Google Requires Symantec To Adopt 'Certificate Transparency' Following Rogue Certificate Discoveries

Status
Not open for further replies.

hotroderx

Distinguished
May 15, 2008
343
0
18,810
5
I think google is getting to big for its self. I mean its great they caught this and want to help make things more secure. At the same time who will police google? I mean chrome is a very widely used browser. Its almost everywhere along with google. What happens when google makes risky choices who will step in and say no... Such as Android Security? Android security is in shambles and the hole blaming the carriers thing really holds no water if you look at it unbiased. Special when there willing to trade blows with someone like Symantec over security concerns. At this point do you really think if Google told someone like Verizon. That they will update the phones with security patches on android. Verizon would say no and risk having android yanked from there phone line up? What would they sell? Its pretty much Android, IOS, or Windows.. that it so yea.. So yea whos watching google again? To me coming down on one company and making demands while they them self's have security concerns is kind of the pot calling the kettle black. Though I do admit both issues are major issues when it comes down to it.
 

jeremy2020

Distinguished
May 12, 2011
73
0
18,630
0
So you're saying that because security holes exist, we shouldn't have any security? That's a ridiculous idea.

That's like saying because I don't have a security alarm system in my house, I shouldn't tell you to lock your doors.
 

hotroderx

Distinguished
May 15, 2008
343
0
18,810
5
Ok that's one way to look at what I wrote but no. What I am trying to say is that company not related to google and with no ties to google should be looking into this. Since goggle doesn't want to clean up the mess that is Android yes Android security is a mess. Then they have no right to tell other companies they have to become more secure lala. That's the problem with google. I remember when the company first started. They where amazing they where the kinda company that you trusted. Now days I feel there is less and less to trust about google. I am positive there are companies dedicated to going out and finding these sorts of problems with web pages and what have you. Google really wanted to what's stopping them from making a donation to one of these companies along with the information then stepping away.

The over all point of my previous post is simply this... at what point does google stop? What happens if they decide they don't like So and So webpage... and block it from google services? Who is to stop them. While I feel its there right as a company to do as they please. At the same time I think it needs to be regulated how big a company can get otherwise. They become so large there in a position to dictate everything that happens ruling over a market.
 

toadhammer

Distinguished
Nov 2, 2012
112
2
18,685
0
So, you're saying that since a company essential "stole" a google.com certificate, someone other than google should decide whether a google product should continue working with the suspect company?

Just trying to see your logic here....
 

Zarthia AKA Thomas

Reputable
Oct 29, 2015
1
0
4,510
0
Google didnt know that the certificate exsisted and if you think logicly about it, the only way they would of detected this and the other EV is if they where used(They appeared in the CT log after all).

So symantic employess created fake google certificates and used them allegedly for testing purposes on the internet and not in a closed lab. The big question is what where they testing that they need a google certificate for?
 
G

Guest

Guest
The bigger issue is can we still trust Symantec after this fiasco. If they can't control their own security, why would we want to trust ours to them?
 

alextheblue

Distinguished
Apr 3, 2001
3,078
106
20,970
2
So you're saying that because security holes exist, we shouldn't have any security? That's a ridiculous idea.

That's like saying because I don't have a security alarm system in my house, I shouldn't tell you to lock your doors.
That's a terrible analogy.

The issue as I see it is who put Google in charge of controlling certificates and handling certificate transparency? It quickly becomes apparent that Google put themselves in charge, by using their dominant browser marketshare as a weapon to strongarm CAs to submit to their CT system.

So what they're doing is good in most regards, but they're overstepping their bounds here by making themselves the world Certificate Authority Authority (CAA). This really should be handled by a consortium instead. If Google, Apple, Microsoft, Firefox, et al had a joint CT group I wouldn't be as concerned.
 

therealduckofdeath

Honorable
May 10, 2012
783
0
11,160
70
That is a terrible argument, alextheblue. I mean, WTF? No one put Google in charge of controlling certificates. Anybody is allowed to question the state of things, including Google. Maybe you yourself should stop whinging about them publicly as you clearly has a negative bias towards them, no matter what they do?
 

psiboy

Distinguished
Jun 8, 2007
180
1
18,695
3
I think google is getting to big for its self. I mean its great they caught this and want to help make things more secure. At the same time who will police google? I mean chrome is a very widely used browser. Its almost everywhere along with google. What happens when google makes risky choices who will step in and say no... Such as Android Security? Android security is in shambles and the hole blaming the carriers thing really holds no water if you look at it unbiased. Special when there willing to trade blows with someone like Symantec over security concerns. At this point do you really think if Google told someone like Verizon. That they will update the phones with security patches on android. Verizon would say no and risk having android yanked from there phone line up? What would they sell? Its pretty much Android, IOS, or Windows.. that it so yea.. So yea whos watching google again? To me coming down on one company and making demands while they them self's have security concerns is kind of the pot calling the kettle black. Though I do admit both issues are major issues when it comes down to it.
@ hotroderx the idiots at Symantec tell me my own router's ip address is unsafe! I'm sure this lapse with certifates will bring back the CIA backdoor theory in your internet security! Are you running Norton/Symantec products on your pc(s) hotroderx?
 
Status
Not open for further replies.

ASK THE COMMUNITY