posted by Fnord666 on Saturday July 11 2020, @08:43PM
from the if-don't-do-audits-you-don't-have-findings-like-this dept.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle:

Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being included in DigiCert's WebTrust audits – which goes against the rules for EV certs. To remedy this, DigiCert said it will revoke every single EV cert issued by the ICAs in question – think CertCentral, Symantec, Thawte, and GeoTrust.

"To resolve the issue, we must migrate issuance to new ICAs and revoke all certificates issued under the impacted ICAs," Digicert told its customers in an email.

"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT (July 11, 18:00 UTC)."

[...] And, by the way, EV certs, aka Extended Validation certificates, are supposed to be the gold standard in the cert-selling industry: these are the ones that show up with the cert owner's legal name in some browsers' address bar next to the padlock. This is so that when you're visiting your bank's website, and it says My Super Bank Corp, you're reassured this really is the real deal. EV certs have their critics.

[...] "Revoking over 50,000 certificates within five days is a draconian move that is only warranted when a severe security breach has been detected," wrote Bugzilla user Hank Nussbacher. "There needs to be some common sense in determining how long to allow before the certificate is revoked. Minor typos in province or mistakes with audit reports should be given 2-4 weeks to revoke certificates."

As others point out, however, it isn't Digicert's call to only wait five days for the revocation. Rather, that is what is required by Mozilla and CAB Forum rules.


  • (Score: 5, Insightful) by MostCynical on Saturday July 11 2020, @10:55PM (5 children)

    by MostCynical (2589) on Saturday July 11 2020, @10:55PM (#1019682) Journal

    The idea of a circle of trust [zvelo.com] is not a bad idea [ssl.com]

    The problem is that we have a top-down approach, where corporations and countries are making the rules.

    (see Little Brother [craphound.com] for discussions of distributed/ground-up alternative)

    The difficulty with bottom-up solutions is the same problem with getting people to adopt things like PGP. Encryption is not something 'average people' can be bothered using or understanding. Only hard core techno geeks even make an effort to understand day-to-day encryption.

    Average people only care after they've been duped into using a fake website - and even then they won't start using good passwords, or different passwords on different sites. Internet Certificates, CAs, ICAs and everything else is way above their heads - they just don't have time, bandwidth or interest in finding out about this stuff - and nothing anyone can do will make them care.

    tl;dr - mozilla has power because no one cares (not enough people care enough) to do anything about any alternatives.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 2) by legont on Sunday July 12 2020, @12:13AM (3 children)

    by legont (4179) on Sunday July 12 2020, @12:13AM (#1019694)

    Average people only care after they've been duped into using a fake website - and even then they won't start using good passwords, or different passwords on different sites.

    Internet in general and a (stupid) idea of passwords in particular were never intended for the unwashed masses. When corporations built say banking on top of it they knew exactly what they were doing and the model was simple. Banks pay for any breach and government gets perpetrators.
    Blaming the issue on regular folks is dishonest at best.
    BTW, car self driving will be the same - get ready for prison terms.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2) by MostCynical on Sunday July 12 2020, @01:02AM (2 children)

      by MostCynical (2589) on Sunday July 12 2020, @01:02AM (#1019697) Journal

      this isn't (just) about banking. Visiting any website and being "certain" you're on the 'real' version is the basic effective communication issue: effective communication requires work by both the sender and the recipient.

      If the web user doesn't do their part, then it doesn't matter what the owner of the site does, there will be issues.

      As I suspect most (probably closer to all) people on the internet don't know how to verify a site's security certificates, and worse, use google to find the site (by typing the url into the search bar), this is the biggest interception target going.

      "Banks will refund" because 1. negative PR from not doing it is awful and 2. users are idiots.

      Leave the doors of your house unlocked and go away for a month, then complain the authorities didn't do enough to protect your stuff.

      tl;dr: users are responsible for security as much as the website owners. Knowing about security and demanding the site owners do better is not enough. Taking responsibility for your side is also needed.

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 2) by Runaway1956 on Sunday July 12 2020, @02:15AM

        by Runaway1956 (2926) Subscriber Badge on Sunday July 12 2020, @02:15AM (#1019703) Journal

        Unfortunately, the song you are singing sounds like, "You've got to do your part" and everyone tunes you out. It takes effort to lock things down, as you pointed out. No one wants to make any effort - none. Just give them a shiny, and they'll play with it until it won't play anymore. Then, they'll blame you for giving them a broken shiny. We just can't win.

      • (Score: 2) by legont on Sunday July 12 2020, @04:15AM

        by legont (4179) on Sunday July 12 2020, @04:15AM (#1019723)

        Leave the doors of your house unlocked and go away for a month, then complain the authorities didn't do enough to protect your stuff.

        I never lock my house for a very simple reason. The way my house was designed 60 years ago, it will take me 5 minutes to penetrate it, locked or not. I am sure a professional can do it faster.
        I do not expect authorities to protect my house. I do, however, expect them to find and punish the perpetrator. Otherwise I might do it myself, and if enough people follow my lead, law and order will be gone forever.
        I do not want to stay in a house that is not penetrable by a reasonable professional. It's called a bunker. I'd rather die.
        Paranoia about your security will kill you way faster than bad guys.

        That was my short list of points. The main one though is that we - the professionals - have to design the net in such a way that a grandma can safely use it similar to walking in her backyard. Until then, we are guilty, not the users.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 0) by Anonymous Coward on Sunday July 12 2020, @05:16AM

    by Anonymous Coward on Sunday July 12 2020, @05:16AM (#1019736)

    Mozilla's power is that it can decline to add your CA certificate into their certificate store.

    Mozilla isn't forcing anyone to do anything. The CA is free to do whatever it wants, and Mozilla is free to decide that the CA's actions pose a risk to its users, and so not add the CA's cert to its trusted CAs list.

    The CAs need someone checking up on them. Last week, it was discovered that a ton of root CAs made a mistake that allows the non-affiliated intermediate CAs that they sign to sign CRL lists for the root CA. So, these intermediates can "unrevoke" a revoked certificate-- even their own. 293 Intermediate CA certs are affected:

    https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13493.html [mail-archive.com]

    I was expecting lots of fallout from this, but I guess the 1 week rule was relaxed for this situation.
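The comment above describes intermediate CAs being able to sign revocation data on behalf of the root that issued them. The following Go program is an added example, not code from SoylentNews, DigiCert, Mozilla or the mail-archive thread, showing the relying-party rule that limits the damage from such a mistake: a CRL is only consulted for a certificate if it is signed by, and names, that certificate's own issuer. It uses only Go's standard crypto/x509 (Go 1.19 or later, for RevocationList.CheckSignatureFrom). The CA names, the host name www.example.test and the serial numbers are constructed for the demo; the "unrevoke" attempt is modelled as the intermediate publishing an empty CRL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is the outcome of checking one certificate against one CRL.
type RevocationStatus int

const (
	StatusGood         RevocationStatus = iota // serial not listed on the issuer's CRL
	StatusRevoked                              // serial listed on the issuer's own CRL
	StatusCRLUntrusted                         // CRL not signed by the certificate's issuer, or stale
)

type caPair struct { // constructed certificate plus its private key (demo material only)
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

func check(err error) { // aborts the demo on any error; not production error handling
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate signed by parent, or self-signed when parent is nil.
func newCert(name string, serial int64, usage x509.KeyUsage, parent *caPair) *caPair {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		IsCA:                  usage&x509.KeyUsageCertSign != 0, // CAs below also carry cRLSign
		BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &caPair{cert: cert, key: key}
}

// signCRL has ca sign a CRL carrying the given revoked entries, then parses it back.
func signCRL(ca *caPair, number int64, revoked []pkix.RevokedCertificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: revoked}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	return crl
}

// checkRevocation applies the relying-party rule: a CRL counts for a certificate only if it is
// signed by, and names, that certificate's own issuer; any other CA's CRL is rejected outright.
func checkRevocation(cert, issuer *x509.Certificate, crl *x509.RevocationList) RevocationStatus {
	if cert.CheckSignatureFrom(issuer) != nil || crl.CheckSignatureFrom(issuer) != nil {
		return StatusCRLUntrusted
	}
	if crl.Issuer.String() != cert.Issuer.String() || time.Now().After(crl.NextUpdate) {
		return StatusCRLUntrusted
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// runDemo: a constructed root issues an intermediate and a leaf and revokes the leaf on its own
// CRL; the intermediate then signs an empty CRL (the "unrevoke" attempt). Both results returned.
func runDemo() (fromRoot, fromIntermediate RevocationStatus) {
	root := newCert("Constructed Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil)
	intermediate := newCert("Constructed Intermediate CA", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root)
	leaf := newCert("www.example.test", 3, x509.KeyUsageDigitalSignature, root)
	rootCRL := signCRL(root, 1, []pkix.RevokedCertificate{{SerialNumber: leaf.cert.SerialNumber, RevocationTime: time.Now()}})
	return checkRevocation(leaf.cert, root.cert, rootCRL), checkRevocation(leaf.cert, root.cert, signCRL(intermediate, 1, nil))
}

func main() {
	fromRoot, fromIntermediate := runDemo()
	fmt.Println("leaf vs root's CRL:", fromRoot, "| leaf vs intermediate's CRL:", fromIntermediate) // 1 (revoked), 2 (crl-untrusted)
}
```

The intermediate's CRL fails at the first check: its signature does not verify under the root's public key, so its contents are never consulted and the leaf stays revoked. The same check is what a client must apply to any revocation data it fetches, rather than accepting a CRL merely because some CA in the trusted chain signed it.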