fired the employees.

    • by Anonymous Coward

      If you hired a law firm and obtained the services of a specific lawyer who was extremely negligent and completely threw your case to the wolves, do you find fault with the specific lawyer, or the law firm that you actually have the contract through? It's similar here - you do not buy your Symantec SSL cert from one of those three rogue employees, but rather from Symantec itself. It is the entire company that bears the burden of the misdeeds of any of its employees.

    • by Desler ( 1608317 )

      Google fired Symantec's employees? lolwut?

  • by rahvin112 ( 446269 ) on Thursday March 23, 2017 @10:39PM (#54100187)

    If there is one thing the certificate industry has proven it's that you can't trust any of them. The only solution is the automated solutions like the non-profit Let's encrypt have built. You know it's a good cert because only the person in control of the domain could get it. And I'll tell you what even with it's warts I trust it way more than I trust these damn companies that have 4 year olds signing off on certificate procedures and handing certificates to anyone with the cash.

    Ultimately it's going to be movements like Let's Encrypt that fix this trust issue by taking it out of the hands of people trying to make a buck on "trust" when none of them could be trusted.

    • by skids ( 119237 )

      You know it's a good cert because only the person in control of the domain could get it.

      ...or anyone p0wning enough of their services at any particular time.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        And?

        If somebody is capable of getting into the system far enough that they can spoof the authentication methods Let's Encrypt uses to verify ownership/control of the domain, they can also, in all likelihood, gain access to the private key as well.

        If they can gain access to the private key, then that's it: game over. Doesn't matter what you do, TLS is not going to save your customers' hides. The only way to deal with that problem is to lock down the server so they can't get back in, and create a new certific

        • by skids ( 119237 )

          There are various attack vectors that allow spoofing of those creds without access to the private key.

          What such an attacker can't likely do is answer an on-premises phone call from an extended validation CA to get a new cert for the domain in question.

          Don't get me wrong -- letsencrypt is a good thing for encouraging at least the possibility of security among those who cannot afford a real CA. But no fully automated system will ever be able to offer better guarantees than a staffed-up CA (not that all staff

    • You have a better solution? You want the US government deciding instead like ICAAN in addition to being a central point of exploit?

      If you let others self sign that means you risk having the private keys known and it's game over. Let's encrypt has same problem in which they can screw up and hand out extra certificates. Also if they are hacked and private key is leaked then game over the Internet is done as we know it. This makes me not want lots of players on the CA space

    • by AmiMoJo ( 196126 )

      Let's Encrypt doesn't verify identity, which is one of the major functions of the certificate system. The certs that Let's Encrypt offer are enough to enable HTTPS, but not to confirm the identity of the organization running the web site. Such a cert won't give you confidence that randombank.com is actually being run by Random Bank Inc.

      Put another way, if you managed to register gooogle.com you could get a Let's Encrypt cert for it. What certificate authorities are supposed to do is verify that the person r

    • That's right. Just as we fixed the crooked financial industry by starting our own distributed currency, Bitcoin, which has never had any problem.

  • by Plocmstart ( 718110 ) on Thursday March 23, 2017 @11:28PM (#54100345)

    I met a marketing exec at the Freescale Technology Forum in Austin last May. Their take on things was the good 'ol way was still the best way. I need to find his business card since he said he'd buy me lunch if Bitcoin was still around a year later.

  • by Anonymous Coward

    Can someone explain to me why domains don't just include a public key in their DNS record (signed all the way up to a root authority), and to verify the site you're connecting to is indeed that site, you ask that site to sign a random number with their matching private key?

    Why, exactly, are we still fucking around with certificate authorities, decades after having the knowledge, ability, and incentive, of being able to implement something like the above?

    • by jonwil ( 467024 ) on Friday March 24, 2017 @12:48AM (#54100591)

      What you suggest exists. Its called DANE.
      However browser vendors (like Google and Mozilla) have been reluctant to implement it because there are many real-world cases where DNS servers of various sorts simply dont support DNSSEC and DANE and also because DNSSEC and DANE use weaker 1024 bit keys in some places (chosen to keep bandwidth usage lower).

      • by chihowa ( 366380 )

        Browser vendors like (Google, Mozilla, Microsoft, and Apple) don't support DANE because they're big enough to each run their own trusted (by the other browsers) CA and so they don't feel the pain of having to buy certificates and "trust" third parties. They're fully invested in the CA model: sometimes charging for continued inclusion on their root CA lists and other times proposing standards that further cement the mandatory role of CAs (Certificate Transparency).

        Just like you'll never see laws that are gen

    • > Can someone explain to me why domains don't just include a public key in their DNS record (signed all the way up to a root authority) ...
      > Why, exactly, are we still fucking around with certificate authorities

      Okay, so the DNS record would have a signed certificate. You'd have "the root authority" sign certificates? You would trust this authority for certificates, and this "certificate signing authority" would be better than having a certificate authority?

      What you've suggested can be said more

      • You still have CA, you've just decided that the CA needs to be the same people who run DNS, because ... well no good reason that I can think of. What does that gain you?

        First, this is for Domain Validation certificates only. The normal CA process would still apply if you wanted an EV certificate—though you could restrict your domain to a specific EV certificate for additional security.

        If someone has control over your domain records they can already obtain a DV certificate for your domain from just about any CA by redirecting the domain to their own servers. What DANE buys you is all the security you would get with Domain Validation minus the need to deal with two dif

        • > there are only three entities you need to trust: the domain administrator for "example.com.", the registrar for "com.", and the root authority.

          There are 900 registrars handling .com, any of which can issue a transfer and change the root DNS servers for any .com domain.

          • There are 900 registrars handling .com, any of which can issue a transfer and change the root DNS servers for any .com domain.

            So they don't keep track of which registrars are responsible for which domains? That does seem a bit messed up, if true. My impression was that there was a formal process registrars had to go through to transfer control over a domain name—or does that only restrict domain owners, and not registrars? If the control over .com domains is really as chaotic as you say then that is a separate issue that ought to be addressed independent of DANE or DNSSEC.

            Even so, DANE still gives you the benefit of domain v

            • by chihowa ( 366380 )

              The registrar doesn't sign the TLD, the administrator for that TLD does. So for .com, it's Verisign.

              • Right, but if Verisign allows any registrar to update DS records for any domain, and not just the ones they're individually responsible for, then a registrar other than your own could push a malicious DS record for your domain into the TLD where it would be duly signed by Verisign, and you're back to trusting 900 separate registrars rather than just your own authorized registrar and Verisign. The TLD should only allow one registrar to update any given domain.

  • Poor Symantec. Google is making their CA business worthless. Microsoft is making their antivirus business worthless.

    What's left? VPN?
  • the Treasury department's Inspector General's page that I used to report an IRS phishing call.

Money may buy friendship but money cannot buy love.

Working...