Jump to content

Google & Symantec - Certificate Wars


Teken

Recommended Posts

During 2015, 2016, and moving into 2017 the failure points in the idea of using certificates has come under huge scrutiny. Regardless of what people may think or believe the bulk of the world evolves around the principle of the *Honor System*.

 

Where by a person / company offers enough trusts that said person / company will follow rules and guidelines which have been agreed upon and developed by many.

 

This is the perfect example of why this sort of thing will never work in the long run: https://www.engadget.com/2017/03/28/google-and-symantec-go-to-war-over-our-internet-security/

 

There have been countless stories not just about Symantec but other vendors who are charged with issuing said certificates. 

 

Which are completely worthless because the people behind said issuance are just as worthless. The sad reality is many of the general public will either have to put their hands up in disgust and accept this Gong Show.

 

Or at the very least take measures into their own hands by using all manner of technology and invest even more money to protect their privacy & security. 2017 will go down as the starting point where Big Brother will be omni present and your on line / off line presence will be tracked to the Nth degree!

 

Don't for a moment think a certificate that says its securing your session is the final indicator - because it isn't . . . 

Link to comment

Yup, Google is out for Google, even if they have to disrupt every person browsing the Internet, with their aggressive tactics.

 

I see they have started their constant pop-ups and other in-your-face tactics, again.

 

I try to avoid their half-baked browsers as much as possible. I like to see all the webpages. Every time I am forced to use Chrome I can't believe how much of the Internet is missing.

 

Chrome's big claim-to-fame was that it was so much faster on specially designed websites (the old CPU speed scam). Then along came IE 11 and they don't claim that anymore.

 

It seems they need kicking down a notch.

Link to comment

If Symantec issued certs improperly, I'm OK with Chrome not recognizing them as trusted. But if Google wants to now become the police of SSL certs, then they need to play fair and treat other vendors the same way. This just looks like a pissing match...

 

Also, does anybody really care that a site has a cert from Symantec anymore? I remember the begining stages when a Verisign seal on a site made me feel good, but not anymore. I really don't care. I get EV certs for 1/10th the price they charge with the same level of protection. My customers don't care who issued it as long as they are protected.

Link to comment

Does a certificate issued because somebody paid money offer any form of security?

 

It all sounds like a scam to me. A son of mine has never installed an anti- virus scanner in the last ten years and never had a virus problem either. OTOH people using Symantec's all powerful, take over you computer software, are constantly pestered with "malware".

 

Maybe Symantec needs a kick in the pants. Will we ever know, for sure?

Link to comment

Yes, it offers a huge amount of security. The reason why companies like Symantec charge more for their certs is not because they are more secure (they are the same as a free LetsEncrypt very) but because Symantec offers a huge insurance policy for any type of loss or damage if the SSL was breached. They also throw in crap that is useless, like a daily scan of your website.

 

These days there is no excuse to not secure your site, especially when you can get certs for free. For this forum I had to make a password not used on any other accounts I have (which is good practice) because this forum doesn't have a cert so every switch/router/firewall/network/you name it , can see my login credentials in plain text as it passes through their equipment.

 

The lender for my vehicle had an invalid SSL certificate on their site for nearly 6 months. I refused to pay online because of this. I finally got tired and did a whois look-up and contacted the company in charge of their site and explained the issue. I was basically blown off and told that they know what they are doing and to not worry, so I told them they better have a good insurance policy and hung up. The next day it was fixed...

Link to comment

MustangChris04,

Symantec's insurance doesn't help you if you bought your certificate from someone else but Symantec fraudulently issues a certificate for your domain (which is what happened in this case). They issued something like 30,000 fraudulent certificates. They claimed the issue was fixed and it was found they were still issuing improper certs (which is why Google put them in the penalty box).

 

A more in-depth analysis than Engadget provides is available here and here.

This isn't the first time this has happened either. Other CAs like Verisign, DigiNotar, Comodo, and Trustwave have all had security breaches or outright committed fraud where they issued fraudulent certificates. At least one of them (DigiNotar) has gone under because of it.

The CA model is broken, because any CA can issue a certificate for any domain. So you're not just trusting the Certificate Authority that issued the certificate, you have to trust all 200+ CAs in the average trust list. There have been some proposed ways to fix the model including HPKP and DANE, which hopefully gain some traction. DANE is a particular favourite of mine, because once it becomes widely supported, it removes the requirement for CAs altogether.

Link to comment

Archived

This topic is now archived and is closed to further replies.


  • Recently Browsing

    • No registered users viewing this page.
  • Who's Online (See full list)

    • There are no registered users currently online
  • Forum Statistics

    • Total Topics
      36.6k
    • Total Posts
      368.3k
×
×
  • Create New...