Mozilla grants distrusted Symantec certs a stay of execution, claims many sites yet to make switch

Mozilla has postponed its plans to distrust all legacy digital certificates from Symantec, spreading dismay in security circles. The org has put off the disavowal because many well-trafficked websites have not switched – despite the execution notice going up over a year ago. Ordinary surfers will notice it once Chrome 70 lands …

  1. stiine Silver badge
    FAIL

    Who, and how much?

    I want to know who got the bribe and how much they got. At this point, there's no reason to extend it.

    1. Dan 55 Silver badge

      Re: Who, and how much?

      I guess they're trying to hang on to users. Firefox Quantum seems to have made some monthly active users move somewhere else. There was a summer slump that never went back up. Odd that...

      1. Peter2 Silver badge

        Re: Who, and how much?

        I guess they're trying to hang on to users. Firefox Quantum seems to have made some monthly active users move somewhere else. There was a summer slump that never went back up. Odd that...

        I'm one of those users. I was involuntarily upgraded to the new Quantum browser from the ESR release of Firefox. The new browser had loads of UI changes somebody probably thought would be a good idea to shove down my throat without a choice or method of reversion, while also deciding that I wouldn't actually want any of the extensions I'd got installed.

        I had a quick look around and discovered that nobody had produced an extension to restore the UI of the browser back to how it looked previously. Having had my browser changed with the elimination of my preferences yet again with no way of actually restoring it this time, I decided that after ~14 years it was time to switch browsers, since Mozilla has evidently been taking instruction from Microsoft as to how to forcefully cram increasingly broken bloatware down the throats of the users and ignore the feedback (i.e. screams of protest).

        Deciding that I probably wouldn't be the only person this unhappy with the status quo led me to check for forks of Firefox that keep up with security updates but don't leave me without a working web browser every 6 weeks. After trying a few alternatives I decided I quite like Pale Moon, and have been using it without any regrets since.

        The developers for it port the security updates to their codebase, but leave everything else alone. I'm quite happy with this, as are family and friends, and it has the benefit of not needing to do such major QA for updates as Firefox did at work. Better all round.

        1. Zippy´s Sausage Factory

          Re: Who, and how much?

          @peter2 That's one of the main reasons that I switched to Pale Moon. It's not getting enough traction in my opinion, but it's a very nice alternative to Firefox that deserves a look.

          1. Spazturtle Silver badge

            Re: Who, and how much?

            LOL Pale Moon, have you also disabled your anti virus and opened all ports?

            If you like Pale Moon I have another web browser you might like, it is called Internet Explorer 6.

            "The developers for it port the security updates to their codebase,"

            If you believe they actually port security updates then I have a bridge to sell you.

          2. jelabarre59

            Re: Who, and how much?

            @peter2 That's one of the main reasons that I switched to Pale Moon. It's not getting enough traction in my opinion, but it's a very nice alternative to Firefox that deserves a look.

            I'm using Waterfox, which seems to get more effort put into it than Pale Moon. But that's still not workable for my 32-bit Acer netbook, and trying to run it on my RHEL7 work machine would have required too many library hacks.

          3. Cavehomme_

            Re: Who, and how much?

            I used Pale Moon for a while but had some problems with some work sites. Also rather concerned that it was an effort, at the time, of just one man...and perhaps his dog too. That's too risky for me, so I moved. Tried Waterfox, but not for me.

            I've gone back to FF and I've settled into the new version, not sure what the hoo-ha is all about, other than some add-on developers and their users screaming blue murder. The new FF is a lot safer than the old one, yet still more flexible than Chrome, although Chrome is more secure with its sandboxing. I use Chrome for work and financial sites and FF for the rest.

        2. JohnFen

          Re: Who, and how much?

          Yes, me too. The new Firefox just isn't for me.

        3. Dan 55 Silver badge

          Re: Who, and how much?

          I had a quick look around and discovered that nobody had produced an extension to restore the UI of the browser back to how it looked previously.

          Unfortunately it's impossible to do with the fantastic new API.

          After trying a few alternatives I decided I quite like Pale Moon, and have been using it without any regrets since.

          I went for Waterfox. It can do all three kinds of Firefox extensions and it's based on Firefox 56 + a few minor UI changes which came later (sidebar, some preferences) + security updates. I figure it can't be worse than ESR 52.9.0 and if the project dies I'll look for another one.

          1. Peter2 Silver badge

            Re: Who, and how much?

            If you like Pale Moon I have another web browser you might like, it is called Internet Explorer 6.

            Look mate, most of us were moving people off of IE6 to Firefox in the second browser wars. In the early days, the biggest selling point of Firefox was that you could have it set up the way you wanted it.

            All of the people who have fled Firefox will have done so because after 14+ years using the classic UI plus their modifications they know every nook and cranny of the UI and can do what they want to do quickly and efficiently, and frankly can't be assed to relearn how to use their own web browser because somebody thinks they should.

            If Firefox wanted to retain or regain its userbase then it's pretty easy to do. When you make massive changes to the UI just include another theme called "classic" that people can apply if they don't like your changes, and problem perpetually solved. Acting like a spoiled teenager and insulting the people leaving because they don't like the way the product changes tends to convince those people to remain in opposition rather than switch back. It's counterproductive as well as being childish.

            I went for Waterfox. It can do all three kinds of Firefox extensions and it's based on Firefox 56 + a few minor UI changes which came later (sidebar, some preferences) + security updates. I figure it can't be worse than ESR 52.9.0 and if the project dies I'll look for another one.

            Yeah, I did look at Waterfox. It's a good alternative if you liked that UI, however personally I was quite happy with the original Firefox user interface that I've been using since FF1 and went with Pale Moon on the basis that it's the default. Either work though, I'm just glad we have the option to do this these days!

            1. jelabarre59

              Re: Who, and how much?

              Acting like a spoiled teenager and insulting the people leaving because they don't like the way the product changes tends to convince those people to remain in opposition rather than switch back. It's counterproductive as well as being childish.

              Ah, so they brought in developers from the Pidgin and Gnome projects?

            2. Spazturtle Silver badge

              Re: Who, and how much?

              "Acting like a spoiled teenager and insulting the people leaving because they don't like the way the product changes tends to convince those people to remain in opposition rather than switch back. It's counterproductive as well as being childish."

              I am not mocking you for leaving Firefox, I am mocking you for choosing the stupidest choice out of all the alternative browsers.

      2. gnarlymarley

        Re: Who, and how much?

        I guess they're trying to hang on to users. Firefox Quantum seems to have made some monthly active users move somewhere else. There was a summer slump that never went back up. Odd that...

        And this is the reason why to try and keep your users happy. In the past, Firefox has attempted stuff like this only to have the users complain to the website administrators. Now that the users are more wise, they are switching browsers instead. This means administrators may not be getting notified that there is a problem and folks are switching instead. I am one of those people that switched.

        It also means that Firefox lost their power (their ability to say what I do on the internet by forcing changes) over me and my browser.

    2. ivan5

      Re: Who, and how much?

      There is to some extent. Think of us poor buggers that have to use legacy equipment that all the latest and greatest browsers don't work on.

      It gets damn annoying to have to carry a tablet around just to visit the sites that have changed over.

  2. EJ

    Name and shame, name and shame.

    1. Version 1.0 Silver badge

      Name and shame? Really - it seems like that's standard modus operandi these days for politics and tech. If you do something then people complain, and if you don't do anything, people complain.

      1. Geoffrey W

        Tech folk are deeply conservative and dislike change. The longer they have been doing something in a particular way, the more resistant they become to doing it another way. Young tech folk take to the new ways more easily but over time they too will develop a conservative resistance when someone again tries to introduce some change. It's generational, like pop music - parents always look at their sprogs' music with disdain, and those young sprouts will in their turn age and come to deride their own sprogs' music. C'est la vie.

        And everyone loves to complain. It's a bonding exercise, where folk with similar gripes gather together to point pointy fingers at someone else, to justify and reinforce their own gripes. You can observe it in comments attached to Microsoft articles, especially Windows 10 articles. Fascinating, Captain.

        1. JohnFen

          "Tech folk are deeply conservative and dislike change."

          I honestly don't think that's accurate. Tech folk tend to be neophiles, not neophobes. The difference between greybeards and young sprouts is not resistance to change, it's that greybeards have more experience to base judgements on what constitutes change for the better and change for the worse.

          1. Geoffrey W

            I'm tempted to make another inflammatory observation...Men tend to be more resistant to change than women. There, I did it! I tried not to but, being a man, was unable to change my normal behaviour. I've been getting too many upvotes lately, anyway.

        2. Gene Cash Silver badge

          Tech folk are used to the rule that new stuff is usually shite. And they're not amused by sparkly shiny stuff with less functionality.

          But sometimes it's not.

          Heck, I just upgraded from Android Marshmallow to Android Oreo and I'm the first to admit it was an enormous improvement. The quick-settings tiles alone obsoleted half a dozen of my own apps. The Bluetooth is markedly better. The power management is insane. My Moto G6 did 5+ days without recharging in normal use, straight out of the box without disabling anything or doing anything special to conserve battery, and running the same apps I used on my Nexus 6P.

  3. David Austin

    Disappointing

    I was expecting the browser makers to play hardball: Users can still click through to get to the sites, and the "Not Secure" message being shown to everyone is a nice public incentive to fix it.

    Still, as Google's the no. 1 web browser by a large margin, they'll still have to fix it, so Firefox's stance, if done in isolation, is a moot point.

  4. John Savard

    Bad Decision

    Obviously those sites will switch quicker once nobody can visit them.

    However, I have noticed in Firefox that now sometimes when I visit a site with a bad certificate, I can't just click on a button and see the site anyways. If they hadn't changed that, there would be no issue, and they could distrust the certificates right away without causing a negative impact on users who are blocked from sites they need to access that are not infected, just out of date.

    1. Spazturtle Silver badge

      Re: Bad Decision

      " I have noticed in Firefox that now sometimes when I visit a site with a bad certificate, I can't just click on a button and see the site anyways."

      That means the site has HSTS set and cannot be accessed at all without a valid cert.
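The HSTS behaviour Spazturtle describes, as an added example that is not part of this thread or any browser's code: RFC 6797 section 12.1 requires a user agent to terminate a connection to a Known HSTS Host on any TLS or certificate error without offering the user a way to proceed. The code below models the part of a browser that decides this, including the edge cases that trip people up: a policy that has expired, a header with max-age=0 that deletes the policy, and a parent domain's policy that only covers subdomains when includeSubDomains is present. The hostnames, header values and timestamps are constructed sample data.

```python
"""Added example (not from the comment thread): how a browser decides whether a
certificate error can be clicked through once a host is a Known HSTS Host.

Per RFC 6797 section 12.1 a user agent MUST NOT let the user override a TLS
error for such a host. All hosts, headers and times below are constructed."""
import time
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str
    expires_at: float      # epoch seconds at which max-age runs out
    include_subdomains: bool


def parse_sts_header(value: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the header is
    unusable. RFC 6797 section 6.1 makes max-age mandatory; directive names
    are case-insensitive and unknown directives (e.g. preload) are ignored.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def update_store(store: dict, host: str, header_value: str, now: float) -> dict:
    """Apply a header received over a secure connection to the policy store.

    max-age=0 deletes the host's policy (RFC 6797 section 6.1.1); any other
    value refreshes it. Headers seen over plain HTTP must be ignored by the
    caller, which is why no scheme is passed in here.
    """
    parsed = parse_sts_header(header_value)
    if parsed is None:
        return store
    max_age, include_subdomains = parsed
    host = host.lower()
    if max_age == 0:
        store.pop(host, None)
    else:
        store[host] = HstsPolicy(host, now + max_age, include_subdomains)
    return store


def is_known_hsts_host(store: dict, host: str, now: float) -> bool:
    """True if host matches a live policy exactly, or is a subdomain of a
    policy that carries includeSubDomains (RFC 6797 section 8.2)."""
    host = host.lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = store.get(candidate)
        if policy is None or policy.expires_at <= now:
            continue          # no policy, or it has expired
        if candidate == host or policy.include_subdomains:
            return True
    return False


def cert_error_override_allowed(store: dict, host: str, now: float) -> bool:
    """A Known HSTS Host gets no click-through on a certificate error."""
    return not is_known_hsts_host(store, host, now)


if __name__ == "__main__":
    now = time.time()
    store: dict = {}
    # Constructed sample headers, as if received over HTTPS.
    update_store(store, "bank.example", "max-age=31536000; includeSubDomains", now)
    update_store(store, "blog.example", "max-age=300", now)
    update_store(store, "old.example", "max-age=300", now - 600)  # already expired
    for h in ["bank.example", "api.bank.example", "blog.example",
              "www.blog.example", "old.example", "shop.example"]:
        print(f"{h:20} override allowed: {cert_error_override_allowed(store, h, now)}")
```

Running it shows why a site that sent a long max-age header before its Symantec cert went bad cannot be clicked through: the policy outlives the cert, and on a distrusted chain the browser simply refuses. A site on the built-in preload list behaves the same way, except that the policy is shipped with the browser rather than learned from a header.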

  5. Anonymous Coward

    Fart in a colander

    Being as Symantec is not issuing certs any longer and so there's no insiders to create certs for dubious purposes, it's all about as much use as a fart in a colander to distrust them now. The max life of a cert is 2 years, this has been going on for over a year, so they go away soon anyway.

    Google's security princess let slip in an interview on BBC Click that the whole SSL push is because big ISPs in the US are replacing their ads, nothing to do with security, everything to do with $$$. Don't believe it, hear it for yourself, right near the beginning of the programme.

    1. DryBones

      Re: Fart in a colander

      Doesn't mean it's not a good idea. Replacing their ads with others is a short walk from China "replacing ads with malware", etc, etc. A good move done out of self-interest is still a good move.

      All these sites have to do is replace their SSL cert. If they can't manage that after more than a year, they don't deserve any traffic.

      1. Anonymous Coward

        Re: Fart in a colander

        "All these sites have to do is replace their SSL cert. If they can't manage that after more than a year, they don't deserve any traffic."

        Whilst that is all they have to do, doing so will not make anything tangibly safer or more secure for anyone. The threat scenario is that Symantec might have erroneously issued a certificate that allows some website to pretend to be something it's not during a man in the middle or in conjunction with a DNS attack. It's ridiculously unlikely for an attacker to wait over a year before utilizing such a fake cert particularly as they would be aware that the trust chain for that cert is going to be removed.

  6. mark l 2 Silver badge

    If Chrome is still going to make the Symantec certs untrusted as planned, then FF delaying is hardly going to help the websites that haven't switched, as the majority of web traffic comes from Chrome browsers.
