back to article Beware the looming Google Chrome HTTPS certificate apocalypse!

Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months. Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the …

  1. Anonymous Coward
    Anonymous Coward

    Class Libel Suit anyone ?

    If such a thing exists ?

    1. Lee D Silver badge

      Re: Class Libel Suit anyone ?

      Given that the inclusion of a certain CA into a certain browser is almost entirely voluntary on the part of the browser itself, there's not much you can really do about it. They could decide not to include a CA "because they're a bit smelly" and there's little to no legal recourse. Stating an opinion on the security of a CA that issues mega-wildcard-certificates is something that anyone is quite able to do... and is ALWAYS going to be negative as they simply shouldn't be doing that if they want to be a respected and trusted CA.

      The industry is about trust, not legal agreements. You don't want to use a CA that just has "a special deal" with Chrome to be included in their browser by default, I assure you. Lose the trust and you lose business. Because I bet a ton of people now won't touch Symantec or subsidiaries for a long time to come for their certificates.

      If you don't like that, don't abuse the certificate processes. It's like a baker who's been snotting into the bread complaining that someone told on him and now nobody buys his bread.

    2. John Lilburne

      Re: Class Libel Suit anyone ?

      Nah! They've just broken the internet.

      There will be so many warnings that people aren't going to take any notice and either move away from chrome or click straight through and add an exception. The same is going to happen with sites that don't have or need a SSL cert. Probably about 95% of all sites.

      Why should people install or pay for something they don't need? If Google want all sites to have SSL then Google should pay for it.

      1. Lee D Silver badge

        Re: Class Libel Suit anyone ?

        I've yet to see anyone even know how to add a certificate exception to Chrome... pretty much you can't do it as a limited user, and people don't know how. We have (finally) reached the point where people can't just click "Accept All" and then carry on spewing their details.

        Hell... try replacing Google's certificate with anything else, most browsers will throw a fit because of certificate pinning, HSTS, etc. So, no, a broken cert is a broken website nowadays and people won't be putting their cards into it because it'll come up with dire warnings in any vaguely modern browser.

        And nobody needs pay anything. LetsEncrypt lets you have free certificates accepted by any browser. But I'd be wary of a business that DIDN'T want to pay the pittance that SSL certificates cost in order to secure their customer data.

        It's not Google that enforces this... it's any browser.

        1. Nick Ryan Silver badge

          Re: Class Libel Suit anyone ?

          But I'd be wary of a business that DIDN'T want to pay the pittance that SSL certificates cost in order to secure their customer data.

          But a certificate does not secure customer data. In web browser terms it generally does nothing more than encrypt the traffic between a user's web browser and the server itself. The server could, and often does, have an application written by abject morons who put in hard coded administrator accounts, don't perform even cursory data validation on user input and leve bypasses when they can't be bothered to type in passwords. So the data is no less or more secure than it was, the https website is no less or more trusted than an http website, just that the transport of data packets between the client and the server should be reasonably secure.

          However, there is some measure of reassurance that a website owner has put some thought into security if they do have a certificate, but in the end the presence of a certificate means nothing.

          1. Jason Bloomberg Silver badge

            Re: Class Libel Suit anyone ?

            there is some measure of reassurance that a website owner has put some thought into security if they do have a certificate

            Not necessarily. Many will only have a certificate because they were told they needed one; to look more legit, to stop browsers blocking their sites, to avoid users phoning up or complaining, or even because others have them.

            No thought about security there.

            1. The Sprocket

              Re: Class Libel Suit anyone ?

              "there is some measure of reassurance that a website owner has put some thought into security if they do have a certificate

              Not necessarily. Many will only have a certificate because they were told they needed one; to look more legit, to stop browsers blocking their sites, to avoid users phoning up or complaining, or even because others have them.

              No thought about security there."

              * * * * * *

              Precisely. That's why to many others I speak with, this Google initiative looks like a form of extortion. It hasn't been properly thought out and presented with clarity. It just looks like a cash-grab based on fear-mongering. And now another deadline (April) is looming.

              Well, that's what I hear from some small business owner clients of mine.

              1. Orv Silver badge

                Re: Class Libel Suit anyone ?

                That's why to many others I speak with, this Google initiative looks like a form of extortion.

                Uh, except as far as I know Google doesn't sell SSL certificates. They don't stand to make a cent from this.

          2. Rabbit of Caerbannog

            Re: Class Libel Suit anyone ?

            The technology ensures the encryption. They (Symantec and it's partners that it trusted to use it's CA) had one job, to ensure that people were who they said they were.That was the value of their CA and they through lack of control destroyed that value, and then acted like it was not their problem. The only reason you include a CA is because you trust the owner to do that one thing and Symantec failed in that one thing.

            There may be a class action by cert owners but my guess is it will be against Symantec. Symantec are about the only party that can sue Google and I wish them good luck with that.

