from Hacker News

Symantec Backs Its CA

by andygambles on 3/24/17, 9:52 PM with 104 comments

  • by c3t0 on 3/24/17, 11:20 PM

    > This action was unexpected, and we believe the blog post was irresponsible.

    Problems since Oct 2015 and the action was unexpected? See 1)

    > We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.

    Symantec took no ownership of the issue. Snarky underhanded remarks are not a professional way to address shortcomings in managing their product.

    > For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm.

    Per Chrome's team, an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years; see 2)

    Summary: No ownership and no action plan conveyed in Symantec's 421 word message.

    1) https://security.googleblog.com/2015/10/sustaining-digital-c...

    2) https://groups.google.com/a/chromium.org/forum/#!msg/blink-d...

  • by Manishearth on 3/25/17, 1:17 AM

    > Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers.

    Lol.

    This is like being court-ordered to do community support and then bragging about all the volunteering you do. Symantec was forced by Google to do CT. See https://security.googleblog.com/2015/10/sustaining-digital-c... , specifically:

    > Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.

    (By the end of this year, all CAs will be forced to do CT, but Symantec was forced into this last year, because of the stupid shit they keep doing)

  • by hackcasual on 3/25/17, 12:01 AM

    The TL;DR of this whole thing:

    * Root CA practice allows delegating validation to 3rd parties

    * However, the Root CA must accept all responsibility for any mis-validation the 3rd parties do. No throwing them under the bus

    * Symantec delegates validation to 4 different companies to serve local markets

    * Said companies fail to adequately validate domain ownership

    * Symantec attempts to throw them under the bus

    Further compounding the issue is that there is no way to separate the certificates that had more rigorous validation than the ones validated by these 4 companies

  • by orless on 3/25/17, 12:27 AM

    This is probably intended as damage control, but I think this response will do Symantec more bad than good. No problem description, no explanation of consequences for customers, no acknowledgment of the failure, no action plan, no schedule, no options, nothing. As a reader, if I'm already aware of the problem, this response provided zero substance to counter Google. If I'm unaware, then I'm welcome to google what it's all about and land on the blink-dev post, emotionless and factual. The whole issue is about trust, but so far Symantec does not seem to act responsibly, which does not help to re-establish trust.

    I also wonder what the exact consequences will be (Symantec post fails to explain this). I mean, which big sites will be hit? When? For how many users?

  • by leeoniya on 3/24/17, 11:03 PM

    > Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post.

    What they will vigorously defend is disruption to their reputation and their bottom line. What benefit does a business get from Symantec that they do not get from Let's Encrypt? EV?

  • by 0x0 on 3/24/17, 11:20 PM

    With Symantec joining the ranks of StartSSL and WoSign, they can hardly claim to be "singled out".

    PS: It's funny that Symantec's first Google hit for "Encryption Everywhere" prompts for my browser's geolocation unsolicited. If your product is trust, maybe you should think a little bit more about how you present your product.

  • by robbiet480 on 3/24/17, 11:25 PM

    By blog post do they mean the blink-dev mailing list thread [1] that announced Google's action plan?

    [1]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUA...

  • by dionysianstanza on 3/25/17, 12:46 AM

    Straight onto the offensive, as opposed to addressing the quite serious issues and criticisms which face them.

    Their response speaks volumes.

  • by angry_octet on 3/25/17, 12:15 AM

    It seems 2017 is the year that blustery ignorance of facts became fashionable. Thankfully they can deny, deny, deny and stamp their foot however much they want and it won't matter.

  • by ganfortran on 3/25/17, 7:39 AM

    > While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.

    "We are not the only one doing this, why us Google, why us?"

    What a shitty excuse. Laughable. Big F to Symantec and wish you bankrupt :)

  • by guelo on 3/24/17, 11:24 PM

    Wow, well with that response now I know for sure never to recommend any Symantec products.

  • by jwilk on 3/24/17, 11:21 PM

    Archived copy, which doesn't require JS:

    https://archive.fo/4DAKD

  • by draw_down on 3/25/17, 1:05 AM

    We didn't take the responsibility of being a CA seriously, and now Google is being mean to us. Waah.

  • by apecat on 3/25/17, 10:07 PM

    Symantec is now a company that operates both as a CA and, having acquired Blue Coat, also as a vendor of TLS intercepting middle boxes that they sell to despots.

    With this history of mis-issued certs in mind, Symantec's CA business should be kicked to the ground, left bleeding and never be trusted again.

  • by natch on 3/25/17, 3:07 AM

    As I read it Symantec is being tone deaf here about the problem. Throwing around numbers like 127 versus 30,000, they seem to be overlooking the fact that trust flows downward from a small handful of root certs, or certs closer to the root, and that if the root cert or certs and processes around them are not trustworthy, then all the subordinate certs are tainted.

    They aren't helping themselves any with this kind of post, imho.
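    The point hackcasual and natch make above (trust flows from the root, and a relying party cannot tell which leaf certificates were validated by a delegated RA) can be shown with a small path-validation model. This is an added example, not code from the thread or from any CA; the CA names are constructed, and the HMAC-SHA256 "signatures" stand in for the asymmetric RSA/ECDSA signatures real X.509 uses, so a certificate's `key` field here is a shared verification key rather than a public key.

```python
"""Toy X.509-style path validation: distrusting a root taints every leaf beneath it.
Constructed example; HMAC stands in for asymmetric signatures."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Cert:
    subject: str
    issuer: str
    validation: str   # "DV", "OV", "EV" or "root" (a policy OID in real X.509)
    key: bytes        # stand-in for the subject's public key
    signature: bytes  # produced by the issuer over tbs(...)


def tbs(subject: str, issuer: str, validation: str, key: bytes) -> bytes:
    # The to-be-signed bytes. Note what is absent: nothing records WHICH
    # registration authority checked the subject, so relying parties cannot
    # keep "in-house validated" certs while dropping "RA validated" ones.
    return f"{subject}|{issuer}|{validation}|{key.hex()}".encode()


def sign(issuer_key: bytes, data: bytes) -> bytes:
    return hmac.new(issuer_key, data, hashlib.sha256).digest()


def self_signed_root(name: str) -> Cert:
    key = secrets.token_bytes(32)
    return Cert(name, name, "root", key, sign(key, tbs(name, name, "root", key)))


def issue(issuer: Cert, subject: str, validation: str) -> Cert:
    key = secrets.token_bytes(32)
    sig = sign(issuer.key, tbs(subject, issuer.subject, validation, key))
    return Cert(subject, issuer.subject, validation, key, sig)


def validate(leaf: Cert, intermediates: list, trust_store: dict) -> tuple:
    """Walk issuer links from the leaf towards a trust anchor, checking each
    signature. Returns (ok, reason). trust_store maps subject -> root Cert."""
    by_subject = {c.subject: c for c in intermediates}
    cur = leaf
    for _ in range(8):  # cap the path length
        issuer = trust_store.get(cur.issuer) or by_subject.get(cur.issuer)
        if issuer is None:
            return False, f"no path to a trusted root: issuer {cur.issuer!r} unknown"
        expected = sign(issuer.key, tbs(cur.subject, cur.issuer, cur.validation, cur.key))
        if not hmac.compare_digest(expected, cur.signature):
            return False, f"bad signature on {cur.subject!r}"
        if cur.issuer in trust_store:
            return True, f"chains to trusted root {issuer.subject!r}"
        cur = issuer
    return False, "path too long"


def demo() -> tuple:
    """Two leaves under one root: an EV cert validated in-house and a DV cert
    validated by a delegated RA. Returns the trust verdicts before and after
    the relying party removes the root from its store."""
    root = self_signed_root("Example Root CA")            # constructed name
    inter = issue(root, "Example Intermediate CA", "OV")  # constructed name
    ev_leaf = issue(inter, "bank.example", "EV")
    ra_leaf = issue(inter, "shop.example", "DV")          # RA involvement not recorded
    leaves = (ev_leaf, ra_leaf)
    before = {c.subject: validate(c, [inter], {root.subject: root})[0] for c in leaves}
    after = {c.subject: validate(c, [inter], {})[0] for c in leaves}
    return before, after


def tamper_check() -> bool:
    """A leaf whose validation level is edited after issuance must fail,
    since the level is covered by the issuer's signature."""
    root = self_signed_root("Example Root CA")
    leaf = issue(root, "shop.example", "DV")
    leaf.validation = "EV"
    return validate(leaf, [], {root.subject: root})[0]


if __name__ == "__main__":
    print(demo())          # ({'bank.example': True, 'shop.example': True}, {'bank.example': False, 'shop.example': False})
    print(tamper_check())  # False
```

    The second dictionary is the practical consequence the thread discusses: once the root is out of the store, the EV certificate validated with more rigor is rejected exactly like the one the regional RA validated, because the certificate carries no field a browser could use to tell them apart.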

  • by sparkling on 3/24/17, 11:39 PM

    Short SYMC

  • by Animats on 3/25/17, 4:16 AM

    Site stuck at "Loading Your Community Experience".

  • by wav-part on 3/25/17, 1:53 AM

    Just migrate to DNSSEC/DANE already. CAs have no incentive to mis-issue certs. CAs' whole business model is selling trust. It's obvious TLDs (.com/etc.) are the ones who should validate/issue certs.

    Regarding TLDs coming under control of governments, it's solved by independent mirror nameservers run by app devs (Firefox/Chrome/etc.) and NGOs (EFF/etc.).

  • by korzun on 3/25/17, 3:10 AM

    Something, something, WMDs.

  • by Grue3 on 3/25/17, 7:49 AM

    I'm not aware of the details of this particular case, but now that Google owns its own CA, it being in charge of unilaterally banning other CAs from Chrome is a massive conflict of interest.