
posted by Fnord666 on Saturday July 11 2020, @08:43PM
from the if-don't-do-audits-you-don't-have-findings-like-this dept.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle:

Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being included in DigiCert's WebTrust audits – which goes against the rules for EV certs. To remedy this, DigiCert said it will revoke every single EV cert issued by the ICAs in question – think CertCentral, Symantec, Thawte, and GeoTrust.

"To resolve the issue, we must migrate issuance to new ICAs and revoke all certificates issued under the impacted ICAs," Digicert told its customers in an email.

"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT (July 11, 18:00 UTC)."

[...] And, by the way, EV certs, aka Extended Validation certificates, are supposed to be the gold standard in the cert-selling industry: these are the ones that show up with the cert owner's legal name in some browsers' address bar next to the padlock. This is so that when you're visiting your bank's website, and it says My Super Bank Corp, you're reassured this really is the real deal. EV certs have their critics.

[...] "Revoking over 50,000 certificates within five days is a draconian move that is only warranted when a severe security breach has been detected," wrote Bugzilla user Hank Nussbacher. "There needs to be some common sense in determining how long to allow before the certificate is revoked. Minor typos in province or mistakes with audit reports should be given 2-4 weeks to revoke certificates."

As others point out, however, it isn't Digicert's call to only wait five days for the revocation. Rather, that is what is required by Mozilla and CAB Forum rules.


  • (Score: 1, Funny) by Anonymous Coward on Saturday July 11 2020, @09:35PM

    by Anonymous Coward on Saturday July 11 2020, @09:35PM (#1019667)

    If you break the internet and I can't access porn after July 11, I'm going to sue you.

  • (Score: 4, Insightful) by fustakrakich on Saturday July 11 2020, @09:45PM (7 children)

    by fustakrakich (6150) on Saturday July 11 2020, @09:45PM (#1019675) Journal

    This "cert" business is no damn good. It just centralizes authority, the very last thing we should tolerate on the WAN.

    --
    Politics and criminals are the same thing.
    • (Score: 5, Insightful) by MostCynical on Saturday July 11 2020, @10:55PM (5 children)

      by MostCynical (2589) on Saturday July 11 2020, @10:55PM (#1019682) Journal

      The idea of a circle of trust [zvelo.com] is not a bad idea [ssl.com].

      The problem is that we have a top-down approach, where corporations and countries are making the rules.

      (see Little Brother [craphound.com] for discussion of a distributed/ground-up alternative)

      The difficulty with bottom-up solutions is the same problem as getting people to adopt things like PGP. Encryption is not something 'average people' can be bothered using or understanding. Only hard core techno geeks even make an effort to understand day-to-day encryption.

      Average people only care after they've been duped into using a fake website - and even then they won't start using good passwords, or different passwords on different sites. Internet certificates, CAs, ICAs and everything else are way above their heads - they just don't have the time, bandwidth or interest to find out about this stuff - and nothing anyone can do will make them care.

      tl;dr - Mozilla has power because no one cares (not enough people care enough) to do anything about any alternatives.

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 2) by legont on Sunday July 12 2020, @12:13AM (3 children)

        by legont (4179) on Sunday July 12 2020, @12:13AM (#1019694)

        Average people only care after they've been duped into using a fake website - and even then they won't start using good passwords, or different passwords on different sites.

        The Internet in general and the (stupid) idea of passwords in particular were never intended for the unwashed masses. When corporations built, say, banking on top of it they knew exactly what they were doing and the model was simple. Banks pay for any breach and the government gets the perpetrators.
        Blaming the issue on regular folks is dishonest at best.
        BTW, car self driving will be the same - get ready for prison terms.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
        • (Score: 2) by MostCynical on Sunday July 12 2020, @01:02AM (2 children)

          by MostCynical (2589) on Sunday July 12 2020, @01:02AM (#1019697) Journal

          This isn't (just) about banking. Visiting any website and being "certain" you're on the 'real' version is the basic effective communication issue: effective communication requires work by both the sender and the recipient.

          If the web user doesn't do their part, then it doesn't matter what the owner of the site does, there will be issues.

          As I suspect most (probably closer to all) people on the internet don't know how to verify a site's security certificates, and worse, use Google to find the site (by typing the URL into the search bar), this is the biggest interception target going.