            As any competent organisation should have a process for changing certs anything above the BAU expenses of the change are entirely self inflicted. If your crappy Symantec cert cost you billions in lost sales is that Semantics' fault down to your company's failure to change the cert.

        2. John Lilburne

          Re: Class Libel Suit anyone ?

          But I'd be wary of a business that DIDN'T want to pay the pittance that SSL certificates cost in order to secure their customer data.

          Most websites aren't businesses, and don't store customer data. Fuck Google.

          1. Lee D Silver badge

            Re: Class Libel Suit anyone ?

            "Most websites aren't businesses, and don't store customer data. Fuck Google."

            What's that got to do with Chrome revoking Symantec certs?

            If you had a cert, you were securing something.

            If you didn't, you weren't.

            Nobody is (yet) outlawing plain HTTP websites.

            But with LetsEncrypt and things like auto-support in Apache, it'll only be a few years before HTTPS is the only accepted communication - which is no bad thing even for a personal website that most people have no idea of the hosting details of anyway. It means your website content can't be subverted by ISPs fiddling with your content/ads mid-transmission, as some have been caught doing.

            With HTTP, literally any idiot along the route can slip some nasty Javascript or tracking code in that your visitors will be exposed to without your knowledge. With HTTPS, it takes something actually on their computer to do the same.

            1. J. Cook Silver badge
              Go

              Re: Class Libel Suit anyone ?

              Certificates are typically used to secure the connection to the site, not the data the site stores.

              That's a different drum of bees entirely.

              And Certificate Authorities are entirely about trust, and reputation- I'll trust Let's Encrypt and Digicert (oddly enough) before I'd trust other companies like Comodo and the (soon to be dead) Symantec with trusting them to act responsibly.

              I lost faith in Verisign back when the internet was still young, because they made the (terrible) decision to sell their domain registrant lists to marketing companies. (This was before such services as domain registration privacy were even conceived!)

              Being a commercial CA means, to me at least, that your company behaves in a certain manner to the best of it's ability and does not, for example, intentionally issue wildcard certificates for domains you don't have any control over or a traceable request from the domain's actual owner to anything connected anywhere *near* the public internet. That's what killed Symantec's CA trust- they issued a wildcard certificate for google without google's permission, which got out on the public internet and them claimed that it was for a 'test lab' when google (quite rightfully) called them out on it.

              1. Rabbit of Caerbannog

                Re: Class Libel Suit anyone ?

                "I lost faith in Verisign back when the internet was still young, because they made the (terrible) decision to sell their domain registrant lists to marketing companies. (This was before such services as domain registration privacy were even conceived!)"

                Ever think that may be WHY such services as domain registration privacy were even conceived.

                You don't always assume people will behave like feckless pillocks so when they do all you can do is plug the gaps

            2. coolcity

              Re: Class Libel Suit anyone ?

              No, if you have a cert it is quite possibly because you were forced to have one by Google, not that you necessarily needed to be "securing something".

              We don't collect ANY customer data, there's nothing to order and no forms for anybody to fill in but we're now forced to have a certificate.

              I'm not against the idea in principle but it's ironic that it's Google who ultimately decide whether your site is trustworthy or not - from probably THE most untrustworthy data harvesting organisation on the planet.

              "The industry is about trust" - but it isn't. Here Google are telling you that you should not, or can't (I forget the exact wording of the warning) trust a site because they haven't obtained a certificate, NOT because they can't actually be trusted. A site might be entirely trustworthy but now they suddenly not because Google say they're not.

              What does enforcing your rules on everybody have to do with trust?

        3. Michael Wojcik Silver badge

          Re: Class Libel Suit anyone ?

          LetsEncrypt lets you have free certificates accepted by any browser

          Free DV certificates. Some organizations need EV certificates, due to regulatory regimes (e.g. PCI-DSS); or if not required to, ought to use them because they deal in sensitive data.

          Like a number of security professionals, I am far from convinced that EV certificates are worth the extra cost - there isn't much evidence to believe that CAs are providing value for money. But the point is a free DV certificate from the likes of LE is not a universal solution.

          And for all the folks complaining about Google: While I'm no fan of the Gevil Gempire, someone needs to punish misbehaving CAs. There is a long and very sorry history of CA misfeasance (Ivan Ristic's Bulletproof TLS book has a good survey), and consequences are rare. Unfortunately in this case the impact on Symantec is slight because they simply offloaded a business unit that was at best marginally profitable, and not looking to improve.

      2. The Sprocket

        Re: Class Libel Suit anyone ?

        "Nah! They've just broken the internet.

        There will be so many warnings that people aren't going to take any notice and either move away from chrome or click straight through and add an exception. The same is going to happen with sites that don't have or need a SSL cert. Probably about 95% of all sites.

        Why should people install or pay for something they don't need? If Google want all sites to have SSL then Google should pay for it."

