Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Chrome Security The Internet

Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates (bleepingcomputer.com) 172

Starting today, Google Chrome will show a full-page warning whenever users are accessing an HTTPS website that's using an SSL certificate that has not been logged in a public Certificate Transparency (CT) log. From a report: By doing so, Chrome becomes the first browser to implement support for the Certificate Transparency Log Policy. Other browser makers have also agreed to support this mechanism in the future, albeit they have not provided more details. This new policy was first proposed by Google engineers in 2016, and was scheduled to enter into effect in October 2017, but was later delayed for 2018.
This discussion has been archived. No new comments can be posted.

Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates

Comments Filter:
  • You'll need an SPF record ... oh, and DKIM ... oh yeah, and DMARC ...
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Gotta keep throwing up those barriers to entry. Can't have the small fry getting in on Google's take, now can we?

  • by Anonymous Coward on Tuesday May 01, 2018 @09:57AM (#56535875)

    So how is this going to be implemented? Every SSL cert is going to be sent to Google for "verification" or is the CT log going to be local and the browser will just search it every time?

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Tuesday May 01, 2018 @11:09AM (#56536277)
      Comment removed based on user account deletion
      • by houstonbofh ( 602064 ) on Tuesday May 01, 2018 @11:36AM (#56536473)
        I am ready to break all cert warnings entirely. As a networking professional logging into self signed certs all day, the cure is FAR worse then the disease!
        • You shouldn't be doing that, your networking devices should have proper certs or your client system should be configured to trust a corporate CA and the network devices then have certs from that. Chances are your job requires you to have elevated privileges on all manner of important networking devices, if someone was able to MITM you they could steal some powerful credentials.

          The only times you should be logging into a device that uses a self signed cert are:

          1, initial configuration
          2, testing

          In the same vein however, it seems browsers are disabling support for weaker algorithms by default, and preventing you from turning them back on. This represents a significant problem, as there are all kinds of old devices which we still need to access for various reasons.

          • by caseih ( 160668 ) on Tuesday May 01, 2018 @02:30PM (#56537536)

            Are you joking? Self-signed certificates are secure, arguably more secure than commercial CA-signed certificates because I had to register each and every one with the browser. I created the certs myself. A MITM attack is *instantly* detectable to browsers (and to me), unlike a MITM attack using bonafide signed certificates from a breached certificate authority. Browsers make using self-signed certificates somewhat awkward, which is unfortunate. Firefox tells me, incorrectly, that my self-signed certificate is not secure. That is complete nonsense of course.

            Another secure method is to sign with your own certificate authority. Then you just have to convince the browser once to take your CA cert. Like the self-signed certificates, MITM attacks are instantly detectable. This method is preferable to self-signed certs when you have deal with more than a few.

            In my mind for internal servers and devices, my own certificate authority is far more secure than using something like Let's Encrypt.

          • by Junta ( 36770 ) on Tuesday May 01, 2018 @02:37PM (#56537584)

            The CA model is particularly bad for 'internal' devices.

            So one, for internal communications inside a home network, the warning is so scary that some devices decline to support https just to avoid the support call because a web browser called the device 'insecure'. Note that https with bad cert is considered 'terribly insecure to the point of blocking the site' and http without any cert whatsoever is 'ok'. Home networks are not going to go through the rigmarole of all this.

            For another, my internal IT department is given the ability to sign a certificate for *any* site I visit to provide support for internal devices. I am not empowered as a user to elect to impose my own nameConstraints as I import the certificate, so to secure access to router.internal.mycompany.com, I give them access to impersonate my.bank.com

            Even when the IT department has ability to sign certificates, either it's going to be uselessly lax (automatic granting of certs for whatever reason) or impractically difficult (every sign requires tedious interactions). Companies are terrible about implementing the right balance internally.

            Assuming you overcame all this, you *still* will get a warning, because that internal IT department isn't going to have it registered in a CT log. If they *do*, then others can audit that log to discern details about their network and they have *another* class of security problem to tackle. Or chrome is deployed with a policy to disable this feature for the sake of the internal devices, *again* coming back to fixing internal network behavior requiring reducing security for the wider internet.

            The problem is that roughly all discussions on this front focus on the typical 'internet' usage and fail to conceive of approaches that would make sense for internal networks.

