Google Doesn't Trust Symantec Security Checks

cageymaru

Google Chrome will start rejecting some certificates issued from Symantec on the basis that Symantec isn't validating them correctly. According to a Google blog post, it started as 127 certificates and then grew to some 30,000 standard and extended certificates being suspect. Symantec is very upset and called Google's claims "exaggerated and irresponsible." They also want to know why they are being singled out when others have been accused of doing the same. The end result is that Google Chrome will start warning users of potential certification issues at websites using Symantec certificates, and some will even be blocked by the browser.

Regardless of Symantec's feelings, they should take responsibility and fix the issue. All of this hoping that it will be swept under the rug and forgotten isn't going to fix the issue. I think Google is in the right in regards to this matter.

> As captured in Chrome’s Root Certificate Policy, root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs.
>
> On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.
>
> These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.
I love that Symantec is taking the elementary school approach, pointing the finger at others doing the same thing, while not wanting to accept responsibility for their own actions or lack thereof.

If they'd just acknowledge they have an issue, accept Google is protecting its users and simply work on fixing their problem, they'd seem a bit more wise in the matter.
 
> I love that Symantec is taking the elementary school approach, pointing the finger at others doing the same thing, while not wanting to accept responsibility for their own actions or lack thereof.
>
> If they'd just acknowledge they have an issue, accept Google is protecting its users and simply work on fixing their problem, they'd seem a bit more wise in the matter.
It's like if on a section of highway only blacks are pulled over for speeding, it would be considered a problem. Selective enforcement is an abuse in and of itself aside from what Symantec is doing. Symantec and others on the list are guilty for their thing, Google is guilty for their thing.
 
Symantec is a poorly managed company that cares very little for quality or support. Every time they've bought out a company or product line, it has ended up in far worse shape in short order. As far as I'm concerned, Google can move forward with this plan, and we'll be better off for it.
 
 
Signature based detection is quickly becoming irrelevant.
 
> Signature based detection is quickly becoming irrelevant.

And water is wet at room temp. While both of these are true, I'm not sure what this has to do with the topic. We are talking about the branch of Symantec that was formerly known to the world as Verisign before it was purchased by Symantec, and which issues many SSL certs used on sites and other secure connections.
 
Interesting... (only because of the subject matter). I noticed the cert lock was broken in the address bar for this thread, and checked out the issue. Turns out mixed content is being served on the page by way of a butt-hurt detector.
 
Nothing new here. I'm using a Symantec certificate for our company's SSL VPN portal and Chrome gives a cert warning; it's been like that for a long time.

There was an incident at Symantec some time ago where some employee issued a certificate for google.com he wasn't supposed to, and that really pissed Google off.
 
> It's like if on a section of highway only blacks are pulled over for speeding, it would be considered a problem. Selective enforcement is an abuse in and of itself aside from what Symantec is doing. Symantec and others on the list are guilty for their thing, Google is guilty for their thing.

What if all the drivers are the same color (internet security firms) and one appears to be driving erratically more often than the rest? That driver should become a principal target for enforcement. It doesn't mean that other offenders don't exist or that they aren't targeted for enforcement. It simply means they erred less frequently thereby attracting less attention than the standout.

If an individual using Chrome hits this speed bump, they merely have to click on Edge and Shazam! They're in like Flint and potentially lacking just as much protection!

There's no rule that Google has to block all CAs' questionable certificates at the same time or even who should be first when such a situation arises. And who is to say Google is or isn't targeting any of the others, besides Google? Certainly not Symantec!

There also seems to be no word on how many of those other CAs' certificates are alleged to have been incorrectly issued (alone or in comparison), whether those CAs have been in communication with Google and are actively coordinating their remediation activities with them, and not a glimmer of how high profile the intended use of the incorrect certificates is, i.e., Mom and Pop small businesses vs. major players.

Based on history (below) though, I doubt Symantec was blindsided by Google's findings and more caught off guard while they were dragging their feet in addressing the problem. They seem to have a history of the latter.

It shouldn't have been a problem to begin with given Symantec's "extensive remediation measures" and more than a year's notice that this type of action by Google could and would be taken in such instances in order to protect Google product users from potential harm.

Google Security Blog - October 2015
> Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.
>
> It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner.
>
> After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products.
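To make the policy the thread is arguing about concrete, here is an added shell example (not code from the thread, Google or Symantec) that builds a throwaway CA with a Symantec-looking organisation name, issues a leaf from it, and applies a Chrome-style check: does the leaf chain to a Symantec brand, and if so, does it carry an embedded Certificate Transparency SCT list as the October 2015 post required after June 1, 2016? It assumes the openssl CLI is installed; the brand list, the test domain and the CA names are constructed for the demo.

```shell
#!/bin/sh
# Added illustration (not Google's or Symantec's code): build a throwaway CA
# whose organisation name mimics a Symantec-branded issuer, issue a leaf from
# it, then apply a Chrome-style policy check to the leaf: flag certificates
# chaining to Symantec brands, and report whether such a certificate carries an
# embedded Certificate Transparency SCT list, which Chrome required of
# Symantec-issued certificates after June 1, 2016.
set -e
WORK=$(mktemp -d)

# Issuer organisation names treated as "Symantec" here (assumed brand list).
SYMANTEC_BRANDS='Symantec|VeriSign|Thawte|GeoTrust'
# OID of the embedded SCT list extension (RFC 6962, section 3.3); recent
# OpenSSL builds print it by name instead, so both forms are accepted below.
SCT_OID='1.3.6.1.4.1.11129.2.4.2'

# make_chain ORG PREFIX: self-signed root for ORG plus one leaf it signs.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj "/O=$1/CN=$1 Test Root" \
        -keyout "$WORK/$2-ca.key" -out "$WORK/$2-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=www.example.test' \
        -keyout "$WORK/$2-leaf.key" -out "$WORK/$2-leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2-leaf.csr" -CA "$WORK/$2-ca.pem" \
        -CAkey "$WORK/$2-ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$WORK/$2-leaf.pem" >/dev/null 2>&1
}

# classify_leaf LEAF.pem: prints OK, SYMANTEC_WITH_SCT or SYMANTEC_NO_SCT.
classify_leaf() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    if ! printf '%s\n' "$issuer" | grep -Eq "$SYMANTEC_BRANDS"; then
        echo OK
        return 0
    fi
    if openssl x509 -in "$1" -noout -text |
        grep -Eq "CT Precertificate SCTs|$SCT_OID"; then
        echo SYMANTEC_WITH_SCT
    else
        echo SYMANTEC_NO_SCT        # what Chrome would warn on after June 2016
    fi
}

make_chain 'Symantec Corporation' sym
make_chain 'Example Trust Services' other
echo "sym leaf:   $(classify_leaf "$WORK/sym-leaf.pem")"     # SYMANTEC_NO_SCT
echo "other leaf: $(classify_leaf "$WORK/other-leaf.pem")"   # OK
```

A real Symantec-issued certificate from after the deadline would normally show SYMANTEC_WITH_SCT, since the SCTs are embedded at issuance; the constructed leaf here has none, which is exactly the case Chrome flagged.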
 
Google picking winners and losers again. Say it ain't so
 
I haven't trusted Symantec with anything for ages. In my book it's bloated and corrupt.
 
I started to notice this last week when I was browsing my usual spread of sites and noticed warning icons in the top right corner of the address bar saying that the site's Symantec credentials aren't trustworthy. I didn't know what it was all about till now.
 
This coming from the same company that allows extensions to run in the background if their browser is closed, by default. Chrome is great for ID10T's but I personally do not run it. I don't like the fact that it installs two Google updates, one called googleupdate, the other called googleupdatem, in services. And they never explain what each one does. I find it interesting that if you love Google and use all the nice things they have, they share all the info with third parties without your consent. Most high end security places will not allow Chrome anywhere in the offices.

Just My 2 cents. You can flame me all you want. I just go by experience.
 
> I don't like the fact that it installs two google updates one called googleupdate the other called googleupdatem in services.

Let me preface by stating, I'm not flaming you.

GoogleUpdate sends information, such as version number, language, operating system, and other installation or update-related details, back to Google servers so installed Google software may be automatically updated with the most current release in the background. One is run at startup, and the service maintains checks at regular intervals, i.e. as a task.

It ensures users have the most up-to-date and secure release without the bother of having to check, download and install it themselves. When it comes to the mostly unenlightened masses using these products, this is a bonus. Although they could allow us to manage it better, this isn't any different from how Apple or Microsoft maintain their software.

Personally, I like to keep tabs on updates and disable Google Update in startup and do the same to the service. If a Google app requires an update I either re-enable the service or download a new package and install it myself. I used to manage OS updates in a similar manner before Windows 10 forced them.

As for Chrome not being allowed in various environments, I can tell you from my experience, it boils down to reasons of compatibility and reduced complexity in the production environment.

A single browser strategy can...
  • Eliminate the need to build, optimize, test and maintain, in-house web applications for multiple browser platforms.
  • Reduce the complexity of creating, testing and maintaining, multiple client build packages on corporate distribution servers.
  • Reduce the complexity of administering and supporting the production environment.
  • Simplify training and support of end users.
Allowing only one browser to be used streamlines every part of the business associated with it and in turn reduces costs. So, be it Microsoft, Apple or {insert Linux distro}, it makes sense to use the browser bundled with the OS or simply the one best suited to the customer's environment.
 
> A single browser strategy can...
>   • Eliminate the need to build, optimize, test and maintain, in-house web applications for multiple browser platforms.
>   • Reduce the complexity of creating, testing and maintaining, multiple client build packages on corporate distribution servers.
>   • Reduce the complexity of administering and supporting the production environment.
>   • Simplify training and support of end users.

You forgot the 'drive people nuts if that browser is IE' part.
 