        * * * *

        My sentiments exactly. I'm tired of Google using their half-baked browser and market-force muscle to bully people around. I hope there is a 'citizen revolt' against these knobs.

  2. Chronos
    Coat

    Indeed.

    Symantec wasn't very happy, of course, and used a whole range of angry words in a blog post about it: words like irresponsible, exaggerated, and misleading.

    And that was just a plug for one of its own products...

    Mine's the one with the decrapifier USB stick in the pocket.

  3. Anonymous Coward
    FAIL

    Well done Google....

    ...now people will simply ignore any alerts and just carry on.

    Almost as dumb as saying they will demote non-https sites, but of course that only affects the smaller businesses who don't give them money, so who gives a toss eh?

    1. Chronos

      Re: Well done Google....

      How exactly does promoting TLS connections for web traffic benefit Google, especially now letsencrypt is a thing? They're not a CA.

      What we really need is a DNS extension which tells the browser which CA root it can expect hosts in its domain to use. A simple TXT record with the fingerprint of the root CA certificate would do, or even the OpenSSL style hash, e.g.:

      $ORIGIN @

      _tlsca IN TXT "4042bcee,6187b673"

      1. katrinab Silver badge

        Re: Well done Google....

        Such a thing does exist, it is called a CAA record., and it was introduced last year. Righ now, most DNS services don't support it, but presumably it will get more popular.

        1. Anonymous Coward
          Anonymous Coward

          Re: Well done Google....

          Thanks chronos and katrinab - learnt something new today

        2. Chronos

          Re: Well done Google....

          @katrinab many thanks for that heads-up. Seems I have my good ideas just after everyone else :)

          Edit gawd, I'm getting old. I must have come across the docs in the wee small hours one day because it seems I already have CAA records set up on my main domain. The master DNS is right in front of me, so nobody else did it. Is that a sign of imminent Alzheimer's or is it just one more example of JIT learning not sticking?

        3. Michael Wojcik Silver badge

          Re: Well done Google....

          Such a thing does exist, it is called a CAA record., and it was introduced last year.

          Actually in 2013 (RFC 6844). The CA/Browser Forum made it mandatory (for any CA that follows the diktats of the CABF, which is at least the major ones) last year.

          And deployment is growing, if slowly. There have been hiccups;[1] most notably, Comodo was found to be not checking CAA records, which is a bit embarrassing since they invented the damn things.

          But CAA does prune some branches of the attack tree for the public X.509 PKI, and at very low cost, so that's good. Along with Certificate Transparency it may actually make the PKI slightly less dismally broken.

          [1] Hiccoughs, for non-Websterized readers.

      2. Anonymous Coward
        Anonymous Coward

        Re: Well done Google....

        How does it benefit?

        Most mom and pop shops will not have the money or expertise to install and maintain certs (and many hosts charge extra for hosting that "allows" this).

        These are also the ones that are less likely to pay Google any money for services. This is going to affect smaller site and yet again, game the system towards the bigger players, those with money.

        1. Steve Graham

          Re: Well done Google....

          "Most mom and pop shops will not have the money or expertise to install and maintain certs"

          With the hosting company I use, it literally amounted to clicking a tick box.

          1. vagabondo

            Re: Well done Google....

            If a web-site is only publishing information and not collecting secrets from the viewer, then the whole HTTPS, certificates and encrypted traffic is superfluous and an unnecessary overhead. Not everyone is involved in data slurping or transmitting private information across a public network.

            1. Anonymous Coward
              Anonymous Coward

              Re: HTTPS an unnecessary overhead

              I agree until Google stops listing in search results to anything that uses just 'http://'.

              Google rules the world only most people don't know it.

            2. Agamemnon

              Re: Well done Google....

              Ah, no. I have a "boutique" hosting company:

              * Lots of CMS.

              * Customers are all remote and travel (some are quite famous, most aren't).

              * They log in from cafes and airports and hotels to add and manage content, scheduling, check their mail and calendars.

              * Some do that "advertising" stuff.

              * I am currently sitting in a cafe in Redmond (you all know what's in Redmond...wankers) running a packet sniffer for my own personal entertainment.

              Add that up and where do you find yourself?

              * In need of *Basic Credential Security*.

              * Mitigation of MITM to some degree (waves, while sipping on a mocha).

              * Privacy of some personal or business information.

              HTTPS is a Requirement for All of my customers, period, no questions, no crying/whining/bitching/pissing/moaning because The Reality is that:

              Mobility Requires Security.

              If you log in to your CMS without HTTPS from this coffee shop right now, I Own It (and I'll link to dodgy sites just to teach you a lesson).

              Let's Encrypt allows me do this without sticker shock with the option to get Right Serious if my customer (I decide) Requires it for their use case, and we get a Heavy CA That is Trustworthy.

              I Almost partnered with Symantec and I assure you fellow Vultures, they were much more interested in sales of services and upselling their idiot "Green URL Bar" than they were about Security. They Brooke the trust, they lose the *privilege* of playing.

