Symantec... Google is real tired of your shit

Discussion in 'Business & Enterprise Computing' started by NSanity, Mar 24, 2017.

  1. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    64,912
    Location:
    brisbane
    What will good guy Google do now?

    DigiCert to acquire Symantec's Website Security business

     
  2. Foliage

    Foliage Member

    Joined:
    Jan 22, 2002
    Messages:
    32,088
    Location:
    Sleepwithyourdadelaide
    That is one way around the problem, change business name.
     
  3. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,997
    Location:
    NSW
    I suspect they will let the Symantec CA die a quiet death and migrate all customers to the DigiCert CA; to me this is more of a middle finger to Google than anything else.
     
  4. dakiller

    dakiller (Oscillating & Impeding)

    Joined:
    Jun 27, 2001
    Messages:
    8,220
    Location:
    3844
    I don't see it this way.

    Symantec were incompetent, they deserved everything Google did to them and I'm glad Google were willing to stand up for end users and their security and give Symantec a good kicking. Google will be glad they're gone and happy to have those users of Symantec certs now on a much more competent cert provider.
     
  5. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,799
    Location:
    Brisbane
    Agreed. Looks to me like it's been taken over by someone who has a clue. Win win.
     
  6. OP
    NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,153
    Location:
    Canberra
    bleh.

    Let's Encrypt won this war. It's done. Symantec is just shedding dead weight.
     
  7. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,997
    Location:
    NSW
    Speaking of which, does anybody use the new DNS CAA security for matching CAs to your cert?

    I must admit I did have to look it up to see wtf it was.
     
  8. DonutKing

    DonutKing Member

    Joined:
    Mar 21, 2004
    Messages:
    1,404
    Location:
    Tweed/Gold Coast
    Yes, we exclusively use one CA, so we only had to add 2 records to our zone.
    This site makes it easy:

    https://sslmate.com/labs/caa/
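
How a CA is expected to evaluate CAA records like the ones discussed in the two posts above, as an added example that is not part of the original thread. It follows the RFC 8659 lookup rules over a constructed zone; the domain names, the `ca.example` identifier and the choice of records are assumptions, since the thread does not say which two records were added.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone. "ca.example" is a placeholder CA identifier.
ZONE: Dict[str, List[Record]] = {
    "example.com": [
        (0, "issue", "ca.example"),  # only this CA may issue ordinary certs
        (0, "issuewild", ";"),       # nobody may issue wildcard certs
    ],
    # A subdomain with its own CAA set that carries no issue/issuewild tag.
    "legacy.example.com": [(0, "iodef", "mailto:security@example.com")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name: str, zone: Dict[str, List[Record]]) -> Optional[List[Record]]:
    """Climb from the name toward the root; the closest non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value: str) -> str:
    """Strip parameters such as '; account=...'; a bare ';' yields ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, zone: Dict[str, List[Record]] = ZONE) -> bool:
    """Return True if CAA does not forbid `ca` from issuing for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if rrset is None:
        return True  # no CAA anywhere up the tree: unrestricted
    # Critical bit (128) on a tag the CA does not understand: refuse.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    wild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    applicable = wild if (wildcard and wild) else issue
    if not applicable:
        return True  # e.g. iodef-only set: it does not restrict issuance
    return any(issuer_domain(v) == ca.lower() for v in applicable)
```

The `legacy.example.com` entry shows the case worth checking in a real zone: a subdomain with its own CAA set stops the climb, so the parent's `issue` restriction no longer applies beneath it.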
     
  9. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,297
    I don't understand why Digicert would do this.

    Spend tree fiddy on some marketing and run a few specials, and you'd pick up the majority of the customer base looking to jump ship.

    Why spend 1 Beelliiion dollarydoos to do it?
     
  10. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,799
    Location:
    Brisbane
    Because if your org is like ours, marketing manage the SSL certs and have NFI what any of it means.
     
  11. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,297
    They can be convinced by some shiny lights.

    The only thing Symantec as a CA has that is worth anything is their customers, and once they were de-listed, that would be up for grabs anyway.
     
  12. Foliage

    Foliage Member

    Joined:
    Jan 22, 2002
    Messages:
    32,088
    Location:
    Sleepwithyourdadelaide
    How much did it cost them?
     
  13. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,799
    Location:
    Brisbane
    All true. But buying a company gets you (at least initially) all of the customers. Marketing to them may only get you a very small fraction.

    As NSanity said above, there's likely to be a lot of people who just jump to Let's Encrypt instead.

    Human laziness is a wonderful thing. There's a lot of businesses that will just keep paying the "renew" bill every year because it's easy. Hell, I'm guilty of this. Our SSL provider is a pain in the arse, but I've had to renew it twice since I've started here, and CBF changing for the pain it'll cause me directly.
     
    Last edited: Aug 4, 2017
  14. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    64,912
    Location:
    brisbane
    More likely they let the IT people go and that's what was there when they left. IT slowly rots when most of these MSPs take over and anything that's on a renewal rarely gets looked at/given a shit about.
     
  15. OP
    NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,153
    Location:
    Canberra
    For Linux-based stuff, certbot is literally the easiest thing in the world to script.
    For Windows - it's a bit of a fuck around depending on what you're using the certs for, but ultimately you can PowerShell the lot.
     
  16. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    Apart from what everyone else has said, there are also (apparently) large customers of Symantec's who can't move CA because they've pinned a Symantec root certificate in the firmware of devices they've sold. If the web service those devices are trying to contact doesn't have a cert issued by a particular (Symantec) root, the devices don't work.

    Basically, they've purchased a lot of customers who will pay lots of money to have things continue to work, because updating the firmware of hundreds of thousands, or millions of devices in the control of customers isn't an option.
     
  17. OP
    NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,153
    Location:
    Canberra
    cue elvis' violin in

    3.
    2...
    1.....
     
  18. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    I'm not defending those practices. I'm just saying that clearly Symantec has been profiting from (what we would consider) mistakes made years ago by their customers, and now DigiCert will be able to.
     
  19. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,799
    Location:
    Brisbane
    We've got a wildcard cert going to a HAProxy box that in turn sits in front of everything. I'd have to change that into a dozen or more certbot entries.

    I'd rather put that same effort into getting every single one of those services out of my network, and certbotting them out on Amazon or whatever.

    That's on top of my 92 open tasks today.

    Whinge, moan, etc.
     
  20. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,471
    Location:
    qld.au
