Symantec... Google is real tired of your shit

Discussion in 'Business & Enterprise Computing' started by NSanity, Mar 24, 2017.

  1. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,105
    Location:
    Brisbane
    I don't think I was clear. When I say "Authentication", I'm referring to the first "A" in "AAA" - i.e.: verifying your client/server identity at the SSL/TLS layer (not a password exchange which comes later).

    Encryption doesn't require a purchased certificate. You can implement HTTPS just fine with your own self-signed key/cert combo. Likewise any application you use can do the same to keep the information secret.

    When I say "authentication" above, I'm not referring to your application level username/password back and forth. I'm referring to the bit where, say, your web browser wants to verify that the SSL cert you're using actually belongs to you, and does so by inherently trusting the CA that signed the cert. A bit like the bouncer at the nightclub trusts that your driver's license is legit because it's got a cute little hologram over the top, and from there, trusts that you are who your ID says.

    Now, if you don't want the whole signed certificate bit, you don't have to use it. If you own both sides of the communication (say, two servers passing data, or a laptop connecting to a VPN server, or a web browser running on an SOE desktop talking to an internal web server), you don't need the signed CA. You can just tell each side that the other is legit, because you as the admin say so, and to trust that specific fingerprint. When they connect, they see it whitelisted, are satisfied that it's not some dodgy individual, and away they go.

    In the same way, an expired SSL certificate doesn't mean a website suddenly stops encrypting data. All it means is that you can't be sure that the website belongs to the people who claim to own it still.

And the crux of the whole issue is - do we even trust CAs? If I connect to Commbank.com.au and get the little green bar in my web browser saying it's legit, the only thing that verifies that is the fact that my web browser trusts a company called Verisign. Do *I* trust Verisign? Do I have proof that they did their due diligence in making sure that the person ringing up to get the Commbank SSL cert actually worked for Commbank? Or even more maliciously, did I sight them in person on site? (What if it was someone using one of Commbank's internal phone lines to get the certificate maliciously?). That's the problem this thread covers - Symantec were handing out signed certs without doing their due diligence. That's bad.

    Compare and contrast to a PGP key signing event. You turn up with several pieces of photo ID, and your digital certificates signed by others. You then present the "evidence" that you are who you say you are, backed up by other people in your circle of known acquaintances and your ID. If someone else thinks that's good enough, they too can sign your key. Eventually the list of signatures is overwhelmingly large enough for others to trust, and you've built your "Web of Trust".

    But again, you don't need that at all to ensure encryption. If all you want to do is obfuscate a string of text, the authentication part (particularly authenticating your server to the entire Internet) is unnecessary if you control all the points in question.

    Coming full circle: if you're writing some app that communicates between two bits of kit that your company owns, and isn't designed to ever have a random Internet user log in to it, then you don't need to buy an SSL cert from anyone. That part is entirely unnecessary for that specific use case.
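An added example, not code from the thread, to make the fingerprint-whitelisting idea in the post above concrete: two self-signed certs are generated locally (no CA anywhere), the client pins one SHA-256 fingerprint, and an impostor cert with the identical CN but a different key fails the pin. It also shows that the validity window is a separate question from identity: the short-lived "real" cert is flagged for renewal while still matching its pin. Assumes openssl(1) is on PATH; the host name "app.internal" and both certs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl(1) is installed.
# "app.internal" and the impostor are constructed for this demo.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed key/cert pair: no CA involved, TLS encryption works regardless.
# $1 = file stem, $2 = CN, $3 = validity in days
gen_selfsigned() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -days "$3" -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of the DER-encoded cert: the value the admin whitelists on the other side.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Client-side identity check without a CA: the presented cert must match the pinned fingerprint.
# $1 = presented cert file, $2 = pinned fingerprint
pin_check() {
  [ "$(fingerprint "$1")" = "$2" ]
}

# Validity-window check, independent of identity: does the cert expire within $2 days?
# Returns 0 (true) when renewal is due. openssl -checkend exits non-zero if it expires in time.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
    return 1   # still valid past the threshold
  fi
  return 0
}

# --- demo ---
gen_selfsigned server   app.internal 1     # the real box, deliberately short-lived
gen_selfsigned impostor app.internal 365   # same CN, different key: CN alone proves nothing
PIN="$(fingerprint "$WORK/server.crt")"

pin_check "$WORK/server.crt"   "$PIN" && echo "server: pin OK ($PIN)"
pin_check "$WORK/impostor.crt" "$PIN" || echo "impostor: pin MISMATCH (same CN, wrong key)"
needs_renewal "$WORK/server.crt" 2 && echo "server: renew soon (expires within 2 days), pin still matched"
```

The pin is a hash of the whole certificate, so the fingerprint changes whenever the cert is reissued; pinning the public key (SPKI) instead survives re-signing with the same key, which matters once renewals are automated.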
     
  2. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
Well, let's go with no Internet police and let CAs issue certs for all sorts of stuff like they have been? Google want to protect their interests; if the net is untrustworthy Google has issues because people can't trust they are accessing Google.
    What Google is doing is a good thing, with a good outcome. The reasons behind it are irrelevant, the outcome is good.

    You should always protect the data as close to the data as you can, so this is good practice. +1

    AAAAHAHAHAHA I love seeing double encoded data as encryption, or some homebrew with embedded key.

    Its mainly about trust - you pay for the trust, the trust that other people (mainly browsers) believe that you are you because an entity that is trusted tells others you are you.

Which, when you went to explain it in your wall of text, started to say "trust" lots. Because that is what it is.

    I would probably use validate more so than authenticate.
     
  3. Sphinx2000

    Sphinx2000 Member

    Joined:
    Sep 16, 2001
    Messages:
    9,555
    Location:
    Brisbane
    No one is going to offer cost-effective recommendations here?
I am also looking, as the Symantec reseller ones are all starting to cause issues in Chrome FFS.... :thumbdn:
     
  4. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
I did. Letsencrypt. It's free. Move on.
     
  5. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    I used CertSimple recently. The guy who started it replied to my emails quickly and was really helpful. When it came to ordering, the documentation they found electronically and sent on to DigiCert for validation meant it was about a day before we had the cert. Highly recommended.
     
  6. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,105
    Location:
    Brisbane
    Good point. I was running with the "AAA" moniker, but your choice of word is a better fit.

    I agree with this, with the one caveat that the reason does matter. But the point is communication on the Internet needs to be trustworthy for Internet business to work.

    Much like when redneck US senators try to mandate back doors to encryption, they fail to see that harming the trustworthiness of crypto harms business. If I know that the communication between my computer and any online merchant or banking service is 100% guaranteed to have a back door, I won't trust it, and I won't use it. I don't believe for a minute that there's a crypto back door that "only the good guys can use". The Internet doesn't work like that, in an instant-copy model where the bad guys move at orders of magnitude faster than the good guys.

Google playing "Internet Police" isn't bad, as long as their intentions are for a trustworthy Internet as a whole. If they start to target fair competition, that's a different story altogether. But right now it's in Google's best interests for *everyone* to use the Internet safely (because Internet safety requires a level playing field to work). So that means Google are keeping both friend and foe safe, and I can deal with that in its current form. (And no, I don't subscribe to "slippery slope" arguments, so I'll cut that off before anyone tries).

    Stage 1.
     
    Last edited: May 12, 2017
  7. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,751
    Location:
    3350
3-month validity is a PITA; I'm sure I could look at a PS script to replace/renew with my Exchange/IIS servers.
     
  8. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,105
    Location:
    Brisbane
  9. Foliage

    Foliage Member

    Joined:
    Jan 22, 2002
    Messages:
    32,088
    Location:
    Sleepwithyourdadelaide
    Stop making things difficult to secure your job elvis! Manual clicking is what I'm good at!
     
  10. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,105
    Location:
    Brisbane
    Nothing would make me happier than seeing my entire industry made redundant. The quality improvements alone would be worth it.
     
  11. hosh0

    hosh0 Member

    Joined:
    May 28, 2007
    Messages:
    8,971
    Location:
    Sydney N.S.W
I often say to any new area or workplace I go to that my goal is to make my job redundant and then move on. I often get told "but you are just putting yourself out of a job"; my standard reply is "have you seen how bad a state the industry is in? I'm set for life" :tongue::thumbup::p
     
  12. dakiller

    dakiller (Oscillating & Impeding)

    Joined:
    Jun 27, 2001
    Messages:
    8,241
    Location:
    3844
Facebook use these guys for their certs, I'd take that as a nice endorsement - www.digicert.com

    I'm all for Google being the internet police, Symantec deserve to be slapped hard.
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,365
    A better reply is... "Nope, I'm putting you out of a job, and giving myself the skills to get a better one". :).


    We use digicert, and I don't hate it.
     
  14. rainwulf

    rainwulf Member

    Joined:
    Jan 20, 2002
    Messages:
    4,261
    Location:
    bris.qld.aus
Fuck, I issue RapidSSL certs exclusively.

Dammit.
     
  15. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,751
    Location:
    3350
Thanks, I do use Letsencrypt on *nix hosts with automated renewals; have not had the requirement to use it on Windows yet, will take a look at certbot.
     
    Last edited: May 13, 2017
  16. Cthom

    Cthom Member

    Joined:
    Nov 11, 2016
    Messages:
    75
Man, we have been hearing a lot of news from these guys for quite some time. Hope to reach some conclusion.
     
  17. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,077
    Location:
    Sydney
    Also use Digicert and have no complaints.
     
  18. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,751
    Location:
    3350
  19. Foliage

    Foliage Member

    Joined:
    Jan 22, 2002
    Messages:
    32,088
    Location:
    Sleepwithyourdadelaide
  20. vladtepes

    vladtepes Member

    Joined:
    Sep 30, 2015
    Messages:
    2,802
    Location:
    Brisbane, Qld
    So true (and rightly so).

    The good thing about Google, as opposed to MS, is they don't invade your privacy by collecting all your data from multiple products and .. oh, wait....

    Why people think Google are so "good" is confusing. Perhaps it's a bit like the Apple thing.. just trendy...


    Well, Google is moving in attempting to capture a lot of the market share of these main players - with devices as well as Google Office etc etc so on a commercial level, I'm sure they are!
     
