Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Chrome The Internet

Chrome 70's Upcoming Security Change Will Break Hundreds of Sites (techcrunch.com) 177

When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. "Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates," reports TechCrunch. From the report: [D]espite more than a year to prepare, many popular sites are not ready. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few. Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.

HTTPS certificates encrypt the data between your computer and the website or app you're using, making it near-impossible for anyone -- even on your public Wi-Fi hotspot -- to intercept your data. Not only that, HTTPS certificates prove the integrity of the the site you're visiting by ensuring the pages haven't been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abide by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority.
For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.
This discussion has been archived. No new comments can be posted.

Chrome 70's Upcoming Security Change Will Break Hundreds of Sites

Comments Filter:
  • by gweihir ( 88907 ) on Monday October 08, 2018 @09:10PM (#57448882)

    None of the still-accepted certificates are any better. The CA system is fundamentally broken and what Google does here is not doing anything for security. It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.

    • by thoughtlover ( 83833 ) on Monday October 08, 2018 @09:16PM (#57448906)

      ...not doing anything for security. It does create a false sense of security though (making things actually worse).../p>

      A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http. Seriously... I wish I was joking. My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.

      FF FTW, but even they're getting wonky. Pale Moon??

      • A valid assessment... and, Google's being quite the hypocrite by delivering THEIR OWN search results via http.

        Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about,

        • Uh, google.com has been HTTPS only for some time now. Not sure what you're talking about,

          No one is sure about what the GP was talking about. To quote a really shit movie: "Amazing. Everything you just said was wrong."

      • by thegarbz ( 1787294 ) on Tuesday October 09, 2018 @04:21AM (#57449682)

        My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.

        Err. no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.

        • My personal domain with my artwork isn't viewable via Chrome or Safari because it doesn't have (or need) a cert.

          Err. no. If your personal domain isn't viewable then you fucked something up that is completely unrelated to certificates or not.

          It's probably viewable. But Chrome puts this scary "Not secure" banner at the top of the page. Prompting visitors to leave right away that don't know what's going on.

      • by gweihir ( 88907 )

        I have put a free (and worthless) "let's encrypt" cert on my page to get around this problem.

    • by Anonymous Coward on Monday October 08, 2018 @09:46PM (#57449018)

      I sort of semi-agree. But...

      Lest you forget, Symantec gave root authority to Blue Coat, an firm selling network sniffing software.

      https://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/

      Which let Blue Coat fake certs for websites and browsers that did not authorize it. In effect Symantec authorized this man in the middle attack on their behalf.

      This was after an incident where Symantec were caught issuing fake Google certificates, which they claimed was 'testing/accidentally released'.

      This was after the Snowden reveal that some unnamed certificate authority had been issuing fake Google certs to NSA for intercepting Google's internal communications.

      So, it DOES help security, but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".

      • but yeh, the basic problem is you're trusting a third party to verify a website as real, and that third party is not trustable. Trust should be built up over time, which means you cannot permit silent revokes of certificates or silent changes to certificates. Every browser should track every certificate and scream blue murder if the certificate is ever changed : "alert alert alert, this website you've been dealing with for 3 years suddenly has a new certificate from a new authority, go see WTF is happening".

        Except that nobody has come up with a better way.

        Sure, they've come up with theoretically better ways, but none that are workable.

        We should come up with one of those checkbox lists like used to circulate for spam solutions ... "your plan to replace third party certificate authorities is interesting, but will not work because ... {crap ton of checkmark points}"

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Monday October 08, 2018 @10:38PM (#57449106)
      Comment removed based on user account deletion
      • by Bert64 ( 520050 )

        Even if the site is mundane and harmless, it can still be used to perform mitm attacks against the client.

        On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.

        • On the other hand, HTTPS sites break the captive portal system used on a lot of wifi networks.

          I think you meant to say "captive portal systems break HTTPS sites, along with every other non-HTTP protocol".

          Anyway, there has been a standard workaround in place for this problem for a while now. Devices detect captive portals by querying a well-known URL over HTTP; if they get an unexpected response they prompt the user to sign in to the network.

      • by AmiMoJo ( 196126 )

        That's bad op-sec. Any and all metadata that can be collected about you is dangerous, even if it seems trivial now. Everything should be encrypted by default, you should need a really really good reason to use plaintext.

        Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware. Some ISPs have injected their own ads and tracking headers.

        • Comment removed based on user account deletion
          • Security Karaoke

            Nice. Stolen.

          • How EXACTLY is some spook knowing I like ancient arches "dangerous" to me?

            Because some people will base passwords around stuff like that, or it can be used to craft highly tailored phishing attacks.

            Probably it will not matter but it costs nothing in practical terms to live like it does.

