Symantec... Google is real tired of your shit

I don't think I was clear. When I say "Authentication", I'm referring to the first "A" in "AAA" - i.e.: verifying your client/server identity at the SSL/TLS layer (not a password exchange which comes later).

Encryption doesn't require a purchased certificate. You can implement HTTPS just fine with your own self-signed key/cert combo. Likewise any application you use can do the same to keep the information secret.

When I say "authentication" above, I'm not referring to your application level username/password back and forth. I'm referring to the bit where, say, your web browser wants to verify that the SSL cert you're using actually belongs to you, and does so by inherently trusting the CA that signed the cert. A bit like the bouncer at the nightclub trusts that your driver's license is legit because it's got a cute little hologram over the top, and from there, trusts that you are who your ID says.

Now, if you don't want the whole signed certificate bit, you don't have to use it. If you own both sides of the communication (say, two servers passing data, or a laptop connecting to a VPN server, or a web browser running on an SOE desktop talking to an internal web server), you don't need the signed CA. You can just tell each side that the other is legit, because you as the admin say so, and to trust that specific fingerprint. When they connect, they see it whitelisted, are satisfied that it's not some dodgy individual, and away they go.

In the same way, an expired SSL certificate doesn't mean a website suddenly stops encrypting data. All it means is that you can't be sure that the website belongs to the people who claim to own it still.

And the crux of the whole issue is - do we even trust CAs? If I connect to Commbank.com.au and get the little green bar in my web browser saying it's legit, the only thing that verifies that is the fact that my web browser trusts a company called Verisign. Do *I* trust Verisign? Do I have proof that they did their due diligence in making sure that the person ringing up to get the commbank SSL cert actually worked for the commbank? Or even more maliciously, did I sight them in person on site? (What if it was someone using one of commbanks internal phone lines to get the certificate maliciously?). That's the problem this thread covers - Symantec were handing out signed certs without doing their due diligence. That's bad.

Compare and contrast to a PGP key signing event. You turn up with several pieces of photo ID, and your digital certificates signed by others. You then present the "evidence" that you are who you say you are, backed up by other people in your circle of known acquaintances and your ID. If someone else thinks that's good enough, they too can sign your key. Eventually the list of signatures is overwhelmingly large enough for others to trust, and you've built your "Web of Trust".

But again, you don't need that at all to ensure encryption. If all you want to do is obfuscate a string of text, the authentication part (particularly authenticating your server to the entire Internet) is unnecessary if you control all the points in question.

Coming full circle: if you're writing some app that communicates between two bits of kit that your company owns, and isn't designed to ever have a random Internet user log in to it, then you don't need to buy an SSL cert from anyone. That part is entirely unnecessary for that specific use case.

 

Well lets go with no internet police and let CA's issue certs for all sorts of stuff like they have been? Google want to protect their interests, if the net is untrustworthy Google has issues because people can't trust they are accessing Google.
What Google is doing is a good thing, with a good outcome. The reasons behind it are irrelevant, the outcome is good.

You should always protect the data as close to the data as you can, so this is good practice. +1

AAAAHAHAHAHA I love seeing double encoded data as encryption, or some homebrew with embedded key.

Its mainly about trust - you pay for the trust, the trust that other people (mainly browsers) believe that you are you because an entity that is trusted tells others you are you.

Which when you went to explain it in your wall of text started to say trust lots. because that is what it is.

I would probably use validate more so than authenticate.

 

No one is going to offer cost-effective recommendations here?
I am also looking as the Symantec Reseller ones are all starting to cause issues in Chrome FFS....

 

I did. Letsencrypt. its free. Move on.

 

I used CertSimple recently. The guy who started it replied to my emails quickly and was really helpful. When it came to ordering, the documentation they found electronically and sent on to DigiCert for validation meant it was about a day before we had the cert. Highly recommended.

 

Good point. I was running with the "AAA" moniker, but your choice of word is a better fit.

I agree with this, with the one caveat that the reason does matter. But the point is communication on the Internet needs to be trustworthy for Internet business to work.

Much like when redneck US senators try to mandate back doors to encryption, they fail to see that harming the trustworthiness of crypto harms business. If I know that the communication between my computer and any online merchant or banking service is 100% guaranteed to have a back door, I won't trust it, and I won't use it. I don't believe for a minute that there's a crypto back door that "only the good guys can use". The Internet doesn't work like that, in an instant-copy model where the bad guys move at orders of magnitude faster than the good guys.

Google playing "Internet Police" isn't bad, as long as their intentions are for a trustworthy Internet as a whole. If they start to target fair competition, that's a different story all together. But right now it's in Google's best interests for *everyone* to use the Internet safely (because Internet safety requires a level playing field to work). So that means Google are keeping both friend and foe safe, and I can deal with that in its current form. (And no, I don't subscribe to "slippery slope" arguments, so I'll cut that off before anyone tries).

Stage 1.

 

3 Month validity is a PITA, I'm sure I could look at a PS script to replace/renew with my exchange/iis servers.

 

The whole point to Let's Encrypt is that you automate the renewals.

https://github.com/ebekker/ACMESharp
https://github.com/ietf-wg-acme/acme/

Like most of modern IT, if you're still clicking on things manually, you're doing it wrong. Automation is the future.

 

Stop making things difficult to secure your job elvis! Manual clicking is what I'm good at!

 

Nothing would make me happier than seeing my entire industry made redundant. The quality improvements alone would be worth it.

 

I often say to any new area or workplace I go that my goal is to make my job redundant and then move on. I often get told but you are just putting yourself out of a job, my standard reply is have you seen how bad a state the industry is in? I'm set for life

 

Facebook use these guys's for their certs, I'd take that as a nice endorsement - www.digicert.com

I'm all for Google being the internet police, Symantec deserve to be slapped hard.

 

A better reply is... "Nope, I'm putting you out of a job, and giving myself the skills to get a better one". .

We use digicert, and I don't hate it.

 

Fuck i issue RapidSSL certs exclusively.

dammit.

 

Thanks, I do use Letsencrypt on nix with hosts with automated renewals, have not had the requirement to use it on windows yet will take a look at certbot.

 

Man, we are hearing alot of news from these guys from quite some time. Hope to reach some conclusion.

 

Also use Digicert and have no complaints.

 

So it's happening.

https://www.itnews.com.au/news/chrome-to-distrust-symantec-certificates-from-next-year-469688

 

" Thawte, GeoTrust and RapidSSL subsidiaries"

They issue a huge amount of certs. I wonder if this will impact code signing certificates as well for desktop software.

 

So true (and rightly so).

The good thing about Google, as opposed to MS, is they don't invade your privacy by collecting all your data from multiple products and .. oh, wait....

Why people think Google are so "good" is confusing. Perhaps it's a bit like the Apple thing.. just trendy...

Well, Google is moving in attempting to capture a lot of the market share of these main players - with devices as well as Google Office etc etc so on a commercial level, I'm sure they are!