Submitted via IRC for TheMightyBuzzard
Google announced in March its intent to stop trusting all Symantec-issued digital certificates due to the certificate authority's failure to play by the rules. Symantec, its subsidiaries and its partners had been accused of making too many exceptions from Baseline Requirements (BR) in favor of their customers.
The developer of the Chrome web browser initially proposed the reduction of the validity period for newly issued Symantec certificates to nine months or less, gradual distrust and replacement of all existent certificates, and the removal of extended validation (EV) status for Symantec certificates.
[...] After some debate, Google made a second proposal that involves Symantec partnering with one or more existing CAs and using their infrastructure and validation process. Symantec would still handle business relations with customers and all CAs would be cross-signed by the company.
[...] Mozilla has advised Symantec to accept Google's second proposal and said it's open to discussing its implementation. However, if Symantec refuses, Mozilla may take alternative action to "reduce the risk from potential past and future mis-issuances by Symantec, and to ensure future compliance with the BRs and with other root program requirements."
Source: http://www.securityweek.com/mozilla-tells-symantec-accept-googles-ca-proposal
(Score: 5, Informative) by NCommander on Thursday May 04 2017, @05:42PM (9 children)
Signing from the root is a horrid idea for several reasons. That's why intermediate certificates were created. The total length of the chain is usually 3 (sometimes four) certificates from the root to the leaf. SN's certificate chain is three on soylentnews.org, and four on *.soylentnews.org due to Lets Encrypt having a cross-signature from IdenTrust. The problem with signing from the root is that it means the root certificates are hard to change and manage; the root store has to be updated via system updates, browser updates, and god knows what else, and due to the fact that old crap won't have new roots means that you've got even bigger issues.
What happened here is Symanptic just gave too many people access to sign certificates, didn't QA that crap, or do anything a CA should be doing. I'm honestly surprised they didn't get the CA death penalty, but a global detrust of the Symanptic roots would probably nuke a third of the Internet include shit like Apple and PayPal (which are signed by or chain to the Symantec root certificate).
Still always moving
(Score: 2) by Nerdfest on Thursday May 04 2017, @05:47PM (1 child)
include shit like Apple and PayPal
I thought you were trying to show why it was a *bad* idea.
(Score: 0) by Anonymous Coward on Thursday May 04 2017, @05:59PM
Normies need services too!
(Score: 3, Insightful) by bradley13 on Thursday May 04 2017, @06:07PM (3 children)
Still, they should have been distrusted (detrusted?). If it nukes a third of the Internet, then it does - any place that matters would replace their cert within a day. Heck, give customers a week's warning, and the effect would be negligible.
Google is being far too nice.
Everyone is somebody else's weirdo.
(Score: 2) by zocalo on Thursday May 04 2017, @06:32PM (2 children)
UNIX? They're not even circumcised! Savages!
(Score: 2) by edIII on Thursday May 04 2017, @07:28PM (1 child)
I can't imagine why Symantec wouldn't take the deal. Considering what has happened, they are being allowed to *continue* to service the customer accounts, take money, and basically operate.
This is forced outsourcing if anything, and a 3rd party company saying we're going to help with the Q&A and cross sign your certs. They failed at the core business of a CA, and now have others helping them.
I'm reminded of Deadpool here:
They're being allowed to live and make money. That's pretty damn gentle lover-like treatment to me :)
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by zocalo on Thursday May 04 2017, @09:30PM
UNIX? They're not even circumcised! Savages!
(Score: 2, Disagree) by mcgrew on Thursday May 04 2017, @07:05PM (1 child)
I ran across one in Firefox yesterday from Google News. Despite there being no reason at all to need a security certificate for a well-known newspaper. It was hard (and annoying) to get past the multiple warning screens. It isn't like I was buying something or downloading software, those are the places that need certificates.
My guess was that one of their advertisers had a bad cert.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by KiloByte on Thursday May 04 2017, @09:41PM
My guess was that one of their advertisers had a bad cert.
Yet another thing that Request Policy fixes. Or at least Adblock with a good list, but advertisers multiply like vermin they are, so a blacklist-based approach is never accurate enough.
Ceterum censeo systemd esse delendam.
(Score: 0) by Anonymous Coward on Friday May 05 2017, @03:08AM
Yes, if there were no intermediate certs, the CAs would be a lot more careful about what they sign. That would increase my level of trust.