          "Banks will refund" because 1. negative PR from not doing it is awful and 2. users are idiots.

          Leave the doors of your house unlocked and go away for a month, then complain the authorities didn't do enough to protect your stuff.

          tl;dr: users are responsible for security as much as the website owners. Knowing about security and demanding the site owners do better is not enough. Taking responsibility for your side is also needed.

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
          • (Score: 2) by Runaway1956 on Sunday July 12 2020, @02:15AM

            by Runaway1956 (2926) Subscriber Badge on Sunday July 12 2020, @02:15AM (#1019703) Journal

            Unfortunately, the song you are singing sounds like, "You've got to do your part" and everyone tunes you out. It takes effort to lock things down, as you pointed out. No one wants to make any effort - none. Just give them a shiny, and they'll play with it until it won't play anymore. Then, they'll blame you for giving them a broken shiny. We just can't win.

          • (Score: 2) by legont on Sunday July 12 2020, @04:15AM

            by legont (4179) on Sunday July 12 2020, @04:15AM (#1019723)

            Leave the doors of your house unlocked and go away for a month, then complain the authorities didn't do enough to protect your stuff.

            I never lock my house for a very simple reason. The way my house was designed 60 years ago, it will take me 5 minutes to penetrate it, locked or not. I am sure a professional can do it faster.
            I do not expect the authorities to protect my house. I do, however, expect them to find and punish the perpetrator. Otherwise I might do it myself, and if enough people follow my lead, law and order will be gone forever.
            I do not want to stay in a house that is not penetrable by a reasonable professional. It's called a bunker. I'd rather die.
            Paranoia about your security will kill you way faster than the bad guys.

            That was my short list of points. The main one though is that we - the professionals - have to design the net in such a way that a grandma can safely use it similar to walking in her backyard. Until then, we are guilty, not the users.

            --
            "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 0) by Anonymous Coward on Sunday July 12 2020, @05:16AM

        by Anonymous Coward on Sunday July 12 2020, @05:16AM (#1019736)

        Mozilla's power is that it can decline to add your CA certificate into their certificate store.

        Mozilla isn't forcing anyone to do anything. The CA is free to do whatever it wants, and Mozilla is free to decide that the CA's actions pose a risk to its users, and so not add the CA's cert to its trusted CAs list.

        The CAs need someone checking up on them. Last week, it was discovered that a ton of root CAs made a mistake that allows the non-affiliated intermediate CAs that they sign to sign CRL lists for the root CA. So, these intermediates can "unrevoke" a revoked certificate-- even their own. 293 Intermediate CA certs are affected:

        https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13493.html [mail-archive.com]

        I was expecting lots of fallout from this, but I guess the 1 week rule was relaxed for this situation.

    • (Score: 3, Informative) by FatPhil on Monday July 13 2020, @07:31AM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday July 13 2020, @07:31AM (#1020176) Homepage
      It's broken by design. The decision "do I trust you?" has been commuted into a string of "do I trust the entity that claims to trust you?", where the claim of trust is nothing more than "is prepared to take money from you?". How anyone ever imagined that was scalable I simply cannot fathom.

      When browsers started treating self-signed certificates as less secure than commercially acquired ones was when I realised all hope was lost. A self-signed certificate answers the question "do I trust you?" with "I trust you now if I previously trusted you", which hopefully should be tautologically true. Of course the bootstrapping is the hard part, but handing a few shekels over to Honest Akhmed should never be considered a solution to that problem either.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: -1, Troll) by Runaway1956 on Saturday July 11 2020, @10:22PM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Saturday July 11 2020, @10:22PM (#1019681) Journal

    St. Greta wants to know if they have enough carbon credits to offset all the carbon from the furnace.

    • (Score: 2) by c0lo on Saturday July 11 2020, @11:33PM

      by c0lo (156) Subscriber Badge on Saturday July 11 2020, @11:33PM (#1019687) Journal

      Relax, they are burning them in a hydrogen flame.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 1) by Frosty Piss on Sunday July 12 2020, @04:50AM

    by Frosty Piss (4971) on Sunday July 12 2020, @04:50AM (#1019730)

    CertCentral, Symantec, Thawte, and GeoTrust.

    Fortunately I use Let’s Encrypt.
