back to article Symantec cert holdout sites told: Those Google Chrome warnings are not a good look

Many high profile UK sites still use Symantec certificates just days before Google will begin the process of dropping support for them with the next and upcoming releases of its Chrome browser. Google's looming disavowal of digital certificates issued by Symantec will occur across two effective dates, April and October. …

  1. Zippy's Sausage Factory
    Meh

    Is the karma from all the years where Symantec have acquired companies that make good products and then as soon as they took them over, turned those products to useless garbage* until they just plain stopped making them finally coming home to roost?

    * With the exception of Ghost, I suppose. Maybe.

    1. J. Cook Silver badge

      I dunno, ghost wasn't all that bad, right up to 8.6 or 8.7 (which was the last version I used, anyway.) The multicasting setup was a bit of a pig to setup and run, but when it worked it was 'good enough'.

  2. Alister

    Specific Certificate Authorities

    Maybe instead of just quoting "Symantec" it would be useful to mention the actual root CAs that this impacts?

    So, if you have an SSL certificate issued by any of the following, you need to get a new one:

    Thawte, VeriSign, Equifax, GeoTrust and RapidSSL.

    1. Anonymous Coward
      Anonymous Coward

      Re: Specific Certificate Authorities

      Hmmm, Equifax and security of any kind is an oxymoron.

      1. Anonymous Coward
        Anonymous Coward

        Re: Specific Certificate Authorities

        It's funny because their website is still using a symantec certificate, too: https://www.ssllabs.com/ssltest/analyze.html?d=www.equifax.co.uk

  3. Lee D Silver badge

    Personally, I have a RapidSSL cert. They keep whinging at me to renew it.

    In the meantime LetsEncrypt added free wildcard certs.

    So I'll probably never bother to use another certification authority again.

    Even my workplace can have their existing certs alongside the LetsEncrypt one in the webservers etc. if they want. Fact is the LetsEncrypt ones are more than adequate now and everything else is a backup in case the 90-day renewal process falls over.

  4. davefiddes

    Looks like for a lot of these sites with problems looming in October it's their Akamai CDN that has the Symantec certificate rather than the main site itself. They should know better I would have thought...

  5. o2bearebel

    Old news

    "These include ScotRail and banks in the RBS Group (Natwest, Royal Bank of Scotland and Ulster Bank), retailer House of Fraser and broadband outfit Gamma Fibre Ethernet."

    ....Old news - All 3 sites that you highlighted have new DigiCert issued certs installed over last few weeks.....<I just checked>

    1. katrinab Silver badge

      Re: Old news

      https://www.bankline.natwest.com still has a Symantec certificate

      A few of the other Natwest and RBS sites I looked at also have Symantec certificates, I didn't see any other certificates in my brief search.

      1. Christoph

        Re: Old news

        HSBC's site still says Symantec

      2. Anonymous Coward
        Anonymous Coward

        Re: Old news

        One Natwest site had no SSL and you ended up at the hosting providers site....naughty naughty.

    2. Anonymous Coward
      Anonymous Coward

      Re: Old news

      www.rbsdigital.com

      personal.natwest.com

      www.ulsterbankanytimebanking.co.uk

      digital.ulsterbank.co.uk

      still use a distrusted root

      Complex organisations, lots of services built and operated in isolation. General shower of shit.

  6. Matulaj

    For those that need help renewing your Symantec/GeoTrust/Thawte/RapidSSL cert, here's a helpful link:

    https://www.digicert.com/replace-your-symantec-ssl-tls-certificates/

  7. Marty McFly Silver badge

    Huh?

    I thought Symantec got out of the certificate business and sold it all to Digicert??

    1. colinb

      Re: Huh?

      Fire up the DeLoren, set it back to just before you posted and reread the last paragraph

  8. mark l 2 Silver badge

    So if you had registered a Symantec issued cert say for 5 years which after April will become useless, but it still time remaining before it expired can you claim your money back from Symantec or the registrar you bought it from?

    1. Anonymous Coward
      Anonymous Coward

      Can't answer your question, but they wouldn't have issued a 5 year cert (it would probably be 5x 1 year certs)

    2. Anonymous Coward
      Anonymous Coward

      Alternatively, perhaps people will seek redress from Google for a "denial of service" attack on their sites. What woudl the reaction be if, for example, NCP car parks announced that "due to concerns over ability of criminals to remotely unlock BMW cars we will no longer permit BMW owners to user our car parks"?

      Seems also to be stepping into "ati-trust" territory if one company can effectively tell the world that they better stop using another companies products if they want to be visible in the dominant web browser.

      1. Anonymous Coward
        Anonymous Coward

        If the certs are vulnerable to attack then I'm not sure it's DDOS.

        Google use/used Symantec for some certs.

        I'd guess it's something serious given Mozilla have joined in.

  9. David 132 Silver badge

    That Chrome error message is dangerously misleading.

    The error message shown in the article - “Attackers might be trying to steal your information” is not just wrong, it’s dangerously misleading and I think Google should be ashamed.

    A more honest error message would be “This site is being vouched for by someone who’s no longer trustworthy”, or some riff on that theme.

    Equating “we no longer trust this cert” with “this cert is a forgery and this site is up to no good” is going to backfire. Users will phone the RAC/Natwest etc, be told “yeah, don’t worry, it’s just Chrome, there’s nothing unsafe about our site” and...next time they see a (genuine) phishing alert, will pooh-pooh it.

    Yes, I understand that users don’t read error messages/warnings, and that those messages must be kept simple. But that can be harmful.

    Am I the only one who has this concern?

    1. teknopaul

      Re: That Chrome error message is dangerously misleading.

      Agree. This message is really to site owners, "Toe the line. We pwn your users."

    2. Christoph

      Re: That Chrome error message is dangerously misleading.

      Possibly it's the generic warning they show for all non-valid certificates if they haven't coded anything specially for Symantec but have simply removed it from the list of trusted authorities.

      1. David 132 Silver badge

        Re: That Chrome error message is dangerously misleading.

        @Christoph Possibly it's the generic warning they show for all non-valid certificates

        I'm sure you're right - that's almost certainly what it is. But my point is that it's misleading. There's a world of difference between "this cert is not valid" and "this cert was considered valid until a week ago, but we no longer trust the issuer because they've been kind of a dick"!

    3. Robert Carnegie Silver badge

      Re: That Chrome error message is dangerously misleading.

      Can someone remind me how untrustworthy the authority is? e.g. could a criminal set up a fake bank site with a fake certificate that pretends to be legitimate? There was something about all the private keys of certificates having been released in the public domain - was that it? or anyway sent in insecure, possibly logged plain e-mail. Sorry, I have a hazy understanding at best of the techy part of this.

      What I'm getting at is: should we presume that the certificates are already in the hands of evildoers? In which case, letting them be used at all now is inappropriately putting mercy over safety?

  10. teknopaul

    "Surfers can just click past such warnings but this is undesirable"

    Unless they are ajax requests. In which case you cant click anything to make it work.

    In fact you cant even see that 10 links on the page go direct to Facebook or who authorized that.

    IMHO browser makers have too much control of SSL.

    If you use Chrome you trust one company, Google. Same aplies to IE and FF.

    SSL is great for browser makers since it gives them control and they have your every move in plain text already.

    It should be up to users who they trust. But no current browser maker sees it like that.

    I think Google is pretty exceptional in its abuse of trust. I dont think most chrome users would be happy to find out what Chrome tracks about them under the guise of "statistics to help make chrome better"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like