Ir para conteúdo
  • Cadastre-se

Google slaps symantec for sloppy certs, slow show of snafus


rubensk

Posts Recomendados

Resumo: se você tem certificado Symantec, troque já. 

https://www.theregister.co.uk/2017/03/24/google_slaps_symantec_for_sloppy_certs_slow_show_of_snafus/

 

Google slaps Symantec for sloppy certs, slow show of SNAFUs

Certs will keep working, but Chrome will be suspicious, soon

24 Mar 2017 at 04:58, Simon Sharwood

Google's Chrome development team has posted a stinging criticism of Symantec's certificate-issuance practices, saying it has lost confidence in the company's practices and therefore in the safety of sessions hopefully-secured by Symantec-issued certificates.

Google's post says “Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years.”

Googler Ryan Sleevi unloads on Symantec as follows:

“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.

These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.”

The post gets worse, for Symantec:

“The full disclosure of these issues has taken more than a month. Symantec has failed to provide timely updates to the community regarding these issues. Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them.  Further, even after issues have become public, Symantec failed to provide the information that the community required to  assess the significance of these issues until they had been specifically questioned. The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”

The upshot is that Google feels it can “no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years” and it therefore proposes three remedies:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
  • Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

The first remedy will mean that Chrome stops trusting Symantec-issued certificates as outlined in the table below.

Chrome version Cert validity period
Chrome 59 (Dev, Beta, Stable) 33 months (1023 days)
Chrome 60 (Dev, Beta, Stable) 27 months (837 days)
Chrome 61 (Dev, Beta, Stable) 21 months (651 days)
Chrome 62 (Dev, Beta, Stable) 5 months (465 days)
Chrome 63 (Dev, Beta) 9 months (279 days)
Chrome 63 (Stable) 5 months (465 days)
Chrome 64 (Dev, Beta, Stable) 9 months (279 days)

Google reckons this plan will mean “web developers are aware of the risk and potential of future distrust of Symantec-issued certificates, should additional misissuance events occur, while also allowing them the flexibility to continue using such certificates should it be necessary.”

And of course it also gives developers time to arrange new certificates from whatever issuer pleases them most.

Symantec has told The Register it is developing a response to Google's allegations. We will add it to this story as soon as we receive it. ®

 

Link para o comentário
Compartilhar em outros sites

Participe da conversa

Você pode postar agora e se cadastrar mais tarde. Se você tem uma conta, faça o login para postar com sua conta.

Visitante
Infelizmente, seu conteúdo contém termos que não são permitimos. Edite seu conteúdo para remover as palavras destacadas abaixo.
Responder

×   Você colou conteúdo com formatação.   Remover formatação

  Apenas 75 emojis são permitidos.

×   Seu link foi automaticamente incorporado.   Mostrar como link

×   Seu conteúdo anterior foi restaurado.   Limpar o editor

×   Não é possível colar imagens diretamente. Carregar ou inserir imagens do URL.

  • Quem Está Navegando   0 membros estão online

    • Nenhum usuário registrado visualizando esta página.
×
×
  • Criar Novo...

Informação Importante

Concorda com os nossos termos?