          • by Xtifr ( 1323 )

            And as far as a MITM? I have my browser locked down with Ublock AND Privacy Badger, the DNS automatically blacklists malware addresses

            First of all, none of that helps with a MITM attack which modifies the data coming to your system. It may help if the only thing injected is a url where the malware is located, but it doesn't help one bit if the malware is injected directly. The whole point of a MITM attack is that the data seems to be coming from the main host you're connected to.

            Second, even if those were effective protection, they're only used by a tiny percentage of the population, and that's unlikely to change anytime soon. So the fact

          • Comment removed based on user account deletion
        • Some ISPs have injected their own ads and tracking headers.

          Ding ding! That's the real reason Google is promoting this crappy https everywhere propaganda. To get rid of any and all competition.

          Also consider the potential for interference via MITM attack on HTTP. You could be getting served malware.

          TLS is NOT going to stop that. Google's blacklist is what stops that. And, sites serving malware can be detected MORE QUICKLY if they are not encrypted.

          • Comment removed based on user account deletion
            • Or, just use one of many numerous exploits to install malware on the real site. It's a lot easier. It's not going to prevent you from getting malware. Sure, it may stop one of these specific MITM attacks, but they aren't really very common anyway, are they?

              The really easy way is to set up a real site with a real cert and start advertising on Instagram. You can push out a lot of malware that way.

              This is just security karaoke (yea, I stole it).

      • I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt

        To you? No. Sounds like you're not in the position for being persecuted for a thought crime. I however would recomment against browsing innocent text in some coutries, certainly not anarchists_cookbook_v1.0.txt.

        And that's just it. It's not up to the content creator to determine if the viewer needs the expectation of privacy when viewing the content.

      • by Xtifr ( 1323 )

        I mean is there a reason I should give a single flying flipping fuck if someone knows I'm looking at a simple website serving only .txt and .jpg of ancient CPUs designs like 8088 and AMD K2?

        You may not care if someone knows you're looking at that site, but you should care that you only recieve .txt and .jpg of ancient CPUs. Without https, a man-in-the-middle can inject whatever they want into the data, and hijack your system. Not a good thing.

        Basically, it's the same reason that Linux vendors use crypto on their packages. Except they just use signatures rather than encrypting the actual data--but nothing in the w3c standards supports just using signatures, so full encryption is the only availa

    • by Pinky's Brain ( 1158667 ) on Monday October 08, 2018 @11:19PM (#57449200)

      Google's policies impose an opportunity cost for any CA issuing false certificates. CA's can still be abused, but that abuse turns a CA into a very expensive weapon which can only be used for a very limited time and then becomes useless. By showing that no CA is too big to fail they provide a valuable service. When abuse becomes more expensive, it's reduced ... capitalism works.

      Now I'd rather they support DANE, but even what they are doing now does improve matters.

      • The browser belongs to the user. If he wants to see the site he should be able to do so regardless of what some google security "expert" thinks is appropriate. However the "I don't care if the cert is bad, just show me the damn site NOW!" option seems to be disappearing in browsers or if its still there you have to click through half a dozen patronising Are you sure? links first.

    • None of the still-accepted certificates are any better.

      Citation Required. The system has a set of rules that are followed. The remainder of the still accepted certificates have been shown to be issued in good faith, which makes them better than those issued in bad faith.

      The CA system is fundamentally broken and what Google does here is not doing anything for security.

      By punishing people who don't live by the rules the system is self regulating. Google not doing anything would undermine / break the CA system which otherwise is working just fine.

      It does create a false sense of security though (making things actually worse) and it does inconvenience a lot of people.

      I would call this horseshit, but to be honest that's an insult to horseshit.

      • by gweihir ( 88907 )

        You are lazy and uneducated. Find your own citations, the relevant research has been around for at least a decade.

        • I did several searches on Google and couldn't find anything.
          What are good terms to use?

          As for a real answer, the burden of proof lies on the accuser, not just, "I'm right, you prove it."
          That wouldn't go to well in a court.
          You're the one who seems lazy.
          Ad hominem attacks don't help, I only used the lazy word because you did.

          P.S. I wasn't reading the comments too carefully and may agree with you , I just noticed your way of saying it.
          It's actually possible I was wrong but even if I am your comment still seems

    • by DarkOx ( 621550 )

      Its all political at this point. How many times did COMODO screw up and they are still Trusted. Lets not talk about LetsEncrypt which passes out DV validated certs and does not even check there is some kind of payment method tied to them. Stupid

  • by CaptainDork ( 3678879 ) on Monday October 08, 2018 @09:15PM (#57448900)

    ... I'm going back to IE on my XP.

