Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com)
When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.
HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abides by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority. For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.
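As an added example (not code from the article or from any browser vendor), a stdlib-only Python check that applies the rule the summary describes: a leaf certificate is flagged when its issuer carries one of the named legacy Symantec brands and its notBefore date falls before June 2016. The sample certificates are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the names and issuers are made up, and `fetch_peer_cert` is a hypothetical helper for running the same check against a live host.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff stated in the summary: Symantec-rooted certificates issued before
# June 2016 (legacy Thawte, VeriSign, Equifax, GeoTrust and RapidSSL brands
# included) are the ones Chrome 70 and Firefox 60/63 stop trusting.
DISTRUST_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Brand names from the summary, matched case-insensitively against the issuer.
LEGACY_SYMANTEC_BRANDS = (
    "symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl",
)


def rdn_value(rdn_seq, attr):
    """Extract one attribute (e.g. 'organizationName') from the tuple-of-tuples
    that getpeercert() returns for the 'issuer' and 'subject' keys."""
    for rdn in rdn_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def issuer_is_legacy_symantec(cert):
    """True when the issuer's O or CN carries one of the legacy brand names."""
    issuer = cert.get("issuer", ())
    text = " ".join(
        rdn_value(issuer, attr) for attr in ("organizationName", "commonName")
    ).lower()
    return any(brand in text for brand in LEGACY_SYMANTEC_BRANDS)


def not_before(cert):
    """getpeercert() renders dates like 'Jun  1 00:00:00 2016 GMT';
    ssl.cert_time_to_seconds() turns that into a POSIX timestamp (UTC)."""
    return datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )


def assess(cert):
    """Classify one leaf certificate against the rule in the summary:
    'affected'                -> legacy Symantec issuer AND issued before the cutoff
    'legacy-but-after-cutoff' -> legacy issuer, issued on or after 2016-06-01
    'ok'                      -> some other CA"""
    if not issuer_is_legacy_symantec(cert):
        return "ok"
    if not_before(cert) < DISTRUST_CUTOFF:
        return "affected"
    return "legacy-but-after-cutoff"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Hypothetical live helper (needs network): a server's leaf certificate
    in getpeercert() form, so assess() can run against a real host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the exact shape getpeercert() returns.
# All names are made up; none of these are real certificates.
SAMPLE_CERTS = {
    "legacy-2015": {
        "subject": ((("commonName", "www.legacy-shop.test"),),),
        "issuer": (
            (("countryName", "US"),),
            (("organizationName", "Symantec Corporation"),),
            (("commonName", "Sample Symantec Secure Server CA"),),
        ),
        "notBefore": "Mar 10 00:00:00 2015 GMT",
        "notAfter": "Mar  9 23:59:59 2018 GMT",
    },
    "cutoff-day": {  # issued exactly on the cutoff: not "before", so not flagged
        "subject": ((("commonName", "www.edge-case.test"),),),
        "issuer": (
            (("organizationName", "GeoTrust Inc."),),
            (("commonName", "Sample GeoTrust SSL CA"),),
        ),
        "notBefore": "Jun  1 00:00:00 2016 GMT",
        "notAfter": "Jun  1 23:59:59 2018 GMT",
    },
    "reissued-2017": {
        "subject": ((("commonName", "www.reissued.test"),),),
        "issuer": ((("organizationName", "thawte, inc."),),),  # issuer has no CN
        "notBefore": "Aug  3 12:00:00 2017 GMT",
        "notAfter": "Aug  3 12:00:00 2019 GMT",
    },
    "other-ca": {
        "subject": ((("commonName", "www.fine.test"),),),
        "issuer": (
            (("organizationName", "Let's Encrypt"),),
            (("commonName", "Sample Let's Encrypt Intermediate"),),
        ),
        "notBefore": "Sep 20 00:00:00 2018 GMT",
        "notAfter": "Dec 19 00:00:00 2018 GMT",
    },
}


def report(certs=SAMPLE_CERTS):
    """Map each sample name to its status."""
    return {name: assess(cert) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:15s} {status}")
```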
This not about security, because it does not help (Score:5, Interesting)
None of the still-accepted certificates are any better. The CA system is fundamentally broken and what Google does here is not doing anything for security. It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.
Re:This not about security, because it does not he (Score:4, Insightful)
...not doing anything for security. It does create a false sense of security though (making things actually worse)...
A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http. Seriously... I wish I was joking. My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
FF FTW, but even they're getting wonky. Pale Moon??
Re:This not about security, because it does not he (Score:5, Insightful)
A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http.
Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about.
Re: (Score:2)
Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about.
No one is sure about what the GP was talking about. To quote a really shit movie: "Amazing. Everything you just said was wrong."
Re:This not about security, because it does not he (Score:5, Informative)
My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
Err, no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.
Re: (Score:2)
My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.
Err, no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.
It's probably viewable. But Chrome puts this scary "Not secure" banner at the top of the page, prompting visitors who don't know what's going on to leave right away.
Re: (Score:2)
I have put a free (and worthless) "Let's Encrypt" cert on my page to get around this problem.
Re:This not about security, because it does not he (Score:5, Insightful)
Do the world a favor, get a certificate for your site, even if it's just the free one from Let's Encrypt.
I agree for a public site. But it's not quite free for a private web server behind the firewall of a home LAN. Like other CAs that web browsers trust by default, Let's Encrypt requires a fully qualified domain name, not an IP address in 192.168/16 or a hostname within a reserved TLD like .internal, and many dynamic DNS providers aren't on the Public Suffix List and/or don't support TXT records. Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
Re:This not about security, because it does not he (Score:5, Insightful)
Google isn't a net 'newbie', they're a net 'bully', trying to force their way upon everybody.
Don't be evil was changed (Score:5, Funny)
"Welcome to my underground lair."
Re: (Score:2)
What ever happened to "don't be evil?"
They removed that line for legal reasons. They could have been attacked on this, even in the past, "being evil" is too vague and subject to interpretation.
Re:This not about security, because it does not he (Score:5, Interesting)
Actually Firefox is the same. Mozilla have been pushing for this change too.
And Google is somewhat ahead of the curve regarding CAs and security. They know the limitations, that's why Chrome now doesn't display information from enhanced certs. Google knows they are worthless and don't identify the owner of a site reliably, so they don't display them in a little green box next to the address bar any more.
It's actually pissing off a lot of CAs. Now that Let's Encrypt offers basic certs for free, and there is no real difference between basic certs and enhanced certs, they don't have anything to sell.
Re: (Score:2)
Spot-on. They even try to "fix" TCP, apparently completely unaware that lots of really smart people have failed to do so before them. Not good. They are a Dunning-Kruger company by now.
Re: (Score:3)
Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"
You say this as if Google de-trusting this CA in October is a Google choice.
FireFox [mozilla.org] limited trust for this CA back in May already, and will be revoking it in October as well.
May 2018 (Firefox 60): Websites will show an untrusted connection error if they have a TLS cert issued before 2016-06-01 that chains up to a Symantec root.
October 2018 (Firefox 63): Removal/distrust of Symantec roots, with caveats described below.
Only Microsoft hasn't announced intent to do so for IE/Edge, in violation of the certificat
Re: (Score:2)
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
I shivered when I read that. Why would you even want your router or NAS web config accessible from outside your LAN?
Name != connecting; using NAS over Internet (Score:3)
Even if one cannot open a connection to the device from the Internet, the CA still has to be able to resolve the device's name through the Internet in order to issue a certificate. Otherwise, you're stuck using self-signed certificates, and some mobile and set-top devices reportedly don't let the user examine the fingerprint of a self-signed certificate that a device presents to ensure that it is the intended certificate.
Besides, there are plenty of legitimate reasons to access network-attached storage over
Re: (Score:2)
Besides, there are plenty of legitimate reasons to access network-attached storage over the Internet.
This is what VPNs are for. Use one.
Re: (Score:2)
Even when connecting through a VPN, all browsers require an HTTPS origin in order to view a site that uses Service Workers.
Re: (Score:2)
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
I shivered when I read that. Why would you even want your router or NAS web config accessible from outside your LAN?
For that matter, why the heck would you do HTTPS on internal LAN? Wasting CPU cycles on something that shouldn't even be accessible from the outside world at all. Hell, if you want HTTPS on your LAN addresses, just generate your own certs and install your own root cert on client machines.
Re: (Score:2)
For that matter, why the heck would you do HTTPS on internal LAN?
Because a growing number of JavaScript APIs specify that they are available on HTTPS origins and http://localhost/ [localhost] only, and nowhere else. One such API that is both limited to secure contexts [pineight.com] and relevant to streaming a video from a home NAS is the Presentation API.
Hell, if you want HTTPS on your LAN addresses, just generate your own certs and install your own root cert on client machines.
Not all client machines make it practical to install a private root certificate, particularly mobile devices or set-top devices. Nor is it advisable to install a private root certificate on devices belonging to visiting friends and relatives if t
Re: (Score:2)
I thought the network security config in the Google Chrome and Mozilla Firefox APKs was set to opt in to user certificates.
Re: (Score:2)
Or try the domain hackme.houghi.org and see how that is connected. Excluding local IP addresses should be standard.
Exactly this. More specifically, IANA defines 3 private subnets for internal use:
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms. Would that really be so hard??? IE doesn't even tell you when they've decided to block a page due to a TLS issue - you just get a generic "Page can't be displayed" erro
Re: (Score:2)
These should be automatically excluded from the strict TLS rules that browsers impose, especially the ones that give you no option to bypass their built-in blocking mechanisms.
Cool, so when I'm at a coffee shop, and someone hijacks the DNS and redirects my bank's site to 192.168.0.3, doing a MITM with a self-signed cert, that should be accepted by the browser? It's OK because it's a private subnet!
If you think these browser "features" can protect your data from capture when you're on a public wifi connection, I've got some bad news for you...
Re: (Score:2)
TLS itself as well as browser enforcement are designed to protect against the same kind of threats on your home network as on public WiFi. It's assumed that the network link can be monitored and modified at will, so there shouldn't be a difference. My point is weakening those restrictions for "private" subnets will have much greater consequences than just your home network, and doing that because a power user can't or won't use a FQDN to access an internal network resource will have a much larger impact on regular users elsewhere.
That should be my call, not some faceless corporation's focused on their bottom line.
Re: (Score:2)
For an internal network you typically control all the endpoints, so you can create and trust your own CA...
Visitors invited to view internal resource (Score:2)
For an internal network you typically control all the endpoints, so you can create and trust your own CA...
Say you invite a friend or relative into your house and then invite him or her onto your guest network to view a video on your NAS. Is it typical in that case to install your root certificate on his or her machine? Because if so, that would let you MITM his or her traffic later on.
Re: (Score:2)
I doubt I'd ever do that...
I would either send the video to them, or invite them to view it on one of my existing devices.
In any case, my NAS devices are not reachable from the guest network, and a NAS would typically be accessed over SMB or NFS anyway.
Re: (Score:2)
I would either send the video to them
And it'd then have to fit onto the device's storage. A lot of especially budget phones are strapped for flash space.
or invite them to view it on one of my existing devices.
Unless said "existing devices" are already in use by another member of the household for (say) playing a video game.
Re: (Score:2)
If it's your internal network you can just create your own cert and add it to your local machine(s). That's how it's supposed to work.
Re: (Score:2)
Should it be expected for every householder to buy a domain name so that the web interface of his router, printer, and NAS can be issued a certificate for HTTPS?
Why is this relevant in a discussion about a public site?
Why is this relevant when discussing a browser that still happily shows unencrypted communication?
Re: (Score:2)
Why is this relevant in a discussion about a public site?
It is intended as a reminder that not all sites are public, and not all parties involved in this policy change have adequately addressed the effect of this policy change on private sites.
Why is this relevant when discussing a browser that still happily shows unencrypted communication?
A browser doesn't "happily show[] unencrypted communication" if it involves a JavaScript API that is reserved for secure contexts [pineight.com].
Re: (Score:2)
Don't use that JavaScript API then. Seriously, 99.99% of users will be completely affected by this. The use of secure contexts is basically non-existent.
This will mostly affect developers. You know, the kinds of people who are capable of setting up a CA to self-sign certs and add the root certificate from their dev machine to their browser anyway.
Re: (Score:3)
Such governments will have fully upgraded to tech that can track all their nations users browser uses.
A VPN would be of more help than a browser.
Let the rest of the world enjoy the internet and "that" country can have its users discover the better security of a great VPN.
Re: (Score:2)
Indeed. An HTTPS connection is very much _not_ a VPN tunnel, even if naive people may think so.
Re: (Score:2)
Do the world a favor, get a certificate for your site, even if it's just the free one from Let's Encrypt
Yeah, and I'm sure you're happy to install their trojan on your machine and giving it write access to your cert store so it can keep replacing the cert because they're too stubborn to issue certificates that last a year!
Re: (Score:2)
You think certificates prevent state-actor MITM in actual reality? They do not and have not for at least a decade.
The CA system was a somewhat reasonable idea with a horrible execution and utter naivety on side of its architects. It is broken and cannot be fixed.
It eliminates Blue Coat (Score:5, Insightful)
I sort of semi-agree. But...
Lest you forget, Symantec gave root authority to Blue Coat, a firm selling network sniffing software.
https://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
Which let Blue Coat fake certs for websites and browsers that did not authorize it. In effect Symantec authorized this man in the middle attack on their behalf.
This was after an incident where Symantec were caught issuing fake Google certificates, which they claimed was 'testing/accidentally released'.
This was after the Snowden reveal that some unnamed certificate authority had been issuing fake Google certs to NSA for intercepting Google's internal communications.
So, it DOES help security, but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
Re: (Score:2)
but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
Except that nobody has come up with a better way.
Sure, they've come up with theoretically better ways, but none that are workable.
We should come up with one of those checkbox lists like used to circulate for spam solutions ... "your plan to replace third party certificate authorities is interesting, but will not work because ... {crap ton of checkmark points}"
Solution to the second issue is certificate pinnin (Score:2)
> > Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".
> Except that nobody has come up with a better way
The better way is called "certificate pinning" and it works just the way the GP described. Your browser won't accept a Symantec certificate for Google.com because it knows Google gets its certific
Re: (Score:2)
Except that certificate pinning is being deprecated in Chrome:
Certification Authority Authorization (CAA) seems to be the replacement for preventing misissuance.
To be removed after replacement, yes (Score:2)
Thanks for the reminder. I had seen that before but forgot.
You are correct, it is slated for removal after it is replaced with Certification Authority Authorization and Expect Certificate Transparency. High risk sites such as banks can implement both pinning and Expect-CT, along with HSTS, to be protected both now and in the future.
Before implementing pinning, one should consider the potential problems that can occur if you lose your key and make darn sure there is a secured off-site backup of the key.
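An added example, not from this thread or any CA's code: the Certification Authority Authorization (CAA) check the comments above mention, implemented over a constructed zone following the RFC 8659 rules (walk up to the first non-empty CAA RRset, honour the critical flag, and apply issue or issuewild records). All domain and CA names are made up.

```python
# Constructed zone data for the example: owner name -> list of CAA records as
# (flags, tag, value). None of these names are real.
CAA_ZONE = {
    "example.test": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                  # forbid every CA for wildcards
        (0, "iodef", "mailto:security@example.test"),
    ],
    "blog.example.test": [(0, "issue", ";")],   # forbid all issuance
    "shop.example.test": [(128, "futuretag", "x")],  # critical bit on unknown tag
    "api.example.test": [(0, "iodef", "mailto:ops@example.test")],  # no issue tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, name):
    """RFC 8659 section 3: walk from the name up towards the apex and return
    the first non-empty CAA RRset found; an absent name is not a record set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """'ca.example; accounturi=...' -> 'ca.example'; a bare ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca_domain, wildcard=False):
    """Decide whether CA `ca_domain` may issue for `name` (or for *.name when
    wildcard=True or the name starts with '*.'). Returns (allowed, reason)."""
    if name.startswith("*."):
        name, wildcard = name[2:], True
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records from the name up to the apex"
    # A CA that does not understand a tag marked critical must refuse to issue.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical flag set on unknown tag '{tag}'"
    # issuewild governs wildcards only when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    domains = [issuer_domain(v) for _, t, v in rrset if t.lower() == tag]
    if not domains:
        return True, f"no '{tag}' property present, so issuance is unrestricted"
    if ca_domain.lower() in domains:
        return True, f"'{tag}' record names {ca_domain}"
    return False, f"'{tag}' records {domains} do not name {ca_domain}"
```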
Comment removed (Score:5, Insightful)
Re: (Score:2)
Even if the site is mundane and harmless, it can still be used to perform mitm attacks against the client.
On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.
Re: (Score:2)
On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.
I think you meant to say "captive portal systems break HTTPS sites, along with every other non-HTTP protocol".
Anyway, there has been a standard workaround in place for this problem for a while now. Devices detect captive portals by querying a well-known URL over HTTP; if they get an unexpected response they prompt the user to sign in to the network.
Re: (Score:2)
That's bad op-sec. Any and all metadata that can be collected about you is dangerous, even if it seems trivial now. Everything should be encrypted by default, you should need a really really good reason to use plaintext.
Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware. Some ISPs have injected their own ads and tracking headers.
Re: (Score:2)
Security Karaoke
Nice. Stolen.
Re: (Score:2)
How EXACTLY is some spook knowing I like ancient arches "dangerous" to me?
Because some people will base passwords around stuff like that, or it can be used to craft highly tailored phishing attacks.
Probably it will not matter but it costs nothing in practical terms to live like it does.
Re: (Score:2)
And as far as a MITM? I have my browser locked down with Ublock AND Privacy Badger, the DNS automatically blacklists malware addresses
First of all, none of that helps with a MITM attack which modifies the data coming to your system. It may help if the only thing injected is a url where the malware is located, but it doesn't help one bit if the malware is injected directly. The whole point of a MITM attack is that the data seems to be coming from the main host you're connected to.
Second, even if those were effective protection, they're only used by a tiny percentage of the population, and that's unlikely to change anytime soon. So the fact
Re: (Score:2)
Some ISPs have injected their own ads and tracking headers.
Ding ding! That's the real reason Google is promoting this crappy https everywhere propaganda. To get rid of any and all competition.
Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware.
TLS is NOT going to stop that. Google's blacklist is what stops that. And, sites serving malware can be detected MORE QUICKLY if they are not encrypted.
Re: (Score:2)
Or, just use one of many numerous exploits to install malware on the real site. It's a lot easier. It's not going to prevent you from getting malware. Sure, it may stop one of these specific MITM attacks, but they aren't really very common anyway, are they?
The really easy way is to set up a real site with a real cert and start advertising on Instagram. You can push out a lot of malware that way.
This is just security karaoke (yea, I stole it).
Re: (Score:2)
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt
To you? No. Sounds like you're not in the position for being persecuted for a thought crime. I however would recommend against browsing innocent text in some countries, certainly not anarchists_cookbook_v1.0.txt.
And that's just it. It's not up to the content creator to determine if the viewer needs the expectation of privacy when viewing the content.
Re: (Score:2)
I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2?
You may not care if someone knows you're looking at that site, but you should care that you only receive .txt and .jpg of ancient CPUs. Without https, a man-in-the-middle can inject whatever they want into the data, and hijack your system. Not a good thing.
Basically, it's the same reason that Linux vendors use crypto on their packages. Except they just use signatures rather than encrypting the actual data--but nothing in the w3c standards supports just using signatures, so full encryption is the only availa
Re:This not about security, because it does not he (Score:4, Insightful)
Google's policies impose an opportunity cost for any CA issuing false certificates. CAs can still be abused, but that abuse turns a CA into a very expensive weapon which can only be used for a very limited time and then becomes useless. By showing that no CA is too big to fail they provide a valuable service. When abuse becomes more expensive, it's reduced ... capitalism works.
Now I'd rather they support DANE, but even what they are doing now does improve matters.
I think you're missing the point (Score:2)
The browser belongs to the user. If he wants to see the site he should be able to do so regardless of what some Google security "expert" thinks is appropriate. However the "I don't care if the cert is bad, just show me the damn site NOW!" option seems to be disappearing in browsers, or if it's still there you have to click through half a dozen patronising "Are you sure?" links first.
Re: (Score:2)
None of the still-accepted certificates are any better.
Citation Required. The system has a set of rules that are followed. The remainder of the still accepted certificates have been shown to be issued in good faith, which makes them better than those issued in bad faith.
The CA system is fundamentally broken and what Google does here is not doing anything for security.
By punishing people who don't live by the rules the system is self regulating. Google not doing anything would undermine / break the CA system which otherwise is working just fine.
It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.
I would call this horseshit, but to be honest that's an insult to horseshit.
Re: (Score:2)
You are lazy and uneducated. Find your own citations, the relevant research has been around for at least a decade.
Re: (Score:2)
I did several searches on Google and couldn't find anything.
What are good terms to use?
As for a real answer, the burden of proof lies on the accuser, not just, "I'm right, you prove it."
That wouldn't go to well in a court.
You're the one who seems lazy.
Ad hominem attacks don't help, I only used the lazy word because you did.
P.S. I wasn't reading the comments too carefully and may agree with you , I just noticed your way of saying it.
It's actually possible I was wrong but even if I am your comment still seems
Re: (Score:2)
It's all political at this point. How many times did Comodo screw up, and they are still trusted. Let's not talk about Let's Encrypt, which passes out DV-validated certs and does not even check that there is some kind of payment method tied to them. Stupid.
Re: (Score:2)
Stupid indeed. And from a security point-of-view, almost worthless.
Re: (Score:2)
Can't say I disagree.
Piss on it ... (Score:4, Funny)
... I'm going back to IE on my XP.
Re: (Score:2)
I used Opera back in the days when Moby Dick was a minnow (and it's still in my toolbox) because I could open shitloads of instances because the footprint was small.
We have tabs for that, now.
Re: (Score:3)
You can run current SeaMonkey on XP.
Re: (Score:2)
Changing subject, Y2K was a once-in-a-lifetime event, as I think you know.
The most entertaining part, for me, was all the trees killed on CYA boilerplate we (law firm) sent out to any address we could find and we didn't even vet to see if people, businesses, persons were even alive.
That cost thousands of dollars in postage, paper, toners, and time.
Me, I just made sure the system didn't go off the rails while they processed all that shit.
On the flip side, we demanded reciprocal letters of (legally binding) a
Re: (Score:2)
You're joking, but I do find myself using Pale Moon a lot because Chrome is so damn fussy and prescriptive. For instance I purposely run my iptables wrapper's web interface on a high port number to make it less likely hackers will try and hit it, but Chrome just flat out refuses to load the site on a high port number unless you pass a commandline argument in each time you run it. Ludicrous.
Re: (Score:2)
I have stuff in the 8000 range and have no problems.
Re: (Score:2)
I think it's because I'm running it on one of the ports that Chrome considers to be "really dangerous" because it's used by another common protocol, as specified in this list:
http://tech-stuff.org/which-po... [tech-stuff.org]
It's really rather annoying that they assume they know better than me when I explicitly specify the port in the address bar. We're not talking about XSRF here.
Re: (Score:2)
Pale Moon makes me break out in a rash.
I'm not saying that to piss you off.
There's something about it that just doesn't seem right.
I'd agree with you if your position that it's just me, OK?
I could run it while Network Monitor is up (I have WireShark but like NM better) so I could maybe see what's up, but I'm a retired and tired IT guy and I'm not in the mood to do a deep dive.
I use DuckDuckGo, Firefox in Private Browser, NoScript, ADBlock Plus, uBlock Origin and No Coin.
I erase all temp files, including bro
Re: (Score:2)
Google is protecting the 'security' on identities that it wants to be the sole exploiter of.
Re: (Score:2)
Google forcing "security" on people it has already stolen identities from.
Annnnnnnd? Holy hell - you are correct! I never thought of it this way, but Got-Damn, get that post to +5
Rent-seeking behavior (Score:2)
Certificate issuance has become yet another excuse to indulge rent-seeking behaviors. Just burn it all down.
How does Let's Encrypt rent-seek (Score:3)
What's so "rent-seeking" about, say, Let's Encrypt? It issues trusted domain-validated certificates without charge to just about anyone who owns a domain name.
Re: (Score:2)
That's an exception. You can spare it the flames.
Lava (Score:2)
Squatty Potty
Not Squatty Potty!
1 in 878 sites = many? (Score:2)
1 site in every 878 not working with a browser doesn't seem like much. Have things actually gotten that stable?
I don't think slashdot has been up 1/100th of the last year. Wasn't there an outage of several days less than a year ago?
Even Amazon has had significant outages this year. Netflix was down some. No site seems above having an outage. And even if they are, there are still many times a year that my own internet goes out - certainly more often than my electricity goes out.
The internet is not a stable,
Re: (Score:2)
Very much my first thought - a relatively small number of incompetents or recalcitrants.
The really depressing thing about it is, the first actual examination of the numbers comes about 90% down the list of Slashdot comments.
Ads and your internet (Score:2)
Find a better browser.
CAs are a protection racket (Score:3)
Why can't banks have other financial institutions sign their certs? Why can't Google, Facebook, Apple et al, hold a key signing party? Why can't lawyers get their certs signed by their bar association? Why can't government websites have certs signed by their governments, which in turn might be signed by other governments?
It doesn't stop CAs from being signatories too if somebody pays $$$ for them to do it. But when ONLY CAs are allowed to sign certs, the security of sites is brittle and expensive. And often the signature is worthless other than it makes some scary box go away on the browser.
Re: (Score:2)
Why can't banks have other financial institutions sign their certs?
Why can't each person individually verify and determine the trust of every request they send to the internet in order to determine their exposure and level of security? Oh wait I know the answer to this: It's fucking stupid.
Re: (Score:2)
At the end of the day even an unsigned cert is better than nothing at all. At least it affords encryption to the website. Coupled with a service like SSL lighthouse, it would be resistant to MITM style attacks too.
I'm sure browsers could produce some relatively simple way to describe the trust and assign it a s
Certs - you have to trust someone else (Score:2)
CAs are now audited and the auditing is getting much better. With certificate transparency I can check, near real time, every EV cert a CA issues. If they issue one in secret there is a high probability they will be caught.
Symantec should have been dropped a while ago, as they proved to be untrusted. They were just to
Re: (Score:2)
Apple owns almost half the mobile phone market in the US and probably over 3/4 of the ones owned by middle class and up consumers. They have just as much sway to force changes in CAs as Google, they are also distrusting Symantec BTW.
Re: (Score:2)
Because, of course, Microsoft is so much more respectful of privacy than Google!