back to article It's a cert: Hundreds of big sites still unprepared for starring role in that Chrome 70's show

Hundreds of high-profile websites are still unprepared for the total disavowal of legacy Symantec-issued digital certificates that will kick in with the release of Chrome 70 next week. Boom across construction area with sign denying walkers access Symantec cert holdout sites told: Those Google Chrome warnings are not a good …

  1. Jay Lenovo
    Devil

    Chrome - Teetotallers of Web Standards

    Given that many (even large) web companies forget to renew expiring certs, good luck cramming this working certificate disavowal through the public gullet.

  2. Anonymous Coward
    Anonymous Coward

    "Surfers can just click past such warnings to reach a site but this is hardly behaviour to be encouraged. "

    The punters will not be deterred. They may be initially tentative a few times - but when nothing goes amiss then they will declare it another "project fear".

    Electricity was introduced into UK homes on a large scale in the 1920/30s. When people had a repeated problem of fuses blowing they used something more reliable instead - like a large nail.

    1. Anonymous Coward
      Anonymous Coward

      >Electricity was introduced into UK homes on a large scale in the 1920/30s. When people had a repeated problem of fuses blowing they used something more reliable instead - like a large nail.

      Consequently there more more house fires and electrocutions back then, fuses blow for a reason.

      1. defiler

        Consequently there more more house fires and electrocutions back then, fuses blow for a reason.

        Whoosh!

        Yes, and this leads to more data theft and more fraudulent activity online. But people will still use the figurative nail in their browser. It's the old "it didn't happen to me, so it must be fine" gambit.

      2. a_a

        We need a Rainier Wolfcastle icon!

  3. JohnFen

    They should update their certs

    That said, I don't use Chrome and don't really trust any of the root certs anyway (more accurately, root certs don't anchor a legitimate "chain of trust", so the fact that a cert is signed by a public CA, while not meaningless, is not terribly reassuring), so it doesn't matter much to me personally if they don't.

  4. cantankerous swineherd

    internet to chrome: come on if you think you're hard enough.

    good effort by google, not sure it'll get anywhere even amongst chrome users.

  5. dnicholas

    This is just training users that skipping warning barriers is ok, even expected.

    Do not try this at the level crossings

    1. Anonymous Coward
      Anonymous Coward

      "This is just training users that skipping warning barriers is ok, even expected."

      ... or is it training the internet to expect that they need to follow what google says when they purchase certificates. If it all goes well then maybe in the future Google will start to add warnings along the lines of "you are trying to access a website that hasn't signed up to the Google web protection service and as a result we cannot allow you to continue".

  6. Crypto Monad Silver badge

    ""My guess for why organisations haven't replaced these certificates at this late stage only comes back to them not knowing the change is coming"

    More likely it's that they don't even know what certificates they've deployed and where.

    If you're very lucky, somebody might have a calendar entry for when they expire.

  7. Phil Endecott

    “Several prominent UK organisations ...

    Hill and Dale Outdoors (hillanddaleoutdoors.co.uk),

    Micro Scooters (micro-scooters.co.uk),

    External Invoicing (externalinvoicing.co.uk),

    new and used car dealer Marshall (marshall.co.uk)

    HomeoVet Animal Care (homeovet.co.uk)”

    I think I can stop worrying.

    (The homeovet people are probably trying to make the warnings go away by diluting the certificate.)

    1. Andy The Hat Silver badge

      I have sat in the corner and considered every possible semantic tweak which would allow the word "prominent" and this company list to be in the same paragraph. I even swigged some watered-down super-potent-water to help my brain function but ... nope, nothing.

      I am in the process of setting up an alternative web site for the IT professional - homeotech.ca.ck. This allows you to chuck a virtual bucket of water over any remote pc, declare it working and avoid a site visit ... We'll split the fee 90/10 (obviously I've got to factor in the cost of the homeostatic electro-fromage in the virtual water)

    2. ibmalone

      (The homeovet people are probably trying to make the warnings go away by diluting the certificate.)

      You've misunderstood how homeopathy "works": they'll be diluting a MITM attack...

    3. Timmy B

      “Several prominent UK organisations ...

      Hill and Dale Outdoors (hillanddaleoutdoors.co.uk),"

      Thanks for that - I'm after some new Meindl boots and totally forgot about them. Not bad for prices.

  8. chivo243 Silver badge

    shot in the foot

    Maybe, just maybe, Google will actually lose market share due this decision. I can't get there with chrome, Firefox or <insert fav browser here> will get me there. I still have Netscape Navigator and Camino for pesky old web interfaces that balk at new browsers. May be time to add them back to the tool set?

    At the coffee machine a colleague said if you don't want the googlish part of chrome, try chromium...

  9. Halcin

    "My guess for why organisations haven't replaced these certificates at this late stage only comes back to them not knowing the change is coming"

    Don't Know or Don't Care?

  10. PJD

    De facto 'hack me' list

    This is basically a list of web sites where the server/site manager is not doing this full time and is definitely not tracking security patches etc. ie it's basically a de facto 'come hack me' list..

    1. Youngone

      Re: De facto 'hack me' list

      Thanks PJD. That's about what I was thinking.

      If they can't be bothered, they deserve what they get.

      1. Anonymous Coward
        Anonymous Coward

        Re: De facto 'hack me' list

        It's cute how people think many of these sites have actual, full time IT management on hand, who'll rush to fix this.

        They're probably being run by the office junior who is a nephew of the MD and 'knows a bit about these computer things'.

        Yes, even in slightly larger operations that you'd think would spend on IT staff...

        And yes, they deserve a wake up call.

  11. Andy Mac

    So we’re saying that 0.1% of site admins aren’t doing their job properly? If only that ratio were applied across all jobs.

  12. John70

    Some of those site names just scream "phishing".

    They may not be but with names like that I'd think twice before visiting them.

  13. Len
    Happy

    Great news, as a Firefox user

    As a Firefox user I am happy that Google is a couple of days ahead of Firefox doing exactly the same. If it were Firefox that had to take the hit first it would have been much tougher to convince site owners they have a problem.

    "Sorry but your website is no longer working due to a faulty cert."

    "- I just checked and it's working fine here."

  14. Pseu Donyme

    I'm not entirely convinced that forcing the use of https everywhere is such a good idea. Right now this means that I can't check out bus schedules on titsa.com without passing the gauntlet of adding a security exception to Firefox. While this seems like a miscofiguration on TITSA's part (or, indeed, maybe them using one of these dodgy certificates) protecting my browsing of bus schedules doesn't seem to merit the added complexity and overhead to me: this should be a user choice i.e. typing http/https as desired (and maybe a browser setting for the default, which could be https out of the box by all means), not something that is forced on me whether I want it or not, or indeed, whether it works or not.

    I suppose there is more of a point to https everywhere in the US where the ISPs can sell their customers out; this is probably why Google has been a proponent as they'd rather not have the competition.

  15. Anonymous Coward
    Anonymous Coward

    Did Symantec and DigiCert warned their customers?

    OK, it was in the news, but I guess they have an email address to send a warning to - of course, that address to may be not read by anyone, or even the one of someone no longer working at the company....

    1. a_a

      Re: Did Symantec and DigiCert warned their customers?

      If you had a managed SSL account they did, repeatedly, even after you'd re-issued all you certs. But for people buying retail there'll be exactly the issues you mention.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like