              Also on that list should be: Comodo, every major bank in the world, Uber (read ElReg headlines), Equifax, some hospital networks, intelligence communities, law enforcement. But, folk continue to show they have no grasp of the situation of "Trust". It seems all one needs is a boilerplate "We're sorry, we won't do it again." How many iterations of this before Regular Folk™ say, "Right, you're done?". In my experience, infinite.

              Just read the headlines.

            3. elkster88

              Re: Well done Google....

              "If a web-site is only publishing information..."

              So there's no harm done if wrong and potentially harmful information gets re-transmitted by a MITM attack, instead of what was intended?

              OK, then.

              1. Michael Wojcik Silver badge

                Re: Well done Google....

                "If a web-site is only publishing information..."

                So there's no harm done if wrong and potentially harmful information gets re-transmitted by a MITM attack, instead of what was intended?

                Or malicious Javascript is inserted in the response by a MITM, when the user is on some open WiFi coffeeshop network.

                I have in the past been critical of HTTPS Everywhere, but MITM script injection in an open, untrusted wireless LAN is simply too easy. HTTPS Everywhere is an unwanted overhead when I'm on my own secure network, and of course I'm running NoScript, so even when I'm out and about an attacker would have to poison and spoof some domain that's on my whitelist. But most users are not even that well protected. And while the potential damage from a hostile script is relatively low (browser process running with reduced privileges, security patches applied, etc), I don't want to waste cycles mining Monero for some random gang of assholes.

                So, unfortunately, I suspect I'll have to become a reluctant advocate for HTTPS Everywhere. The HTTP environment is simply too hostile.

              2. John Lilburne

                Re: Well done Google....

                So there's no harm done if wrong and potentially harmful information gets re-transmitted by a MITM attack,

                It doesn't need a MITM attack for that, wikipedia already serves that function on the web.

                https://www.google.co.uk/search?q=wikipedia+erroneous+facts

          2. Santa from Exeter

            Re: Well done Google....

            And of course *everyone* uses the same hosting company as you.

            1. coolcity

              Re: Well done Google....

              Everybody has the option to look for a host that doesn't charge extra for a cert. We were lucky enough to already be with one.

              I would expect this to be something that they all offer as part of the hosting package in the near future though as it becomes all but compulsory to have your site address begin with https.

          3. John Lilburne

            Re: Well done Google....

            With the hosting company I use, it literally amounted to clicking a tick box.

            Well good for you. But most people will have to pay, move their hosting site, or jump through hoops to get letsencypt to work.

            For why? The majority of sites are informational blogs and such. Due to spammers (mostly from gmail), they don't have people signing up and posting comments, and they don't sell shite. So why the fuck do they need to pay for and install crap?

            How are people in developing countries going to afford this shit?

            1. Anonymous Coward
              Anonymous Coward

              @John Lilburne Re: Well done Google....

              It's not about selling things - secure comms has moved on a lot since then and you do not have to pay for a cert - they are free as others have pointed out.

              A secure channel stops anyone injecting code into your website that is served to your readers. Therefore you informational blog doesn't have a MITM putting adverts or malware in it. It also stops the pages on the websites being tracked so that it creates less of a profile for you and your political affiliations. If you go to a news website and mainly read stories that are pro-opposition then your government might be concerned that you are an antagonist. You ISP can put their own adverts into each site you visit or a wifi hotspot could be set up that can intercept and change your traffic or load malware.

              Someone who can't work out how to install a free secure certificate probably isn't keeping their server security up to date either or running open relay servers etc. It is called nudge theory, nudging people in a direction for th egood of everyone.

              1. coolcity

                Re: @John Lilburne Well done Google....

                The point you people understand is that some middle aged lady who writes a baking blog or some kid blogging about cats won't have a clue what you just wrote means.

                If this is what the industry (read Google) wants I can understand that but it's the way they are going about it that many of us object to. Why not insist that the hosts, those selling web space, include it a part of their product instead of forcing it on people who don't even have a clue what Google are asking them to do.

                It's the fact that Google have this much control over the web that I find disturbing, I mean its not as if they're the most trustworthy organisation out there.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: @coolcity Well done Google....

                  "The point you people understand is that some middle aged lady who writes a baking blog or some kid blogging about cats won't have a clue what you just wrote means."

                  Oh jesus, WHat are you talking about. Which middle aged lady has contacted a web host, ordered a virtual server (or dedicated/co-located), ordered a domain name and pointed it at their virtual server and is happily uploading regular baking blog posts, paying their yearly fee from their credit card? Even if they are and they can't get their provider to add a cert for them, are they really concerned that their website might show a warning saying "this site does not use security"? FFS

                  If they just use a free blogging platform then the free blogging platform will arrange certs if they feel it is needed.

                  1. John Lilburne

                    Re: @coolcity Well done Google....

                    Which middle aged lady has contacted a web host ...