            • by Junta ( 36770 )

              One amendment, that CT policy is better than I presumed it would be:
              http://www.chromium.org/admini... [chromium.org]

              Would have been nice to link in the article, it took me a while to find it. So this provides a more targeted way to relax the CT, which can in turn limit the efficacy of that internal CA, so it seems to be a step in the positive direction.

              Good to see progress being made in limiting the collateral damage enabling https internally can inflict, but it's still in many ways convoluted and an ill fit for how many

      • by Curunir_wolf ( 588405 ) on Tuesday May 01, 2018 @12:01PM (#56536627) Homepage Journal

        Also what about locally signed certificates, using a corporate or Intranet CA, that's installed on all computers that might use those certs?

        That was, at one point, considered a best practice, but I assume this'll break that.

        This, from TFA (I know, right?): "Google engineers have also added a Chrome policy flag that allows sysadmins to disable the CT log-checking behavior in instances Chrome is deployed inside an intranet."

        • Probably on a per host basis, like some of the other exceptions required to operate with the shitty embedded web servers in equipment that don't get updates so are still pre poodle etc. Not really ideal when you have a few hundred or maybee a few thousand.

          • by Junta ( 36770 )

            http://www.chromium.org/admini... [chromium.org]

            Seemingly on a domain level. So long as you have domain names...

            It would be interesting to treat IP based urls different from name based urls somehow... or at least private and link local addresses somehow differently (unless resolved by name)

  • This seems more and more like an effort to compel website owner/operators to buy into the SSL certificate scheme.

    Revenue.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      You know you can get a ssl cert for free and have it configured in like 30 seconds with certbot, right?

      • And join the debate over whether these free alternatives are legit, or fight over whether I should have an EV instead of a DV cert, or wait for say Lets Encrypt get hammered by the cert vigilantes and have to eventually join in and pay so I can be part of the SSL charade?

        If it were so simple.

    • All websites with a fully qualified domain name qualify for a domain-validated certificate without charge from Let's Encrypt. Every certificate that Let's Encrypt issues is logged in CT.

      • by Holi ( 250190 )
        Does Let's Encrypt verify identity, I can't find anything on their site about it.

        If a CA is not verifying identity then what use is their certificate?
        • Does Let's Encrypt verify identity, I can't find anything on their site about it.

          Let's Encrypt is a domain-validating certificate authority, which issues domain-validated certificates. Every such CA verifies that the person requesting a certificate is the same person who controls the domain's DNS. What other sort of "identity" did you have in mind?

          If a CA is not verifying identity then what use is their certificate?

          If a domain registrar is not verifying identity then what use is their domain?

        • Let's Encrypt doesn't issue EV certificates, so no, they don't verify real-world identity. They verify control of the domain name, just like everyone else issuing non-EV certificates. (Put another way, for DV certificates the domain is the identity.) The distinction between DV and EV certificates long predates Let's Encrypt, and their policies regarding domain validation are no more lax than most CAs'. Stricter, actually, since with LE you have to prove that you still control the domain at least once every

        • by AmiMoJo ( 196126 )

          If a CA is not verifying identity then what use is their certificate?

          It allows your connection to the web site to be encrypted, preventing ISPs and other nefarious agents from spying on you to a limited extent.

        • Does Let's Encrypt verify identity, I can't find anything on their site about it.

          If a CA is not verifying identity then what use is their certificate?

          What identify are you trying to verify? The identify of the machine in question? That's called Domain Validation, and yes Lets Encrypt does that by requiring that you prove that the certificate being issued for domain x is actually for domain x by showing that the machine actually is in charge of domain x by changing something on domain x during the issuing process.

          If you're asking about the identity of the owner of the machine, well that's an Extended Validation certificate and Lets Encrypt doesn't issue t

      • by sl3xd ( 111641 )

        Unless Let's Encrypt has changed their policy since I started using them, a certificate has to have an FDQN that's routable on the open internet, and they verify the host(s) are listening on port 443 at least once during the creation or renewal process.

        Let's Encrypt won't issue or renew certs for anybody's internal networks, which severely limits its utility.

        • Unless Let's Encrypt has changed their policy since I started using them, a certificate has to have an FDQN that's routable on the open internet, and they verify the host(s) are listening on port 443 at least once during the creation or renewal process.

