
Kudos0

Certificates from Symantec

I have a problem. I use Mozilla Firefox 63 Nightly, and many Polish websites that handle payments (DotPay, PayU) no longer support Symantec certificates? Apparently, the latest versions of Firefox will no longer support certificates from Symantec. Why?

Replies

Kudos0

Re: Certificates from Symantec

Update on the Distrust of Symantec TLS Certificates
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/

Mozilla Reinforces Commitment to Distrust Symantec Certificates

“We strongly encourage website operators to replace any remaining Symantec TLS certificates immediately to avoid impacting their users as these certificates become distrusted in Firefox Nightly and Beta over the next few months,” Thayer concludes.  

https://www.securityweek.com/mozilla-reinforces-commitment-distrust-symantec-certificates 

Kudos0

Re: Certificates from Symantec

bjm_:

WHY???

Kudos1 Stats

Re: Certificates from Symantec

Why is Google Distrusting Symantec?
This entire situation started back in 2015 when Google contacted Symantec about some potentially mis-issued SSL certificates. That situation, in and of itself, was fairly negligible. But, the following year, when Google became aware of additional mis-issuances, it became of greater import because now Google could make the argument that it was losing trust in Symantec’s PKI.

Google argued that Symantec was not properly overseeing several of the region authorities it used to perform validation around the world. This, coupled with what Google now argued was a pattern of mis-issuances, set the grounds for the distrust. Symantec eventually went into negotiation with Google and agreed to partner with another Certificate Authority so that it could continue to issue certificates while simultaneously rebuilding its Public Key Infrastructure. The best way to accomplish this, in Symantec’s eyes, was to sell the CA part of its business to DigiCert, who would continue to operate it pretty much as is, with the exception of what roots the new certificates would now chain to.

Who was right? Google or Symantec?
That’s a complicated question. Let me start by saying that Hashed Out operates with a considerable degree of autonomy from The SSL Store, but it is worth noting that The SSL Store was a platinum elite partner with Symantec (and now with its new owners, DigiCert). That being said, Google was right about the mistakes that Symantec had made. And considering one of the mis-issued 2016 test certificates was for Google.com, it had a right to be pissed.

At the same time, Symantec wasn’t incorrect when it noted that no real world harm actually occurred. While they disagree on the number of mis-issued test certificates (33 vs. 30K – quite the range), nobody misused any of the certificates. Nobody lost money. No one died.

Google’s decision was a bit draconian. And I’m hedging by adding “a bit.” It’s quite a leap to go from, “you mis-issued some test certificates” to “now I’m going to distrust every SSL certificate that’s ever been issued off these roots.” It’s worth noting that Google (and Mozilla to some extent) were likely also trying to make an example out of Symantec, too. But as we will see on Tuesday, this is going to end up being massively disruptive in a way that I think few of the people who pushed for this expected.

But, there’s plenty of time for relitigating the dispute between Symantec and Google. There’s not much time left to re-issue if you’re using an affected certificate.

https://www.thesslstore.com/blog/symantec-re-issue-thousands-of-ssl-certificates-will-be-distrusted-tuesday/

On January 19, 2017, a public posting to the mozilla.dev.security.policy newsgroup drew attention to a series of questionable website authentication certificates issued by Symantec Corporation’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements. During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.

This incident, while distinct from a previous incident in 2015, was part of a continuing pattern of issues over the past several years that has caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure, and as a result, the certificates that have been or will be issued from it.

After our agreed-upon proposal was circulated, Symantec announced the selection of DigiCert to run this independently-operated Managed Partner Infrastructure, as well as their intention to sell their PKI business to DigiCert in lieu of building a new trusted infrastructure. This post outlines the timeline for that transition and the steps that existing Symantec customers should take to minimize disruption to their users.

https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Kudos2 Stats
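An added inventory check, not part of this thread or of any project it mentions, written in Python: it flags a server's leaf certificate whose direct issuer is one of the legacy Symantec-operated brands named in the Chrome post above, working on the dict shape that ssl.getpeercert() returns. The O= strings in LEGACY_SYMANTEC_ORGS and the two sample issuer records are assumptions constructed for this example.

```python
import socket
import ssl

# Organization names (O=) carried by the legacy Symantec-operated intermediates.
# The brand list comes from the Chrome post quoted above; the exact O= strings
# are assumptions for this example, since the thread itself does not list them.
LEGACY_SYMANTEC_ORGS = {
    "symantec corporation",
    "verisign, inc.",
    "geotrust inc.",
    "thawte, inc.",
    "equifax",
    "equifax secure inc.",
}

def issuer_fields(cert):
    """Flatten the getpeercert()-style 'issuer' tuple into a dict of RDN -> value."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields

def is_legacy_symantec_issued(cert):
    """True if the leaf's direct issuer organisation is a legacy Symantec-run CA."""
    org = issuer_fields(cert).get("organizationName", "")
    return org.strip().lower() in LEGACY_SYMANTEC_ORGS

def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate in the dict form getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample records in getpeercert() shape (not captured from any real site).
LEGACY_SAMPLE = {
    "subject": ((("commonName", "payments.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
}
REISSUED_SAMPLE = {
    "subject": ((("commonName", "payments.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "GeoTrust RSA CA 2018"),)),
}

if __name__ == "__main__":
    for name, cert in (("legacy", LEGACY_SAMPLE), ("reissued", REISSUED_SAMPLE)):
        print(name, "-> replace before distrust" if is_legacy_symantec_issued(cert) else "-> ok")
```

getpeercert() exposes only the leaf and its direct issuer, so for a full picture of which roots a chain reaches, inspect the whole chain as served (for example with openssl s_client -showcerts) rather than relying on this one field.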

Re: Certificates from Symantec

Good info. Google, like every corporate entity who abuses the authority they bestow upon themselves will eventually have their day with Karma. Symantec isn't the only *issing contest Google has gotten into. Microsoft has been on the receiving end of Google releasing vulnerabilities in Windows when MS doesn't "jump" when Google says jump. All told Android is one of the most unsafe OS's on the market, Google knows it and refuses to correct their issues with it and its security. Google should know that being dictatorial will eventually bite hard and swift at some point. It would be in their best interest to be a part of the solutions than continue to be the source of the problem at large. Could be that their fiasco with MasterCard will begin a long legal road for them but we shall see.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1809 / build 17763.134 / NSBU 22.16.2.22 / Norton Core v.270
Kudos1 Stats