    • Good luck rendering HTML5.
    • You can run current SeaMonkey on XP.

    • ...on a 80286?
    • IE6 is great if you need to retrieve some old pages of the y2k zone from web archive.
      • Changing subject, Y2K was a once-in-a-lifetime event, as I think you know.

        The most entertaining part, for me, was all the trees killed on CYA boilerplate we (law firm) sent out to any address we could find and we didn't even vet to see if people, businesses, persons were even alive.

        That cost thousands of dollars in postage, paper, toners, and time.

        Me, I just made sure the system didn't go off the rails while they processed all that shit.

        On the flip side, we demanded reciprocal letters of (legally binding) a

    • by jez9999 ( 618189 )

      You're joking, but I do find myself using Pale Moon a lot because Chrome is so damn fussy and prescriptive. For instance I purposely run my iptables wrapper's web interface on a high port number to make it less likely hackers will try and hit it, but Chrome just flat out refuses to load the site on a high port number unless you pass a commandline argument in each time you run it. Ludicrous.

      • I have stiff in the 8000 range and have no problems.

        • by jez9999 ( 618189 )

          I think it's because I'm running it on one of the ports that Chrome considers to be "really dangerous" because it's used by another common protocol, as specified in this list:

          http://tech-stuff.org/which-po... [tech-stuff.org]

          It's really rather annoying that they assume they know better than me when I explicitly specify the port in the address bar. We're not talking about XSRF here.

      • Pale Moon makes me break out in a rash.

        I'm not saying that to piss you off.

        There's something about it that just doesn't seem right.

        I'd agree with you if your position that it's just me, OK?

        I could run it while Network Monitor is up (I have WireShark but like NM better) so I could maybe see what's up, but I'm a retired and tired IT guy and I'm not in the mood to do a deep dive.

        I use DuckDuckGo, Firefox in Private Browser, NoScript, ADBlock Plus, uBlock Origin and No Coin.

        I erase all temp files, including bro

  • Google forcing "security" on people it has already stolen identities from.
    • Google is protecting the 'security' on identities that it wants to be the sole exploiter of.

    • Google forcing "security" on people it has already stolen identities from.

      Annnnnnnd? Holy hell - you are correct! I never thought of it this way, but Got-Damn, get that post to +5

  • Certificate issuance has become yet another excuse to indulge rent-seeking behaviors. Just burn it all down.

  • Squatty Potty

    Not Squatty Potty!

  • 1 site in every 878 not working with a browser doesn't seem like much. Have things actually gotten that stable?

    I don't think slashdot has been up 1/100th of the last year. Wasn't there an outage of several days less than a year ago?

    Even Amazon has had significant outages this year. Netflix was down some. No site seems above having an outage. And even if they are, there are still many times a year that my own internet goes out - certainly more often than my electricity goes out.

    The internet is not a stable,

    • Comment removed based on user account deletion
    • TFS : Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa,

      RhettLivingston on 2018-10-09 3:55 (#57449150) : 1 site in every 878 not working with a browser doesn't seem like much.

      Very much my first thought - a relatively small number of incompetents or recalcitrants.

      The really depressing thing about it is, the first actual examination of the numbers comes about 90% down the list of Slashdot comments.

  • A company wants to make the internet safe for its own ads.
    Find a better browser.
  • Let's hope that will help those people who bought hyper-expensive Verisign certs understand that for 1/10 of the price, they had a better working alternative.
  • by DrXym ( 126579 ) on Tuesday October 09, 2018 @03:51AM (#57449634)
    At the end of the day I would trust a site more if I recognised who bestowed trust onto it.

    Why can't banks have other financial institutions sign their certs? Why can't Google, Facebook, Apple et al, hold a key signing party? Why can't lawyers get their certs signed by their bar association? Why can't government websites have certs signed by their governments, which in turn might be signed by other governments?

    It doesn't stop CAs from being signatories too if somebody pays $$$ for them to do it. But when ONLY CAs are allowed to sign certs, the security of sites is brittle and expensive. And often the signature is worthless other than it makes some scary box go away on the browser.

    • Why can't banks have other financial institutions sign their certs?

      Why can't each person individually verify and determine the trust of every request they send to the internet in order to determine their exposure and level of security? Oh wait I know the answer to this: It's fucking stupid.

  • If you don't like the current system of certificate authorities and certificate transparency (which google championed), please tell me a better way for me to trust a site on the internet?
    CAs are now audited and the auditing is getting much better. With certificate transparency I can check, near real time, every EV cert a CA issues. If they issue one in secret there is a high probability they will be caught.

    Symantic should have been dropped a while ago, as they proved to be untrusted. They were just to

Genius is ten percent inspiration and fifty percent capital gains.

Working...