                    There are a large number of people in that boat. It may be because something like blogger, or wordpress doesn't quite do what they want.

                    It could be a local plumber, tradesman, or photographer wanting to showcase their services. A simple page or two that is just giving some basic information and a contact page. Or it might be something more sophisticated.

                    Whatever the reason, they don't need a SSL cert and it is arrogant fuckwittedness, for Google and a bunch of Geek hangers on dictating to them that they need to rewrite their system for some bullshit fetish reason. What hosting platform they must use, etc

                    1. Rob D.
                      Stop

                      Re: @coolcity Well done Google....

                      > Whatever the reason, they don't need a SSL cert and it is arrogant fuckwittedness, for Google and a bunch of Geek hangers on dictating to them that they need to rewrite their system for some bullshit fetish reason.

                      Similarly there is a lack of good wits from folk asserting in thoroughly histrionic language that Google, through this action, is forcing people who currently do not use SSL certificates to start using SSL certificates.

                      Google and Mozilla withdraw trust for a range of certificates in their browsers because they state, with some cause, the certificates are compromised. Anyone who is not currently using a certificate to provide HTTPS access to their web site can continue to not use a certificate for their web site without losing or gaining anything. Anyone who does and has one of the compromised range needs another one. This isn't rocket science and it isn't a good platform for the 'Everything Google Does Is The Work of Satan' speech.

                2. Test Man

                  Re: @John Lilburne Well done Google....

                  >>The point you people understand is that some middle aged lady who writes a baking blog or some kid blogging about cats won't have a clue what you just wrote means.

                  That middle-aged lady you speak of is almost certainly not someone who has single-handidly set up their own site on a hosting service and so therefore doesn't need to worry beyond asking their third-party blogging platform company (Wordpress.com? Blogger?) whether they are checking their certs.

                  1. Anonymousse

                    Re: @John Lilburne Well done Google....

                    Lotta sexism here, you know there are middle-aged ladies who are programmers, ex-programmers or just have a brain in general, and would have no trouble setting up+coding a personal website on a host? Why is this the example? "luddite" would be more appropriate.

                    Setting up a website really isn't rocket-science, and even beginner users can go further than Wordpress/Blogger.

              2. John Lilburne

                Re: @John Lilburne Well done Google....

                A secure channel stops anyone injecting code into your website that is served to your readers.

                I think the rest of us will take cognisance of that when Google stops distributing malware, viruses, trojans, and other nasties from its app store.

                http://www.theregister.co.uk/2016/02/29/worlds_worst_android_play_store_attack_sends_millions_to_p0rn_sites/

                https://www.cnet.com/news/google-removes-android-malware-downloaded-up-to-5-9m-times/

                http://www.zdnet.com/article/phony-android-security-apps-in-google-play-store-found-distributing-malware-and-tracking-users/

                and stops people using gmail as spam signup portals. When I banned signups from gmail on the company user forum, the spam postings dropped by 80%.

                1. mootpoint
                  Joke

                  Re: @John Lilburne Well done Google....

                  When I banned signups from gmail on the company user forum, the spam postings dropped by 80%.

                  Did the total postings also drop by 80%?

            2. eldakka

              Re: Well done Google....

              > So why the fuck do they need to pay for and install crap?

              Who is enforcing anyone to pay and install crap?

              Google isn't requiring everyone to install HTTPS certificates.

              This article is about them revoking the certificates - a relatively small number - of the relatively small number of websites that actually use certificates.

              1. John Lilburne

                Re: Well done Google....

                Who is enforcing anyone to pay and install crap?

                Google isn't requiring everyone to install HTTPS certificates.

                Perhaps not with this latest crap, but they are whining about rad markimg all non https sites, or at least that's the message I'm getting from my web host. Now I know that they are just trying to sell me shite, andI can probably use let's encrypt, but that is just something else taht needs installing, and maintaining.

        2. eldakka

          Re: Well done Google....

          > Most mom and pop shops will not have the money or expertise to install and maintain certs

          What's that got to do with this?

          If you use a HTTPS cert, and if that has a Symantec authority in it's certificate chain, this will impact you.

          Only approximately 20% of HTTP sites in the entire world use HTTPS. Therefore this revocation will not affect 80% of the sites in the world - of which your "mom and pop" example most likely resides in.

          And of those 20% that are HTTPS, this will only effect a very small sub-set of those, as the cert-issuing market is quite large with much competition, and Symantec wasn't one of the bigger players in that market.

      3. CarpeNoctem

        Re: Well done Google....

        Google never does anything that doesn't directly benefit Google.

        The entire anti-democratic AMP debacle is testimony to that.

        1. Maty

          Re: Well done Google....