          That is true of the http-01 challenge (though the port is 80). But instead of the http-01 challenge, you can use the dns-01 challenge, which requires a FQDN that's routable on the open Internet and listening on port 53. The machine involved need not be on your private network.

          Let's Encrypt won't issue or renew certs for anybody's internal networks

          Yes it will. Here's the overall procedure to obtain a certificate from Let's Encrypt or another ACME CA using the dns-01 challenge:

          1. Buy a domain, preferably from a registrar whose bundled zone hosting has an API supported by an ACME

  • internal apps / ipmi / other things that are not online don't need real certs much less running let's LetsEncrypt with ports open so that runs.

  • A lot of people, including myself use LetsEncrypt on a CPanel based hosting account to generate certs for a website.

    Are those local, self-signed certificates or something that is registered somewhere? I'd never really paid attention since it just worked and was one less thing to deal with.

    Since it's not retroactive there is no problem now, but wondering what will happen when I generate new certs going forward.

    • A lot of people, including myself use LetsEncrypt on a CPanel based hosting account to generate certs for a website.

      Are those local, self-signed certificates or something that is registered somewhere?

      You could answer that question with five seconds on a search engine. Google Search for let's encrypt certificate transparency produces, as its first result, a document [letsencrypt.org] stating the following: "We submit all certificates to Certificate Transparency logs as we issue them."

    • by kiviQr ( 3443687 )
      LetsEncrypt submits all certificates as they issue them: https://letsencrypt.org/certif... [letsencrypt.org] More details in cert transparency: https://www.certificate-transp... [certificat...arency.org]
    • by Nkwe ( 604125 )

      A lot of people, including myself use LetsEncrypt on a CPanel based hosting account to generate certs for a website.

      Are those local, self-signed certificates or something that is registered somewhere? I'd never really paid attention since it just worked and was one less thing to deal with.

      Since it's not retroactive there is no problem now, but wondering what will happen when I generate new certs going forward.

      In this context certificates perform two functions. 1) They provide a key pair which can be used to encrypt the connection, and 2) They provide a way to have confidence that the person / company on the other end of the network is who they say they are. Any certificate (a free self signed or Let's Encrypt certificate, or an expensive certificate from a commercial CA) can be safely used for just encryption. However if you care about validating who is on the other end self-signed certs are worthless, Let's Enc

  • I run a small operation and usually try to find the $50 SSL certificate so I can keep going for another year. What does this mean for me?
    • I run a small operation and usually try to find the $50 SSL certificate so I can keep going for another year. What does this mean for me?

      It depends on your certificate provider. It may require no changes on your part, if your certificate provider logs them in a CT log. If it doesn't you probably want to switch providers. There's nothing you can do to make up for them not doing it/make them (well, you can complain and see if they're fixing the problem soon enough).

      Note, Let's Encrypt (which is free) does

  • This is not retroactive, meaning SSL certificates that were issued prior to May 1, 2018, will continue to work without warnings, even if they are not in a public CT log.

    From TFA: The new CT policy is not retroactive. This means that older certs issued before today that have not been recorded in a CT log will continue to work. But if a CA has issued a new SSL cert starting today and has not recorded it in a public CT log, Chrome will show an error.

    For those who use self signed certs for whatever reason (I d

    • by rufey ( 683902 )

      And further, Devon O'Brien, a Google Engineer working on this, posted this back in October 2017 (emphasis mine):

      Since January 2015, Chrome has required that Extended Validation (EV) certificates be CT-compliant in order to receive EV status. In April 2018, this requirement will be extended to all newly-issued publicly-trusted certificates - DV, OV, and EV - and certificates failing to comply with this policy will not be recognized as trusted when evaluated by Chrome. Certificates issued from locally-trusted

  • I don't use chrome but I do some testing with it every once in a while.

    All of these security bullshit droppings in chrome is going to cause error fatigue for problems that are either not problems at all or worthless to most users.

    All kinds of shit get errors that only appear in chrome. Certs that have a CN but not SAN are flagged only in Chrome for no sane reason.

    Well known sites like https://www.kernel.org/ [kernel.org] are flagged as insecure. Again only in chrome.

    All resources protected by internal/corporate CA's I

  • Nice to see that you can view the certificate details by clicking on the "Secure" icon in the address-bar again. It was insane when they hid that under Developer Tools so you had to jump through hoops to check why a site was showing up as Insecure.

Whoever dies with the most toys wins.

Working...