[aklug] Chrome deprecation of certs issued by Symantec-owned CAs

Royce Williams royce at tycho.org
Thu Mar 30 05:06:33 AKDT 2017


And here's a nice, readable summary from the Bulletproof TLS Newsletter
<https://www.feistyduck.com/bulletproof-tls-newsletter/> (free,
recommended).

(And it's a little concerning that Symantec basically responded with "meh".
I professionally recommend moving away from them as a CA. As an
alternative, I'm a big fan of Let's Encrypt <https://letsencrypt.org/about/> -
*free*, well executed, *automatically renewing*, short lifetime,
high-quality certs.)

Quoting:

Google has proposed taking very severe steps against Symantec due to
violations of its responsibilities as a certificate authority. In January,
it became known that Symantec had issued several certificates for domains
that weren't requested by their owners. These certificates were created by
the South Korean company Crosscert, to which Symantec had given access to
its certificate issuance infrastructure.

Over the course of the investigation, it became clear that multiple
companies had been given similar access to Symantec's infrastructure
without sufficient oversight. Symantec knew about some of the problems and
didn't come forward with that knowledge. All together, around 30,000
certificates have been issued by these companies.

Google now plans to phase out all currently valid Symantec certificates.
Via several steps, the Chrome browser would distrust certificates with
certain validity times. In the end, Symantec would only be allowed to issue
certificates with a validity of nine months in the future. Also, Symantec
would lose its ability to issue Extended Validation (EV) certificates.
Although many people question the utility of EV certificates, they’re a
major source of income for certificate authorities due to their higher
prices.

Symantec noted that it finds Google’s actions irresponsible. In an emailed
statement, as reported by Ars Technica, Symantec wrote: “Our SSL/TLS
certificate customers and partners need to know that this does not require
any action at this time.”

On Wed, Mar 29, 2017 at 11:57 AM, Royce Williams <royce at tycho.org> wrote:

> Urgency: not immediate - but it could impact some sites as soon as June,
> and could take some lead time to get ready, so analyze soon. And if you
> depend on visible signs of Extended Validation, that will be impacted
> almost immediately.
>
> Impact: Chrome will start distrusting Symantec certs (as well as Thawte,
> Verisign, and other CA properties owned by Symantec) on a graduated
> timeline, depending on age and duration of cert. They will also stop
> showing visible signs of Extended Validation (EV) certs immediately.
>
> Google announcement and discussion:
>
>     https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ
>
> Good summary of the practical upshot, with timelines:
>
>     https://github.com/sleevi/explainer/blob/master/README.md
>
> Alternate checking tool:
>
>     https://www.renditioninfosec.com/socapps/sslcheck/index.php
>
> I also have a feature request in with Qualys to add this to the SSL Labs
> Server Test
>
>     https://github.com/ssllabs/ssllabs-scan/issues/477
>
> Royce
> --
> Royce Williams <http://www.techsolvency.com/roycewilliams/>
>
>
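As an added example (not part of the original post or the quoted newsletter), a small stand-alone Python triage script for the inventory step the post asks for: it takes a certificate in the shape returned by `ssl.getpeercert()`, flags issuers under the Symantec-owned brands named above, and reports validity length against the nine-month limit in the proposal. The brand list beyond Symantec, Thawte and VeriSign, the 279-day approximation of nine months, and the two sample certificates are assumptions, constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone
# Brands that shared Symantec's issuance infrastructure. Symantec, Thawte and
# VeriSign are named in the post; GeoTrust and RapidSSL were also Symantec-owned.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "geotrust", "rapidssl")
# Nine months (approximated as 279 days), the maximum validity proposed for Symantec.
NINE_MONTHS_DAYS = 279

def issuer_org(cert):
    """Return organizationName from a getpeercert()-style issuer tuple."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def triage(cert, now=None):
    """Classify one certificate: Symantec brand?, validity length, suggested action."""
    now = now or datetime.now(timezone.utc)
    org = issuer_org(cert)
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    validity_days = (end - start).days
    symantec = any(b in org.lower() for b in SYMANTEC_BRANDS)
    if not symantec:
        action = "no action: issuer is not a Symantec-owned brand"
    elif validity_days > NINE_MONTHS_DAYS:
        action = "plan replacement: Symantec-brand cert with long validity"
    else:
        action = "review: Symantec-brand cert, compare against explainer timeline"
    return {"issuer": org, "symantec_brand": symantec, "validity_days": validity_days,
            "days_remaining": (end - now).days,
            "exceeds_nine_months": validity_days > NINE_MONTHS_DAYS, "action": action}

def fetch_peer_cert(host, port=443):
    """Fetch a live server's leaf certificate (needs network; chain is validated)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() shape; these are not real certificates.
SYMANTEC_SAMPLE = {"issuer": ((("organizationName", "Symantec Corporation"),),),
                   "notBefore": "Mar  1 00:00:00 2016 GMT", "notAfter": "Mar  1 00:00:00 2019 GMT"}
LETSENCRYPT_SAMPLE = {"issuer": ((("organizationName", "Let's Encrypt"),),),
                      "notBefore": "Mar 30 00:00:00 2017 GMT", "notAfter": "Jun 28 00:00:00 2017 GMT"}

if __name__ == "__main__":
    for c in (SYMANTEC_SAMPLE, LETSENCRYPT_SAMPLE):
        print(triage(c))
```

To run it against your own hosts, pass `fetch_peer_cert(host)` into `triage()`; the EV-indicator change in the post applies regardless of validity length, so treat any Symantec-brand EV cert as needing review.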