          'Google never does anything that doesn't directly benefit Google.'

          well, yes. I assumed from the start that's what this whole 'https:' thing was about. A year or two back some phone companies announced that they were going to be stripping out ads - including Google's adwords programme - and inserting their own.

          e.g. https://www.cnet.com/news/newspapers-to-brave-browser-dont-mess-with-our-ads-or-else/

          Google is basically an advertising company that also does search and some other stuff. Threaten their revenue stream and big G will - literally - change the web to stop you.

      4. Rabbit of Caerbannog

        Re: Well done Google....

        Big organisations that break SSL/TLS by deploying interceptors on their networks and push a crappy CA to their hapless users will just need to tamper with internal DNS relays.

    2. Anonymous Coward
      Anonymous Coward

      Well done Google, NOT

      Now Google stops trusting Symantec, GeoTrust, RapidSSL and Thawte certificats!? WTF

      And also show now a new big "NOT SECURE" for all HTTP websites. WTF^2

      source: https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

      Screw the browser cartel (Goo, Moz, M$) for destroying the web.

      Mind you Amazon.com was HTTP-only (except for its login page) 1995-2017 and it was no problem at all. HTTP is completely fine for most websites. And if you are doing e-commerce, or banking, such sites have HTTPS support anyway. This is a war or HTTP for no good reason. The reason is with HTTPS you traffic is unique and you can be traced very easily. And of course Email is still sent in plain text, and there is no lobbing for S/MIME and GPG at all - because the browser cartel (who also is the email cartel) doesn't care about data privacy at all, it's all about spying the end user and tracking them. And HTTPS is a good vehicle to create a closed garden, and an ad-monopoly on top of it. Screw you. I want HTTP where ever I want. And don't forget about LAN and IoT where HTTP is irreplaceable, realistically. Getting users to install self-signed SSL certs on their LAN devices looks shady and simply doesn't work. People prefer HTTP. So stop this HTTPS-only bullshit Google!

  4. Alister

    It might have been helpful if Mr Tetelman had included the expiry date for those certificates identified as being at risk, as you may find that the normal refresh / replacement is due before the April deadline anyway.

    Certainly most of our certificates provided by Thawte or Verisign (who were Symantec owned) will have expired and been replaced by then.

    1. Boris1558

      I just go the error on a partner site with Chrome v66 and the cert being rejected Expires: Wednesday, February 6, 2019

  5. Bronek Kozicki

    Well done, Google

    I recently installed a new server and migrated friends website from Ubuntu 14.04. While doing so, I also installed letsencrypt certificate and it was very easy, thanks to "apt-get install letsencrypt". A bit of learning of nginx configuration was required, but learning is what I do. Setting up a timer to refresh the certificate bimonthly was trivial, too. One point of note: the certificate will store all alternative host names from -d parameter(s) passed to letsencrypt, but the first -d parameter is also set as CN= record of the certificate. So make sure you pass the right name first.

    Why boasting? Just to show there is absolutely no reason to stick with dinosaur CA like Symantec. If the only thing you want to show in the certificate is the host name (rather than organization name), then you do not need expensive verification and letsencrypt is your friend. If you need verification, there is plenty of competition to choose from.

    1. Anonymous Coward Silver badge
      Go

      Re: Well done, Google

      I put off using letsencrypt for ages, because I didn't want yet another untrusted program running on my servers.

      Eventually I set up proxying on the /.well-known/acme-challenge/ path and have one server running letsencrypt which then sends the generated certificates to the correct places (and reloads the appropriate services).

      OK, it's a bit complicated and I'm 112% paranoid, but it works flawlessly.

      1. Tomato42
        Stop

        Re: Well done, Google

        dude, not only is the ACME protocol open, so is the software that implements it!

        oh, you don't have time to review it? Then how on earth do you have time to review code changes in Kernel, glibc, openssl and apache/nginx?!

        1. Anonymous Coward Silver badge

          Re: Well done, Google

          I appreciate that the source is available, but I have slightly esoteric apache configs (as an example) that I don't want some automated process fiddling with. No matter how much testing and review, my config files remain sacred.

          That was just one of a myriad of potential issues that I seamlessly avoid.

  6. Anonymous Coward
    Anonymous Coward

    *checks list*

    icloud.com

    lol

    1. Anonymous Coward
      Anonymous Coward

      icloud.com

      What's there to lol about? Several companies have used Symantec certs because there was no indication that Symantec was handling them poorly (until they fucked it all up) or that Google would drop them.

      I have a few servers for which I picked up Geotrust (RapidSSL) certs because they were dirt cheap, € 45 for 3 years. I'm getting free replacement certs for the remaining term left on the original certificates, though of course getting the new certs requires a bit of work.

      I checked the list and a few domains had already replaced the certs and some had actually an earlier expiration date, but on the other hand that list only had domain (wildcard?) certs and certs for www servers and there will be plenty of subdomains and single servers with certs that are going to cause problems. Not to mention vpn/mail and other servers or appliances with certificates...!

    2. registered-on-register

      aaand it's fixed.

