Chrome - Teetotallers of Web Standards
Given that many (even large) web companies forget to renew expiring certs, good luck cramming this working certificate disavowal through the public gullet.
Hundreds of high-profile websites are still unprepared for the total disavowal of legacy Symantec-issued digital certificates that will kick in with the release of Chrome 70 next week.
"Surfers can just click past such warnings to reach a site but this is hardly behaviour to be encouraged."
The punters will not be deterred. They may be initially tentative a few times - but when nothing goes amiss then they will declare it another "project fear".
Electricity was introduced into UK homes on a large scale in the 1920/30s. When people had a repeated problem of fuses blowing they used something more reliable instead - like a large nail.
Consequently there were more house fires and electrocutions back then; fuses blow for a reason.
Whoosh!
Yes, and this leads to more data theft and more fraudulent activity online. But people will still use the figurative nail in their browser. It's the old "it didn't happen to me, so it must be fine" gambit.
That said, I don't use Chrome and don't really trust any of the root certs anyway (more accurately, root certs don't anchor a legitimate "chain of trust", so the fact that a cert is signed by a public CA, while not meaningless, is not terribly reassuring), so it doesn't matter much to me personally if they don't.
"This is just training users that skipping warning barriers is ok, even expected."
... or is it training the internet to expect that they need to follow what google says when they purchase certificates. If it all goes well then maybe in the future Google will start to add warnings along the lines of "you are trying to access a website that hasn't signed up to the Google web protection service and as a result we cannot allow you to continue".
"My guess for why organisations haven't replaced these certificates at this late stage only comes back to them not knowing the change is coming"
More likely it's that they don't even know what certificates they've deployed and where.
If you're very lucky, somebody might have a calendar entry for when they expire.
“Several prominent UK organisations ...
Hill and Dale Outdoors (hillanddaleoutdoors.co.uk),
Micro Scooters (micro-scooters.co.uk),
External Invoicing (externalinvoicing.co.uk),
new and used car dealer Marshall (marshall.co.uk)
HomeoVet Animal Care (homeovet.co.uk)”
I think I can stop worrying.
(The homeovet people are probably trying to make the warnings go away by diluting the certificate.)
I have sat in the corner and considered every possible semantic tweak which would allow the word "prominent" and this company list to be in the same paragraph. I even swigged some watered-down super-potent-water to help my brain function but ... nope, nothing.
I am in the process of setting up an alternative web site for the IT professional - homeotech.ca.ck. This allows you to chuck a virtual bucket of water over any remote pc, declare it working and avoid a site visit ... We'll split the fee 90/10 (obviously I've got to factor in the cost of the homeostatic electro-fromage in the virtual water)
Maybe, just maybe, Google will actually lose market share due to this decision. I can't get there with Chrome, Firefox or <insert fav browser here> will get me there. I still have Netscape Navigator and Camino for pesky old web interfaces that balk at new browsers. May be time to add them back to the tool set?
At the coffee machine a colleague said if you don't want the googlish part of chrome, try chromium...
It's cute how people think many of these sites have actual, full time IT management on hand, who'll rush to fix this.
They're probably being run by the office junior who is a nephew of the MD and 'knows a bit about these computer things'.
Yes, even in slightly larger operations that you'd think would spend on IT staff...
And yes, they deserve a wake up call.
As a Firefox user I am happy that Google is a couple of days ahead of Firefox doing exactly the same. If it were Firefox that had to take the hit first it would have been much tougher to convince site owners they have a problem.
"Sorry but your website is no longer working due to a faulty cert."
"- I just checked and it's working fine here."
I'm not entirely convinced that forcing the use of https everywhere is such a good idea. Right now this means that I can't check out bus schedules on titsa.com without passing the gauntlet of adding a security exception to Firefox. While this seems like a misconfiguration on TITSA's part (or, indeed, maybe them using one of these dodgy certificates), protecting my browsing of bus schedules doesn't seem to merit the added complexity and overhead to me: this should be a user choice, i.e. typing http/https as desired (and maybe a browser setting for the default, which could be https out of the box by all means), not something that is forced on me whether I want it or not, or indeed, whether it works or not.
I suppose there is more of a point to https everywhere in the US where the ISPs can sell their customers out; this is probably why Google has been a proponent as they'd rather not have the competition.