[Cryptography] Google distrusts Symantec for mis-issuing 30,000 HTTPS certs

Tom Mitchell mitch at niftyegg.com
Sat Mar 25 18:00:49 EDT 2017


On Sat, Mar 25, 2017 at 8:43 AM, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Ben Laurie:
>
> > In what sense are you trusting Google?
>
....

> It's very difficult to tell what is actually going on because the
> Chrome team posting only says:
>
> | Since January 19, the Google Chrome team has been investigating a
> | series of failures by Symantec Corporation to properly validate
> | certificates.

...

> My interpretation is that the 127 certificates which prompted the
> investigation are identifiable using CT logs, but the large majority
> of those 30,000 certificates discovered later are not.
>
> It seems that more information about what is actually going on can be
> gleaned from this mozilla.org (!) bug:

....

> Based on reviewing this information, my best guess for what is
> actually going on is this
>
>

There are two issues.  The technical and the vested interest.

Google depends on advertising and reliable markets both domestic
and international from many national points of view to justify their
primary cash flow.

If the trust of the web for commerce slips a little or a lot it matters to
Google.
It might even matter more to Google than any other cloud company.

This issue matters to Google a lot.  It is the foundation of their business
and I see this as an awareness of this.

Their needs are akin to banking needs which have their own digital dragons as
a search for "digital banking heist" will show numerous near billion dollar
hits.

I suspect that Google is worried about billions of $1 or less hits.

Scripts and CSS do not always make reference to https in https pages.
This may be the next stage...




-- 
  T o m    M i t c h e l l