  7. Nick Kew

    Single point of failure

    So long as a CA is a single point of failure, trusting *any* of them might be considered a false sense of security.

    When a browser vendor takes it upon itself to trust some authorities over others, I wonder if that might lay it wide open to being held responsible for its users' losses when someone pulls a successful heist with a CA that it does trust? The argument being, by excluding Symantec, you're setting yourself up as an authority on the subject.

    1. Anonymous Coward
      Anonymous Coward

      Re: Single point of failure

      As discussed above, the browser vendors can decide who they trust, with a relatively high degree of independence.

      This is about trust, not commercial gain (although perhaps loss in Symantec's case).

      I don't think that makes them liable as an authority.

      There are few widely deployed browsers, Google happen to be first to have a go at this action though.

      1. The Sprocket

        Re: Single point of failure

        "This is about trust, not commercial gain (although perhaps loss in Symantec's case)."

        Behind the trust IS the commercial gain. There is ALWAYS a commercial gain somewhere in the chain.

  8. oiseau
    Big Brother

    Scary ...

    "That's a scary amount of power to have."

    Yes, it is.

    Very.

    1. RyokuMas
      Devil

      Re: Scary ...

      I wonder how long it will be before we see an Alphabet-backed SSL cert provider...

    2. Daggerchild Silver badge

      Re: Scary ...

      Indeed. And shouldn't abuse of such power receive punishment proportional to the power wielded?

      So, Symantec were spotted giving people, in return for cash, the power to crack anyone's encrypted web traffic, exactly negating the point of using them. What punishment would you suggest?

  9. PowerBenny
    Facepalm

    PITA

    Symantec brought this on themselves. They put profit growth, expansion and partnerships above maintaining their core business. Now they lost it all. You reap what you sow. Nothing new here.

    It's just a massive pain in the ass that thousands of sysadmins across the world now have to do extra work to make up for their dodgy business practices. Like we don't have enough to do.

    And yes, Google has a scary amount of power. Just remember that and fear and respect them appropriately.

    1. John Lilburne

      Re: PITA

      Why should sysadmins do any work? Let the chrome browser disengage itself from the intertubes.

    2. coolcity

      Re: PITA

      Fear? Definitely. Respect? Never.

  10. Kay Burley ate my hamster

    The article fails to point out...

    Symantec sold their cert business a while ago, you can get free reissued certs from the new root CA.

  11. Jonathan 27

    I don't know why anyone would buy any security products from Symantec anymore. It's like buying a bowl and getting a sieve.

  12. Jase 1
    FAIL

    Great except Digicert is FUBAR

    We have a few Symantec issued certs and have been in communication with our provider and they are basically saying that the Digicert system is up the creek so they are not able to reissue at the moment.

    "At this point in time no re-issues are being completed for this issue.

    This is due to the fact that the new Digicert system is not 100% up and running correctly to support this.

    You will be contacted over the coming weeks at a time when your order or orders are eligible for re-issue.

    You will then be informed in that email on how to complete the process.

    In the mean time please do not attempt to re-issue your order at all.

    The Digicert system is making orders fail, if this happens to your order, you will need to purchase a new one. So it is best to wait until you are contacted to re-issue."

  13. hellwig

    Maybe I'm just Dumb

    But can't we just add an exception for Symantic certs into our OS's "keystore" and bypass Google's whiny-ness?

    After-all, why would we trust our web browser to be the final arbiter of what is and isn't acceptable on the internet, when so many other applications can just directly connect in the first place?

    Long ago I pointed out that Google starting their own CA would be the end of privacy on the internet. If you use Chrome, there is nothing stopping Google from becoming a MITM attacker. You stupidly use their browser which by default is set to trust their own CA.

    Google has gone from "Don't be Evil" to "Trust Us!".

    1. Anonymous Coward
      Anonymous Coward

      Re: Maybe I'm just Dumb

      So just to be clear, you want to bypass the built in security of a specific browser, from a company that you obviously don't even like, (so why are you even using their browser in the first place?), in order to override a decision made by security experts, who are most likely quite well paid for their expertise, (plus many people outside of Google have also confirmed the same thing about these certs) in order to allow you to access web sites who are knowingly (there has been lots of press on this for months) using bad certs that are not proper providing security, just so you don't have to click through a warning telling you the certs for the site are bad!

      Are you also one of these people who thinks you don't need AV installing in Windows because you don't install pirate software or go to torrent or pron web sites, so you must be safe?

      To comment on your title, there is no Maybe about it, it's a resounding Yes, you are dumb!

      1. hellwig

        Re: Maybe I'm just Dumb

        My point was that Google Chrome is NOT the only arbiter of what is and isn't acceptable. And that relying solely on Google to police the internet is the last thing ANYONE should be advocating for (of course, posting as an AC, I can ONLY assume you are a Google shill).

