Google Requires Symantec To Adopt 'Certificate Transparency' Following Rogue Certificate Discoveries

[Lucian Armasu]

After Symantec admitted to many more certificates being created for Google and other companies, which were never requested, Google will require Symantec to submit to a third-party audit and adopt the Certificate Transparency log system by June 1, 2016.

Google Requires Symantec To Adopt 'Certificate Transparency' Following Rogue Certificate Discoveries : Read more

 

[hotroderx]

I think google is getting to big for its self. I mean its great they caught this and want to help make things more secure. At the same time who will police google? I mean chrome is a very widely used browser. Its almost everywhere along with google. What happens when google makes risky choices who will step in and say no... Such as Android Security? Android security is in shambles and the hole blaming the carriers thing really holds no water if you look at it unbiased. Special when there willing to trade blows with someone like Symantec over security concerns. At this point do you really think if Google told someone like Verizon. That they will update the phones with security patches on android. Verizon would say no and risk having android yanked from there phone line up? What would they sell? Its pretty much Android, IOS, or Windows.. that it so yea.. So yea whos watching google again? To me coming down on one company and making demands while they them self's have security concerns is kind of the pot calling the kettle black. Though I do admit both issues are major issues when it comes down to it.

 

[jeremy2020]

So you're saying that because security holes exist, we shouldn't have any security? That's a ridiculous idea.

That's like saying because I don't have a security alarm system in my house, I shouldn't tell you to lock your doors.

 

[hotroderx]

Ok that's one way to look at what I wrote but no. What I am trying to say is that company not related to google and with no ties to google should be looking into this. Since goggle doesn't want to clean up the mess that is Android yes Android security is a mess. Then they have no right to tell other companies they have to become more secure lala. That's the problem with google. I remember when the company first started. They where amazing they where the kinda company that you trusted. Now days I feel there is less and less to trust about google. I am positive there are companies dedicated to going out and finding these sorts of problems with web pages and what have you. Google really wanted to what's stopping them from making a donation to one of these companies along with the information then stepping away.

The over all point of my previous post is simply this... at what point does google stop? What happens if they decide they don't like So and So webpage... and block it from google services? Who is to stop them. While I feel its there right as a company to do as they please. At the same time I think it needs to be regulated how big a company can get otherwise. They become so large there in a position to dictate everything that happens ruling over a market.

 

[toadhammer]

So, you're saying that since a company essential "stole" a google.com certificate, someone other than google should decide whether a google product should continue working with the suspect company?

Just trying to see your logic here....

 

[Zarthia AKA Thomas]

Google didnt know that the certificate exsisted and if you think logicly about it, the only way they would of detected this and the other EV is if they where used(They appeared in the CT log after all).

So symantic employess created fake google certificates and used them allegedly for testing purposes on the internet and not in a closed lab. The big question is what where they testing that they need a google certificate for?

 

[Guest]

The bigger issue is can we still trust Symantec after this fiasco. If they can't control their own security, why would we want to trust ours to them?

 

[alextheblue]

So you're saying that because security holes exist, we shouldn't have any security? That's a ridiculous idea.

That's like saying because I don't have a security alarm system in my house, I shouldn't tell you to lock your doors.

That's a terrible analogy.

The issue as I see it is who put Google in charge of controlling certificates and handling certificate transparency? It quickly becomes apparent that Google put themselves in charge, by using their dominant browser marketshare as a weapon to strongarm CAs to submit to their CT system.

So what they're doing is good in most regards, but they're overstepping their bounds here by making themselves the world Certificate Authority Authority (CAA). This really should be handled by a consortium instead. If Google, Apple, Microsoft, Firefox, et al had a joint CT group I wouldn't be as concerned.

 

[therealduckofdeath]

That is a terrible argument, alextheblue. I mean, WTF? No one put Google in charge of controlling certificates. Anybody is allowed to question the state of things, including Google. Maybe you yourself should stop whinging about them publicly as you clearly has a negative bias towards them, no matter what they do?

 

[psiboy]

I think google is getting to big for its self. I mean its great they caught this and want to help make things more secure. At the same time who will police google? I mean chrome is a very widely used browser. Its almost everywhere along with google. What happens when google makes risky choices who will step in and say no... Such as Android Security? Android security is in shambles and the hole blaming the carriers thing really holds no water if you look at it unbiased. Special when there willing to trade blows with someone like Symantec over security concerns. At this point do you really think if Google told someone like Verizon. That they will update the phones with security patches on android. Verizon would say no and risk having android yanked from there phone line up? What would they sell? Its pretty much Android, IOS, or Windows.. that it so yea.. So yea whos watching google again? To me coming down on one company and making demands while they them self's have security concerns is kind of the pot calling the kettle black. Though I do admit both issues are major issues when it comes down to it.

@ hotroderx the idiots at Symantec tell me my own router's ip address is unsafe! I'm sure this lapse with certifates will bring back the CIA backdoor theory in your internet security! Are you running Norton/Symantec products on your pc(s) hotroderx?