[Cryptography] Chrome & Firefox protecting users against Symantec (Thawte, Verisign, Equifax, Geotrust, RapidSSL, etc) certs.



Both of the major browsers apparently have plans to stop trusting
essentially everything issued by Symantec, which is long overdue.

(Side question:  Why the heck did Symantec think it needed so many
different names?  When I see other companies playing shell games like
that my first thought is money laundering.)

Plans are to upgrade Chrome security against certificates issued by the
Symantec root key (including all the additional brand names) over the
next year.

http://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Natch, corresponding security upgrades for Firefox users are underway at
Mozilla.

https://www.thesslstore.com/blog/mozilla-match-googles-plan-symantec/

There are a couple of other browsers people care about, but as minor
players they don't have much latitude to make their own decisions
anymore. They used to be more independent, but these days, they just
copy whatever Chrome and Firefox do.

PKI is still broken, but at least in some of the most egregious cases,
and with heroic effort and a year-plus rollout plan, a key revocation
can in fact take effect!

				Bear

_______________________________________________
The cryptography mailing list
cryptography AT metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography