[Cryptography] Chrome & Firefox protecting users against Symantec (Thawte, Verisign, Equifax, Geotrust, RapidSSL, etc) certs.

Ray Dillinger bear at sonic.net
Tue Sep 12 14:45:52 EDT 2017


Both of the major browsers apparently have plans to stop trusting
essentially everything issued by Symantec, which is long overdue.

(Side question: Why the heck did Symantec think it needed so many
different names?  When I see other companies playing shell games like
that my first thought is money laundering.)

Plans are to upgrade Chrome security against certificates issued by the
Symantec root key (including all the additional brand names) over the
next year.

http://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Natch, corresponding security upgrades for Firefox users are underway at
Mozilla.

https://www.thesslstore.com/blog/mozilla-match-googles-plan-symantec/

There are a couple of other browsers people care about, but as minor
players they don't have much latitude to make their own decisions
anymore. They used to be more independent, but these days, they just
copy whatever Chrome and Firefox do.

PKI is still broken, but at least in some of the most egregious cases,
and with heroic effort and a year-plus rollout plan, a key revocation
can in fact take effect!

				Bear
