No root for you! Google slams door on Symantec certs

The four-month row between Google and Symantec over SSL certificate issuing has just gone nuclear, with the Chocolate Factory making good on its threats and beginning a blockade. "Over the course of the coming weeks, Google will be moving to distrust the 'Class 3 Public Primary CA' root certificate operated by Symantec …

  1. chivo243 Silver badge

    No Certs for You!

    Love the Soup Nazi reference...

  2. Anonymous Coward
    Anonymous Coward

    My private 8192 bit IDEA self-signed cert is also seen as untrustworthy by Chrome, even though I'm the only one using it.

    1. Mike Tubby
      Flame

      Pesky Certs

      Yep... I have the same problem with my Sec-P521 and Curve-25519 certs...

      In fact not being able to install your own Root in Android is fast becoming a PITA and sucks... mind you so does not having 'administrator' (root) rights over a device that you purchased and own outright... argh!

      M

  3. streaky

    What's the problem?

    Symantec tells Google they're retiring a cert. Google removes the certs from their gear.

    What am I missing, what's the issue? What did I miss?

    1. Kevin McMurtrie Silver badge

      Re: What's the problem?

      Follow the link. Symantec generates fake certificates for testing, development, and other "non-public" uses. Those leaked once and Google is worried that they will leak again. If I read between the lines, I think that Google suspects Symantec of being forced to create them for covert spying. That would put Google's hard-earned hoard of extremely personal and extremely valuable data at risk.

      1. a_yank_lurker

        Re: What's the problem?

        Or covert spying for some 3-letter agencies perhaps.

        1. Paul Johnston

          Re: What's the problem?

          Does that include M&S ?

    2. CommanderGalaxian

      Re: What's the problem?

      So why are Symantec so bothered when they say they are removing these certs...sometime...soonish..anyway...?

      1. Anonymous Coward
        Anonymous Coward

        Re: What's the problem?

        They are saying that they are continuing to use the certificates for non-public use cases. ... so the retirement is only for public use cases like generating certificates to you, but not for the other non-public use cases

  4. Anonymous Coward
    Anonymous Coward

    Google alarmist?

    Symantec are million times worse, I have read their recent scare stories about android security. They destroyed all their credibility

    1. Wensleydale Cheese
      Thumb Down

      Re: Google alarmist?

      "Symantec are million times worse, I have read their recent scare stories about android security."

      Similarly, I read their recent scare story about OS X. One attack they emphasised could of course be remedied by using their products, but they managed to omit the simple truth that if you don't have Java installed, that attack is a non-issue.

      Java hasn't been a part of the default installation of OS X for several years now.

      I rest the case, M'Lud.

    2. a_yank_lurker

      Re: Google alarmist?

      If one uses smartphones as an enhanced cellphone and limit one's surfing to minimal sites and never use it for shopping or banking most of the problems more or less disappear.

      1. Anonymous Coward
        Alert

        Re: Google alarmist?

        > If one uses smartphones as an enhanced cellphone and limit
        > one's surfing to minimal sites and never use it for shopping or
        > banking most of the problems more or less disappear.

        That is far from true and an example of how people generally don't understand security issues. Lacking proper security, your device can be hijacked remotely and the hijacker can impersonate you, for example in mail and social networks.

  5. Cincinnataroo

    Why should a third party exclusively decide what certificates I can use?

    1. jonathanb Silver badge

      You can tell Chrome to trust any certificate you want. Most people prefer to leave it to someone who knows what they are doing.

      1. phil dude
        Linux

        this...

        and while we're at it if you are worried about catching an ITD, here's a really nice isolation tool for all Linux kernels > 3.X.

        Seriously, I am surprised this jail concept is not rolled into a distro yet...

        P.

        1. Anonymous Coward
          Anonymous Coward

          Re: this...

          "Seriously, I am surprised this jail concept is not rolled into a distro yet..."

          There are probably a number of these sorts of tools. After all, they're just a glorified version of LD_PRELOAD - just trap library calls and reroute or deny them as applicable.

        2. Doctor Syntax Silver badge

          Re: this...

          "Seriously, I am surprised this jail concept is not rolled into a distro yet..."

          From the linked site: "June 2015 – Firejail included in Debian."

          1. phil dude
            Linux

            Re: this...

            I should clarify. I did "apt-get firejail", and read about the services it limits.

            I was suggesting that it should somehow be integrated as a default such that to *not* use it, you use a tool.

            Sandboxing "for free" would seem to be a generally good idea.

            To add one more data point, this is how I would run Android apps on the (linux) desktop.

            Maybe that would plug a hole in the desktop-ecosystem....?

            P.

      2. TeeCee Gold badge
        Facepalm

        Well, that would work, if Google knew what they were doing. Their products positively encourage ignoring security warnings, 'cos they're so bloody anal about everything that the damned things appear all the time.

        My favourite piece of arsehattery (which sums up Google's approach in this area) is Chrome's refusal to use SSL when the server's certificate fails to jump through all of Google's hoops, forcing fallback to an open connection. This is more secure how exactly.....?

  6. Six_Degrees

    Symantec is and always has been a crap company, doing a half-assed job at whatever endeavor they've belatedly taken up.

    I'm surprised they aren't manufacturing unfiltered printer ink yet.

    1. Anonymous Coward
      Anonymous Coward

      "I'm surprised they aren't manufacturing unfiltered printer ink yet."

      Completely OT but I think you may have stumbled on a wonderful marketing opportunity here. Unfiltered printer ink. To be sold in the cold cabinet at Waitrose and other upmarket outlets, and also to those people who wish to print out their naughty pictures and want uncensored ink.

      Anybody know any rich and gullible VCs?

      1. Fruit and Nutcase Silver badge
        Joke

        Re: "I'm surprised they aren't manufacturing unfiltered printer ink yet."

        @Voyna i Mor

        To be sold in the cold cabinet at Waitrose and other upmarket outlets, and also to those people who wish to print out their naughty pictures and want uncensored ink.

        just checked.

        http://www.waitrose.com/shop/HeaderSearchCmd?searchTerm=Duchy+Originals+Extra+Virgin+Organic+Unfiltered+Printer+Ink&defaultSearch=GR&search=

        You searched for Duchy Originals Extra Virgin Organic Unfiltered Printer Ink: (0 results found)

        1. Anonymous Coward
          Anonymous Coward

          Duchy Originals Extra Virgin Organic Unfiltered Printer Ink:

          (Which *must* be one of the weirdest post titles ever)

          Ah, the "cleverness" of a keyword approach to searching, just bring back anything with a keyword, rather than understanding the question.

          There are a few queries which I have discovered are "unGoogleable" - Google never returns the correct answer because it doesn't comprehend the question.

          "What is the Latin word for spelling" is one - try and Google it - you'll have loads of hits about sites with Latin spellings of words ...

          1. MrDamage Silver badge
            Headmaster

            Your GoogleFu is weak

            Try doing it as a Boolean search, then you get your answers.

    2. Anonymous Coward
      Anonymous Coward

      Symantec is and always has been a crap company...

      The largest step-function improvement in my tech lifestyle was uninstalling Norton AntiVirus.

      It was like moving from a potholed province to somewhere with smooth pavement.

      Those scumbags owe me hundreds of hours of troubleshooting their crapware.

      They can all burn in a special section of hell as far as I'm concerned.

      Bloody sockcutters.

  7. x 7

    so when are google going to block such nasties as certs originating from China, or Russia, Turkmenistan......

    1. Anonymous Coward
      Anonymous Coward

      so when are google going to block such nasties as certs from China, Russia, Turkmenistan

      Are you referring to any actual cases of security issues or are you just trying to outdo Trump ?

      We are talking about Root Certificates not certificates issued to individuals -- people with Root Certificates have a special trusted status so that they can verify all other certificates.

      1. PNGuinn
        Headmaster

        Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

        "or are you just trying to outdo Trump ?"

        You mean to trump Trump?

        1. Anonymous Coward
          Anonymous Coward

          Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

          "You mean to trump Trump?"

          Nelly the Elephant goes one better and Trumps Trump Trump.

      2. x 7

        Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

        @soren

        "We are talking about Root Certificates"

        exactly.......so given recent news articles re government hacking and fake government mandated certs, blocking any from Commieland seems a good idea

        1. Anonymous Coward
          FAIL

          Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

          "blocking any from Commieland seems a good idea"

          McCarthy would be proud of you.

          1. x 7

            Re: so when are google going to block such nasties as certs from China, Russia, Turkmenistan

            "McCarthy would be proud of you."

            yes, McCarthy was a great upholder of human rights and freedoms. He knew what those red commie bastards were up to.......

  8. Anonymous Coward
    Anonymous Coward

    Yawn... this AGAIN?

    RFC 6698 -- put your certificate hash in DNS

    1. Anonymous Coward
      Anonymous Coward

      Re: Yawn... this AGAIN?

      The only problem is that RFC6698 (DANE / TLSA) is not actually yet supported by any browser. Otherwise, I love the idea.
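
What "put your certificate hash in DNS" amounts to on the client side, as an added example that is not part of the thread: matching an RFC 6698 TLSA record against the certificate a server presents, for selector 0 (whole certificate) and selector 1 (SubjectPublicKeyInfo). The names `tlsa_matches`, `spki_der` and `sample_cert` are hypothetical, and the "certificate" is a constructed DER skeleton rather than a real one.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER element (short-form length only; enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, end = read_tlv(cert, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    if fields[0][0] == 0xA0:             # optional explicit [0] version
        fields.pop(0)
    _, start, stop = fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI
    return cert[start:stop]

def tlsa_matches(record, cert):
    """Compare TLSA RDATA 'usage selector mtype hex' with a DER certificate.
    Only the association data is checked; DNSSEC validation and the PKIX
    rules implied by the usage field are out of scope here."""
    _usage, selector, mtype, data = record.split(None, 3)
    selected = {"0": lambda c: c, "1": spki_der}[selector](cert)  # 0 = cert, 1 = SPKI
    digest = {"0": lambda b: b, "1": lambda b: hashlib.sha256(b).digest(),
              "2": lambda b: hashlib.sha512(b).digest()}[mtype](selected)
    return digest == bytes.fromhex("".join(data.split()))

def sample_cert(key, serial):
    """Constructed DER skeleton with the X.509 field layout; not a valid cert."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    spki = seq(seq(tlv(0x06, b"\x2b\x65\x70")), tlv(0x03, b"\x00" + key))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))
```

A "3 1 1" record (SHA-256 of the public key) keeps matching when the certificate is reissued with the same key, while a "3 0 1" record (SHA-256 of the whole certificate) has to be republished on every reissue.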
