No root for you! Google slams door on Symantec certs

The four-month row between Google and Symantec over SSL certificate issuing has just gone nuclear, with the Chocolate Factory making good on its threats and beginning a blockade. "Over the course of the coming weeks, Google will be moving to distrust the 'Class 3 Public Primary CA' root certificate operated by Symantec …

Silver badge

No Certs for You!

Love the Soup Nazi reference...

2
0
Anonymous Coward

My private 8192 bit IDEA self-signed cert is also seen as untrustworthy by Chrome, even though I'm the only one using it.

3
0
Flame

Pesky Certs

Yep... I have the same problem with my Sec-P521 and Curve-25519 certs...

In fact not being able to install your own Root in Android is fast becoming a PITA and sucks... mind you so does not having 'administrator' (root) rights over a device that you purchased and own outright... argh!

M

0
0

This post has been deleted by a moderator

This post has been deleted by a moderator

Silver badge

What's the problem?

Symantec tells Google they're retiring a cert. Google removes the certs from their gear.

What am I missing, what's the issue? What did I miss?

1
0
Silver badge

Re: What's the problem?

Follow the link. Symantec generates fake certificates for testing, development, and other "non-public" uses. Those leaked once and Google is worried that they will leak again. If I read between the lines, I think that Google suspects Symantec of being forced to create them for covert spying. That would put Google's hard-earned hoard of extremely personal and extremely valuable data at risk.

14
0
Silver badge

Re: What's the problem?

Or covert spying for some 3-letter agencies perhaps.

2
1

Re: What's the problem?

So why are Symantec so bothered when they say they are removing these certs...sometime...soonish..anyway...?

0
0
Anonymous Coward

Re: What's the problem?

They are saying that they are continuing to use the certificates for non-public use cases... so the retirement is only for public use cases, like generating certificates for you, but not for the other non-public use cases.

0
0

Re: What's the problem?

Does that include M&S ?

1
1
Anonymous Coward

Google alarmist?

Symantec are a million times worse, I have read their recent scare stories about Android security. They destroyed all their credibility.

6
1
Silver badge
Thumb Down

Re: Google alarmist?

"Symantec are a million times worse, I have read their recent scare stories about Android security."

Similarly, I read their recent scare story about OS X. One attack they emphasised could of course be remedied by using their products, but they managed to omit the simple truth that if you don't have Java installed, that attack is a non-issue.

Java hasn't been a part of the default installation of OS X for several years now.

I rest the case, M'Lud.

1
1
Silver badge

Re: Google alarmist?

If one uses a smartphone as an enhanced cellphone, limits one's surfing to minimal sites and never uses it for shopping or banking, most of the problems more or less disappear.

0
1
Alert

Re: Google alarmist?

> If one uses a smartphone as an enhanced cellphone, limits
> one's surfing to minimal sites and never uses it for shopping or
> banking, most of the problems more or less disappear.

That is far from true and an example of how people generally don't understand security issues. Lacking proper security, your device can be hijacked remotely and the hijacker can impersonate you, for example in mail and social networks.

0
0

Why should a third party exclusively decide what certificates I can use?

1
3
Silver badge

You can tell Chrome to trust any certificate you want. Most people prefer to leave it to someone who knows what they are doing.

12
0
Linux

this...

and while we're at it if you are worried about catching an ITD, here's a really nice isolation tool for all Linux kernels > 3.X.

Seriously, I am surprised this jail concept is not rolled into a distro yet...

P.

2
0
Silver badge

Re: this...

"Seriously, I am surprised this jail concept is not rolled into a distro yet..."

There are probably a number of these sorts of tools. After all, they're just a glorified version of LD_PRELOAD - just trap library calls and reroute or deny them as applicable.

0
0
Silver badge

Re: this...

"Seriously, I am surprised this jail concept is not rolled into a distro yet..."

From the linked site: "June 2015 – Firejail included in Debian."

0
0
Linux

Re: this...

I should clarify. I did "apt-get firejail", and read about the services it limits.

I was suggesting that it should somehow be integrated as a default such that to *not* use it, you use a tool.

Sandboxing "for free" would seem to be a generally good idea.

To add one more data point, this is how I would run Android apps on the (linux) desktop.

Maybe that would plug a hole in the desktop-ecosystem....?

P.

0
0
Gold badge
Facepalm

Well, that would work, if Google knew what they were doing. Their products positively encourage ignoring security warnings, 'cos they're so bloody anal about everything that the damned things appear all the time.

My favourite piece of arsehattery (which sums up Google's approach in this area) is Chrome's refusal to use SSL when the server's certificate fails to jump through all of Google's hoops, forcing fallback to an open connection. This is more secure how exactly.....?

0
0

Symantec is and always has been a crap company, doing a half-assed job at whatever endeavor they've belatedly taken up.

I'm surprised they aren't manufacturing unfiltered printer ink yet.

8
0
Silver badge

"I'm surprised they aren't manufacturing unfiltered printer ink yet."

Completely OT but I think you may have stumbled on a wonderful marketing opportunity here. Unfiltered printer ink. To be sold in the cold cabinet at Waitrose and other upmarket outlets, and also to those people who wish to print out their naughty pictures and want uncensored ink.

Anybody know any rich and gullible VCs?

4
0
Anonymous Coward

Symantec is and always has been a crap company...

The largest step-function improvement in my tech lifestyle was uninstalling Norton AntiVirus.

It was like moving from a potholed province to somewhere with smooth pavement.

Those scumbags owe me hundreds of hours of troubleshooting their crapware.

They can all burn in a special section of hell as far as I'm concerned.

Bloody sockcutters.

6
0
Silver badge
Joke

Re: "I'm surprised they aren't manufacturing unfiltered printer ink yet."

@Voyna i Mor

To be sold in the cold cabinet at Waitrose and other upmarket outlets, and also to those people who wish to print out their naughty pictures and want uncensored ink.

just checked.

http://www.waitrose.com/shop/HeaderSearchCmd?searchTerm=Duchy+Originals+Extra+Virgin+Organic+Unfiltered+Printer+Ink&defaultSearch=GR&search=

You searched for Duchy Originals Extra Virgin Organic Unfiltered Printer Ink: (0 results found)

0
0
Anonymous Coward

Duchy Originals Extra Virgin Organic Unfiltered Printer Ink:

(Which *must* be one of the weirdest post titles ever)

Ah, the "cleverness" of a keyword approach to searching, just bring back anything with a keyword, rather than understanding the question.

There are a few queries which I have discovered are "unGoogleable" - Google never returns the correct answer because it doesn't comprehend the question.

"What is the Latin word for spelling" is one - try and Google it - you'll have loads of hits about sites with Latin spellings of words...

0
0
Silver badge
Headmaster

Your GoogleFu is weak

Try doing it as a Boolean search, then you get your answers.

0
0
x 7
Silver badge

so when are google going to block such nasties as certs originating from China, or Russia, Turkmenistan......

0
1
Anonymous Coward

so when are google going to block such nasties as certs from China, Russia, Turkmenistan

Are you referring to any actual cases of security issues or are you just trying to outdo Trump ?

We are talking about Root Certificates not certificates issued to individuals -- people with Root Certificates have a special trusted status so that they can verify all other certificates.

1
0
Silver badge
Headmaster

Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

"or are you just trying to outdo Trump ?"

You mean to trump Trump?

0
0
x 7
Silver badge

Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

@soren

"We are talking about Root Certificates"

exactly.......so given recent news articles re government hacking and fake government mandated certs, blocking any from Commieland seems a good idea

0
1
Silver badge
FAIL

Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

"blocking any from Commieland seems a good idea"

McCarthy would be proud of you.

1
0
Anonymous Coward

Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

"You mean to trump Trump?"

Nelly the Elephant goes one better and Trumps Trump Trump.

0
0
x 7
Silver badge

Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

"McCarthy would be proud of you."

yes, McCarthy was a great upholder of human rights and freedoms. He knew what those red commie bastards were up to.......

0
0
Anonymous Coward

Yawn... this AGAIN?

RFC 6698 -- put your certificate hash in DNS

2
0
Anonymous Coward

Re: Yawn... this AGAIN?

The only problem is that RFC6698 (DANE / TLSA) is not actually yet supported by any browser. Otherwise, I love the idea.

0
0
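Added example, not part of any comment in this thread: how the RFC 6698 (DANE/TLSA) "certificate hash in DNS" mentioned above is computed and checked against a DER certificate. The function names and the sample are hypothetical; the sample is a constructed skeleton with X.509 field order rather than a real certificate, and the usage field is parsed but not evaluated.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, tbs_at, _ = read_tlv(cert_der, 0)          # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, tbs_at)        # tbsCertificate SEQUENCE
    tag, _, after = read_tlv(cert_der, pos)
    pos = after if tag == 0xA0 else pos           # skip optional [0] version
    for _ in range(5):            # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

HASHES = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

def association_data(cert_der, selector, mtype):
    """RFC 6698 data: selector 0 = whole cert, 1 = SPKI; mtype 0/1/2."""
    if selector not in (0, 1) or mtype not in HASHES:
        raise ValueError("unsupported selector or matching type")
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    return HASHES[mtype](blob).hex()

def tlsa_matches(rdata, cert_der):
    """Check a TLSA RDATA string 'usage selector mtype hex' against a cert."""
    _usage, selector, mtype, hexdata = rdata.split(None, 3)
    want = "".join(hexdata.split()).lower()
    return association_data(cert_der, int(selector), int(mtype)) == want

def _tlv(tag, body):              # DER encoder used only for the sample below
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

# Constructed skeleton with X.509 field order (not a real, signed certificate).
SAMPLE_SPKI = _tlv(0x30, b"\x42" * 200)
_tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
        + _tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _tlv(0x30, _tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
SAMPLE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

A "3 1 1" record pins the SHA-256 of the server's public key, so it keeps matching when the certificate is reissued with the same key, whereas a selector 0 record has to be republished with every new certificate.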


Biting the hand that feeds IT © 1998–2017