Symantec Responds To Google Distrusting Its Certificates

Status
Not open for further replies.

Lkaos

Honorable
Dec 13, 2014
400
0
10,860
Google should just kill the said certificates and make them ask for the certification again... Don't take Symantec trying to force the certificates' acceptance. It was Symantec's fault!
 

problematiq

Reputable
Dec 8, 2015
443
0
4,810
This sounds a lot like our conversations with vendors. "Us: you screwed up and almost compromised the entire system, we are switching to someone else. Them: Ohhh.. it wasn't THAT bad, you were not compromised.. probably.. Plus we are pretty sure it's all your fault. Us: Riiighht... bye bye."
 

kenjitamura

Distinguished
Jan 3, 2012
195
3
18,695
Symantec is quickly becoming synonymous with "grossly negligent" and "highly insecure". Google also skewered them over their antivirus software last year:

"Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries ... but hadn't updated them in at least 7 years"
 

ammaross

Distinguished
Jan 12, 2011
269
0
18,790
At least Google is being reasonable with their mitigation option. Incrementally shorter trust periods is a good thing. Let's Encrypt has been working in that direction since inception, and it's free.
https://letsencrypt.org/
 
There is an easy solution. If Google Chrome says the certificate is invalid, all they have to do is "add an exception" and then they can access the site. It will still use https and be encrypted. The only purpose of an SSL certificate is to basically say "this site is legitimate" but in a work/business environment I would think people would know where they are going and if it's safe (hopefully). Additionally, having a certificate doesn't necessarily even mean the site is safe. Your data can still be compromised. I have acquired a certificate (I think it was from Comodo) for my website before, and I have to say they have absolutely no idea what I can do with my website even though I have said certificate saying it is safe.

SSL certificates have always been somewhat of a money grab IMO. It doesn't actually change the connection or encryption. It's more of a business gimmick of "give us money and we'll give you a certificate saying your site is safe and friendly". It gets even crazier: if you want your website to have that "green lock" in the URL address bar of your web browser, you have to pay a ton of money to the certificate company, I'm talking like over $100,000 from what I recall. Big corporations like microsoft.com will have this.

TL;DR: certificates are a money grab that don't really change the connection at all. They're supposed to mean a site is legit and safe, but undoubtedly an unsafe site can surely get a certificate. Idealistically the certificate companies should be looking at the sites that have their certificates to ensure their safety, but I don't think that happens.
 

hoofhearted

Distinguished
Apr 9, 2004
1,020
0
19,280
If a Jack the Hack redirects DNS to point to a copy of said website, he would have to steal the private key to get out of making Bob the Knob have to add an exception.
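Added illustration, not from any poster in this thread, of what the browser actually checks in the two scenarios above, using Go's standard crypto/x509: a certificate passes only if it chains to a root in the client's trust store and names the requested host. A self-signed copy of the site fails (no CA, no real key), and the genuine certificate fails too once its CA is pulled from the root store, which is what distrusting a CA amounts to. The names demo-root-ca.test and example.com are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a key pair and a certificate for name. With parent == nil it is self-signed; otherwise parent issues it with parentKey.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG is broken
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // good enough for a throwaway demo
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the name a browser matches the URL host against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // any error resurfaces from ParseCertificate below
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted does what a browser does: leaf must chain to one of roots AND carry host in its SANs.
func trusted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // an empty pool trusts nobody; nil would mean the system roots
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	ca, caKey, _ := newCert("demo-root-ca.test", true, nil, nil)
	site, _, _ := newCert("example.com", false, ca, caKey) // genuine cert issued by the CA
	fake, _, _ := newCert("example.com", false, nil, nil)  // self-signed copy: no CA, no real key
	fmt.Println(trusted(site, []*x509.Certificate{ca}, "example.com"), // true
		trusted(site, nil, "example.com"),                       // false: CA distrusted, cert unchanged
		trusted(fake, []*x509.Certificate{ca}, "example.com"))   // false: unknown authority
}
```

Note that "adding an exception" in the browser simply skips the trusted() check; the TLS encryption is the same either way, only the identity assertion is gone.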
 

problematiq

Reputable
Dec 8, 2015
443
0
4,810


That is not how it works brochacho.
 