Google to kill Symantec certs in Chrome 66, due in early 2018

Google has detailed its plan to deprecate Symantec-issued certificates in Chrome. The decision to end-of-life its trust for Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for example.com and various permutations of test.com escaped into the wild. The absolute …

  1. JeffyPoooh
    Pint

    I haven't trusted Symantec since 2007

    I'm happy to see that others have finally caught on...

    1. Kevin McMurtrie Silver badge

      Re: I haven't trusted Symantec since 2007

      You shouldn't trust Google either, so this is pretty much Meh.

    2. jake Silver badge

      Re: I haven't trusted Symantec since 2007

      I haven't trusted Symantec ever.

      1. sabroni Silver badge
        Happy

        Re: I haven't trusted Symantec since 2007

        I don't know who Symantec are!

        1. WonkoTheSane
          Headmaster

          Re: I haven't trusted Symantec since 2007

          They used to be "Norton Antivirus"

        2. WallMeerkat

          Re: I haven't trusted Symantec since 2007

          > I don't know who Symantec are!

          They're the virus installed on laptops bought from PC World that usually require a clean reformat to remove.

          1. sabroni Silver badge

            Re: I haven't trusted Symantec since 2007

            Fuck's sake! Do I have to start putting sarcasm tags round my posts now?

            1. Uffish

              Re: Sarcasm

              Oh, so you were just being funny. Meh, the wide eyed innocent interpretation ended up being more useful for those lazy sods like me who vaguely recollected the name but couldn't be bothered to search.

              I haven't been anywhere near them or their predecessors since viruses came on floppies. But why does it have to be "Big Google" that is judge, jury and executioner? Because there is no-one else? Hmm.

          2. Alan Brown Silver badge

            Re: I haven't trusted Symantec since 2007

            People buy computers from PC whirled?

  2. AMBxx Silver badge
    Boffin

    Old certs surely?

    The certificates will be 2 years old by the time Google block them. I can only buy certificates that last up to 3 years, so surely most will have expired by the time they're blocked.

    1. sabroni Silver badge

      Re: Old certs surely?

      If you think something's expired when it has a year to go then yeah.....

      (That is some degree level thinking!!!)

      1. RyokuMas
        Trollface

        Re: Old certs surely?

        "If you think something's expired when it has a year to go then yeah....."

        Assuming that cert lifespan is always three years and purchase/renewal rate is reasonably constant, by the law of averages around 66% of certs currently in use will have expired by the time this comes into effect - that's a more solid "most" than the Brexit result...

    2. ABehrens

      Re: Old certs surely?

      Topbulb.com got one of the last Symantec certificates (issued Nov 2017), and it won't expire until Jan 2021. They haven't yet noticed that the number of customers dropped off sharply last month.

  3. Adam 1

    subbie missed a trick

    Symantec kicked; in Chrome 66

  4. mark l 2 Silver badge

    I dislike Symantec business practices more than I do Adobe and Microsoft. They all buy out other companies and often ruin a good product when they get hold of it but Symantec ruin EVERY product they get their hands on. So I hope this blocking of their certs by Chrome really hits them in their bank balance.

    1. David Austin

      go to example:

      Veritas.

    2. This post has been deleted by its author

      1. iron Silver badge

        Re: Norton / Symantec is not slow

        How's the job as head of marketing at Symantec going AC?

      2. Anonymous Coward

        Re: Norton / Symantec is not slow

        Translation:

        I am smoking the Symantec pipe, and although it tastes bad, I have got used to it.

        If you have tried AV on an SSD equipped PC or laptop, the performance isn't too bad. Compared to other AV products, we slow down performance by about the same amount and generally hit the industry averages for bricking your PC via updates.

        When we buy new businesses, we are quick to splash out the brown paint so that our levels of quality are quickly met...

        1. Mike Pellatt
          Facepalm

          Re: Norton / Symantec is not slow

          I think it was Norton who welcomed the advent of the dual-core processor.

          Because, they said, now one core could be dedicated to running antivirus without slowing down the "real" work being done on the other core.

        2. Tom Paine

          Re: Norton / Symantec is not slow

          When we were borged by the bug yellow bucket o'fail, we got yellow silicone rubber wristbands in Fail Yellow, embossed with the word "BELIEVE". We hardly could.

          True story.

  5. pauleverett

    not sure I like the power and muscle Google is flexing here. I do not see how it is their job to stop a browser from working with certificates from a particular provider. I would not be at all surprised to see Google start issuing its own certificates, and a little down the road have Chrome only accept Google certificates. I am already totally irritated by how they get to decide what they are going to let me view. Not their choice to make IMO. None of this is going in a good direction. Too much control.

    1. eldakka

      > not sure I like the power and muscle Google is flexing here. I do not see how it is their job to stop a browser from working with certificates from a particular provider.

      1) It is exactly their job to assess whether their software will trust a CA. This is how the certificate system works. It is a chain of trust. The software receiving the certificate has to somehow trust the cert (usually via a chain of trust to the signer). To 'trust' a CA, the software has to include (i.e. a pro-active step from the developer of the software) the trust chain in the software (or it can trust the operating system's truststore). Therefore a CA like Symantec, Digicert, etc. has to ask the developer (Firefox, Chrome, or the OS like Windows which has an OS-wide truststore) to include them in that chain of trust, so they can put the cert in the software-supplied truststore (one of the things updates to browser/OS software does is add/remove certs from their truststores). If the developer of the software no longer trusts a CA, then they are perfectly within their rights - in fact this is how it is supposed to work - to have their software stop accepting certs signed by that CA.

      2) I'm not 100% sure on this, but you could probably manually trust the Symantec CA by installing the certs yourself in the appropriate truststore. Most of these systems have exceptions/documented/standard ways of enforcing a user-preference on the certs, manually updating the trust-stores and revocation lists. What we are talking about here is the out-of-box, un-user-configured/personalized experience of Chrome.

      3) Chrome is Google's browser, so they can do with it as they will. Chrome isn't by any means a monopoly. The browser market is a crowded place. This is not a situation where there aren't viable alternatives. Don't like it, there are PLENTY of other browsers out there, Firefox, IE, Edge, Safari, Vivaldi, and more. Many of those others are forks of the main browsers' engines, but since they are forks they can decide whether or not to include certain features.

      1. Mike Pellatt

        Indeed - it is exactly their job to do this.

        And it's not the first time. In fact, Firefox acted much faster than Google over the StartCom/WoSign shenanigans, but Google have done the same with them.
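
The truststore mechanism discussed in the replies above, as an added example that is not part of the original thread: the same leaf certificate verifies or fails depending only on which roots the client's truststore contains. The CA names, the hostname `shop.example`, the file names and the helper functions are all constructed for illustration; only the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: every CA, hostname and file here is made up.
# Trust is a client-side decision: drop a root from the store and
# certificates chaining to it stop verifying, although nothing about
# the certificate or the server has changed.

make_ca() {      # $1 = file basename, $2 = subject CN (self-signed root)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = CA basename, $2 = leaf basename, $3 = leaf CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

client_trusts() {  # $1 = truststore bundle, $2 = leaf; exit 0 if the chain verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() (       # subshell body: the cd below does not affect the caller
    dir=$(mktemp -d) && cd "$dir" || exit 2
    make_ca legacy_root "Constructed Legacy Root"
    make_ca other_root  "Constructed Other Root"
    issue_leaf legacy_root site "shop.example"

    # Truststore shipped by a browser release that still includes the root...
    cat legacy_root.pem other_root.pem > store_before.pem
    # ...and by a later release after the vendor removed it.
    cp other_root.pem store_after.pem

    client_trusts store_before.pem site.pem && before=trusted || before=rejected
    client_trusts store_after.pem  site.pem && after=trusted  || after=rejected

    cd / && rm -rf "$dir"
    echo "before=$before after=$after"
)

run_demo
```
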