        If the entire industry came out and said "No Symantec Certs", that might mean something. But this article only calls out Google and Mozilla. Where's Apple? Where's Microsoft? Web Browsers (and Android I assume is also distrusting the certs) are not the only way to access the internet.

        If only a portion moves to distrust the certs, nothing is solved.

        So WHICH highly paid experts should we listen to, the ones with apparent bias (Google's domain was hit) or the ones that haven't flat-out distrusted the certs yet?

        What AV are you running on your Chromebook? Shill!

  14. CarpeNoctem

    If I understand this correctly, and according to Google's timeline and despite Symantec selling their PKI business to DigiCert, organisations are still selling 'untrusted' certificates from Symantec's old infrastructure?

    And any newly sold 'untrusted' certificates, sold after December 1st 2017, will be 'untrusted' by Chrome from version 70 onwards? (released September this year)

    If all of this is true, how is a consumer supposed to know whether a certificate is from the old infrastructure or the new Managed Partner Infrastructure?

  15. Anonymous Coward
    Happy

    Symantec wasn't very happy, of course...

    Unlike me: I'm having a right good laugh at Symantec's expense.

  16. Kevin McMurtrie Silver badge

    Two way street

    This is a good move but it needs to happen in both directions. I'd like to see businesses block Chrome because it sends sensitive URLs, page thumbnails, and hardware usage metrics to Google. Maybe they can block Android WiFi for leaking passwords. I'd like to see GMail and Google Groups blocked more because Google makes them easy to use by scammers. Google might be helping consumers every now and then but they're still quite evil and they'll never stop abusing their market dominance without pushback.

    1. The Sprocket

      Re: Two way street

      "This is a good move but it needs to happen in both directions. I'd like to see businesses block Chrome because it sends sensitive URLs, page thumbnails, and hardware usage metrics to Google. Maybe they can block Android WiFi for leaking passwords. I'd like to see GMail and Google Groups blocked more because Google makes them easy to use by scammers. Google might be helping consumers every now and then but they're still quite evil and they'll never stop abusing their market dominance without pushback."

      * * * * * * * *

      You'll probably get a lot of thumbsdown here, but I couldn't agree more. Google has a lot of abusive bullying to atone for.

      1. coolcity

        Re: Two way street

        I agree too. Regardless of the merits of the decision I'm amazed at just how many supposedly expert contributors on here appear to actually think it's fine for an organisation as corrupt as Google are to wield this much power.

    2. peter_dtm

      Re: Two way street

      It is a mystery to me why Security people allow the normal corporate user to use google.com (.co.uk /.za etc). Meta data from what is being searched MUST give Google a massive clue as to what any specific (large) business is focusing on.

      I am amazed that the otherwise sensibly paranoid security wonks let any un-anomanised search engine be used. I would have expected them to insist on using the likes of DuckDuckGo and to have blocked google and forbidden Chrome as being totally unacceptable risks to IP

      It really is a glaring hole

  17. mark l 2 Silver badge

    I wouldn't trust any Symantec software not just their certs. I have never known such a terrible company, they consistently manage to take a good product and make it into a steaming pile of crap.

  18. Maelstorm Bronze badge
    FAIL

    What did they think was going to happen?

    Issue a *.google.com certificate without Google's permission and the blast it all over the inet?

    What did they think was going to happen?

    Maybe I should drop Chrome and move to Firefox. At least I can audit the source code.

    1. The Sprocket

      Re: What did they think was going to happen?

      "Maybe I should drop Chrome and move to Firefox. At least I can audit the source code."

      Hmmm . . . somewhere here I think I read that Firefox is considering/implementing this shaming behavior too.

  19. gbshore

    Time to start to move back to IE... BUT, there was a reason why I moved from the to begin with.... Firefox???

  20. Hans 1

    IT'S YOUR HTTPS CERTIFICATE! YOU NEED TO CHANGE IT. RIGHT NOW.

    I worked for Sym at some time, sort of ... and can admit, they are bunch of numpties. Top-level product managers are numpties, across the board.

  21. Updraft102

    PS: Mozilla's Firefox will also distrust Symantec-issued certs from version 60 onwards, due out in May this year.

    Of course. If Google does it in Chrome, Mozilla will do it with Firefox very quickly. Chrome could begin requiring that all web pages have a "Chrome is the best browser in the world" statement and a link to download Chrome, and Firefox would dutifully start requiring the Chrome promo be on all pages in its next release too.

  22. Boris1558

    As chrome 66 beta seems to have been released weeks ahead of schedule (early February instead of early March), I wonder if the production version of Chrome 66 will hit early too?

    Loren

    1. foughurpite

      Yes, Chrome 66 was released a month ahead of the date specified in this article

      There is nearly zero discussion about problems

      Maybe nobody uses Chrome, or most sites updated their certificates, or few Chrome users have updated

  23. alpine

    It's April 16th and all of a sudden Google Earth Pro is reporting an invalid security certificate to my Win 10 machine. This is totally ridiculous.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like