Google restricting Symantec certificates

[torchwood]

Search giant Google and security firm Symantec have clashed over the way websites are kept secure.

Google claims Symantec has done a poor job of using standard tools, called certificates, that check the identity of thousands of websites.

It will change its Chrome browser to stop recognising some Symantec certificates, causing problems for people who visit sites using them.

Symantec said Google's claims were "exaggerated" and "irresponsible".

The row concerns identity checks known as "security certificates", which underlie the HTTPS system that ensures data is encrypted as it travels to and from a website..

Read more: Google and Symantec clash on website security checks - BBC News

 

[ThrashZone]

Hi,
Symantec isn't that a fancy name for Norton and if so who actually uses them anymore
I thought my mom was their last user which I finally convinced her a couple months ago to not renew
Gave her a mbam pro license to use as well as another free antivirus

 

[Anak]

It seems this disagreement has been going on for almost a year; From google's project zero: June 28, 2016 How to Compromise the Enterprise Endpoint
Then a week later July 05, 2016 US-Cert released: Alert (TA16-187A) Symantec and Norton Security Products Contain Critical Vulnerabilities , and just recently March 24, 2017 Ars Technica released: Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated] Along with torchwood's article it also seems the time has come for a gentle push to turn into a shove.

From torchwood's link:

Symantec said it had taken "extensive remediation measures" to improve the way it issued certificates and noted that many other certificate issuers had not gone as far.

It queried why it had been "singled out" by Google when other certificate issuers were also at fault.

"We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners," it concluded.

Something smells here, if this is going on for almost a year, why is Symantec acting so hurt?

My interest in all this is I have several sites that use Symantec certs and I'm going to have to "politely" inquire what they are doing to bolster their security. One site has an insecure (red 52%) from Calomel SSL Validation, and a 6.3 out of 10 result from Cipher suit. I know Firefox, my browser of choice, has been working on tightening its security, but so far hasn't acted as strongly as Chrome.

Related:
Firefox and Symantec certs

 

[Callender]

Check Firefox for suspicious stored certificates with Certificate Store Checker (RCC) available here:

Windows Apps by FS1 (RCC Link)

Note: This app is updated usually on a monthly basis when the developer has time. If you get a "database is out of date" error when launching then you need to check for or wait for a new version.

Works with default Firefox profile. For variants copy rcc.exe into folders along with cert8.db and nssckbi.dll from each Firefox variant into each RCC folder.

​

Also this addon might be of interest although it hasn't been updated for a while. It notifies on new certificates with options to reject or view details. Also any certificates stored by Certificate Patrol can be cleared.

Certificate Patrol - a psyced Firefox/Mozilla add-on
​

​

 

[Anak]

Good 'ol Callender, thanks for the added info and links, I've been using Calomel and Cipher suit since I saw them in one of your posts a few years back. Good stuff!

 

[HammerHead]

Hack--king

Google should know they have hacked and penetrated everyone and everything.