Symantec Responds To Google Distrusting Its Certificates

Google should just kill the said certificates and make them ask for the certification again... Don't take Symantec trying to force the certificates' acceptance. It was Symantec's fault!
 
This sounds a lot like our conversations to vendors, "Us: you screwed up and almost compromised the entire system, we are switching to someone else. Them: Ohhh.. it wasn't THAT bad, you were not compromised.. probably.. Plus we are pretty sure it's all your fault. Us: Riiighht... bye bye."
 
Symantec is quickly becoming synonymous with "grossly negligent" and "highly insecure". Google also skewered them over their antivirus software last year:

"Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries ... but hadn't updated them in at least 7 years"
 
At least Google is being reasonable with their mitigation option. Incrementally shorter trust periods is a good thing. Let's Encrypt has been working in that direction since inception, and it's free.
https://letsencrypt.org/
 
There is an easy solution. If Google Chrome says the certificate is invalid, all they have to do is "add an exception" and then they can access the site. It will still use https and be encrypted. The only purpose of an SSL certificate is to basically say "this site is legitimate" but in a work/business environment I would think people would know where they are going and if it's safe (hopefully). Additionally, having a certificate doesn't necessarily even mean the site is safe. Your data can still be compromised. I have acquired a certificate (I think it was from Comodo) for my website before, and I have to say they have absolutely no idea what I can do with my website even though I have said certificate saying it is safe.

SSL certificates have always been somewhat of a money grab IMO. It doesn't actually change the connection or encryption. It's more of a business gimmick of "give us money and we'll give you a certificate saying your site is safe and friendly". It gets even more crazy: if you want your website to have that "green lock" in the URL address bar of your web browser, you have to pay a ton of money to the certificate company, I'm talking like over $100,000 from what I recall. Big corporations like microsoft.com will have this.



TL;DR certificates are a money grab that don't really change the connection at all. They're supposed to mean a site is legit and safe but undoubtedly an unsafe site can surely get a certificate. Idealistically the certificate companies should be looking at the sites that have their certificates to ensure the safety, but I don't think that happens.
 
If a jack the hack redirects DNS to point to a copy of said website, he would have to steal the private key to get out of making bob the knob have to add an exception.
 


That is not how it works brochacho.
 