Google and Symantec clash on website security checks

escapefromstress

New member
Dec 18, 2014
1,144
1
0
24 March 2017

Google claims Symantec has done a poor job of using standard tools, called certificates, that check the identity of thousands of websites.

It will change its Chrome browser to stop recognising some Symantec certificates, causing problems for people who visit sites using them.

Symantec said Google's claims were "exaggerated" and "irresponsible".

The row concerns identity checks known as "security certificates", which underlie the HTTPS system that ensures data is encrypted as it travels to and from a website.

Symantec is one of the biggest issuers of basic security certificates as well as their extended versions, which are supposed to give users more confidence in the security of a site.

'Strong objection'

Google alleges that Symantec has not done enough to ensure that these basic and extended certificates are being issued correctly. It claims to have evidence that over the past few years 30,000 certificates are suspect.

In a bid to tackle the problem, Google said it would change the way many versions of Chrome display information derived from Symantec certificates. This could mean many users get warnings that sites are insecure or are blocked from visiting them.

In response, Symantec said it "strongly objected" to the way Google had acted, saying its decision was "unexpected".

Its statement added that Google's statements about the way it issues certificates were "exaggerated and misleading". It threw doubt on the claim that 30,000 certificates had been issued incorrectly and said only 127 had been identified as wrongly issued.

Symantec said it had taken "extensive remediation measures" to improve the way it issued certificates and noted that many other certificate issuers had not gone as far.

It queried why it had been "singled out" by Google when other certificate issuers were also at fault.

"We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners," it concluded.

http://www.bbc.com/news/technology-39365315
 

escapefromstress

Google Chrome to Distrust Symantec SSLs for Mis-issuing 30,000 EV Certificates

Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years.

The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again.

Extended validation certificates are supposed to provide the highest level of trust and authentication, where before issuing a certificate, the Certificate Authority must verify the requesting entity's legal existence and identity.

The move came into effect immediately after Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum.

"This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," says Sleevi.

One of the important parts of the SSL ecosystem is trust, but if CAs do not properly verify the legal existence and identity before issuing EV certificates for domains, the credibility of those certificates would be compromised.

The Google Chrome team started its investigation on January 19 and found that the certificate issuance policies and practices of Symantec over the past several years are dishonest and could threaten the integrity of the TLS system used to authenticate and secure data and connections over the Internet.

Under this move, the Google Chrome team has proposed the following steps as punishment:

1. EV certificates issued by Symantec till today will be downgraded to less-secure domain-validated certs, which means Chrome browser will immediately stop displaying the name of the validated domain name holder in the address bar for a period of at least a year.
2. To limit the risk of any further misissuance, all newly-issued certificates must have validity periods of no greater than nine months (effective from Chrome 61 release) to be trusted in Google Chrome.
3. Google proposes an incremental distrust, by gradually reducing the "maximum age" of Symantec certificates over the course of several Chrome releases, requiring them to be reissued and revalidated.

Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
Chrome 63 (Dev, Beta): 9 months validity (279 days)
Chrome 63 (Stable): 15 months validity (465 days)
Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)

This means, starting with Chrome 64, which is expected to come out in early 2018, the Chrome browser will only trust Symantec certificates issued for nine months (279 days) or less.

Google believes this move will ensure that web developers are aware of the risk of future distrust of Symantec-issued certs, should additional misissuance events occur, while also giving them "the flexibility to continue using such certificates should it be necessary."

Symantec Response – Google's Claims Are "Exaggerated and Misleading"

Symantec has responded and stated that the claim of mis-issuing 30,000 SSL certificates made by Google is "Exaggerated and Misleading".

"We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible."

"While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs."

http://thehackernews.com/2017/03/google-invalidate-symantec-certs.html
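
An added example, not part of the quoted article or of Chrome's code: a small audit that applies the release schedule listed above to a certificate inventory and reports the first Chrome release that would stop trusting each certificate. The hostnames and dates are constructed, and treating "validity" as notAfter minus notBefore is an assumption.

```python
from datetime import date

# Maximum accepted validity in days per Chrome release and channel,
# copied from the schedule quoted in the post above.
SCHEDULE = [
    (59, {"dev": 1023, "beta": 1023, "stable": 1023}),
    (60, {"dev": 837, "beta": 837, "stable": 837}),
    (61, {"dev": 651, "beta": 651, "stable": 651}),
    (62, {"dev": 465, "beta": 465, "stable": 465}),
    (63, {"dev": 279, "beta": 279, "stable": 465}),  # Stable lags Dev/Beta here
    (64, {"dev": 279, "beta": 279, "stable": 279}),
]

def validity_days(not_before, not_after):
    """Assumption: 'validity' means notAfter minus notBefore, in days."""
    return (not_after - not_before).days

def max_validity(version, channel="stable"):
    """Limit in force for a given release; None before Chrome 59."""
    limit = None
    for release, limits in SCHEDULE:
        if release <= version:
            limit = limits[channel]
    return limit

def first_rejecting_release(not_before, not_after, channel="stable"):
    """First release on this channel whose limit the certificate exceeds."""
    days = validity_days(not_before, not_after)
    for release, limits in SCHEDULE:
        if days > limits[channel]:
            return release
    return None  # short enough to survive the whole schedule

def audit(inventory, channel="stable"):
    """Map each host to the release that would reject it (None = still trusted)."""
    return {host: first_rejecting_release(nb, na, channel)
            for host, nb, na in inventory}

# Constructed inventory: (host, notBefore, notAfter)
INVENTORY = [
    ("shop.example", date(2015, 6, 1), date(2018, 6, 1)),   # 1096 days
    ("api.example", date(2016, 9, 1), date(2018, 9, 1)),    # 730 days
    ("mail.example", date(2017, 1, 10), date(2018, 1, 10)), # 365 days
    ("cdn.example", date(2017, 3, 1), date(2017, 9, 1)),    # 184 days
]

if __name__ == "__main__":
    for host, release in audit(INVENTORY).items():
        print(host, "reissue before Chrome %d" % release if release else "ok")
```

Running the audit per channel shows which certificates fail on Dev/Beta one release before they fail on Stable.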
 

escapefromstress

Google knows if you’re watching too much porn using Chrome Incognito browsing

We said it earlier but you didn’t pay heed. Long back, we had reported why surfing porn using incognito mode or private browsing mode in Google Chrome, Mozilla Firefox, Microsoft Edge or Internet Explorer, Apple Safari and other browsers is bad. Google proved us right!!! To know how, read on….

It is a well-known fact that 9.5 users out of 10 use incognito or private browsing mode to watch porn. Some do it out of habit while others do it because the browser doesn’t save the history of their nocturnal pursuits. But a vast majority of those using incognito mode or private browsing window to surf porn do it because they believe their sexual escapades will be safe from prying eyes.

Yes, Google Chrome’s incognito mode allows you to browse porn to your heart’s content and your laptop or phone will store no evidence of it. And yes, it is also a fact that Google knows you are using Chrome’s Incognito mode to surf porn. When you open 100 incognito windows in Google Chrome, a smiley or winky face appears. Instead of the normal tab counter in the top right-hand corner, users will see the cheeky face. A winky face appears on Android devices. Open 100 tabs on your iOS device, and you’ll be greeted with a less knowing, more innocent smiley.

Targeting those who spend a lot of time using Incognito Mode, Google’s letting users see their dirty videos finished off with a cheeky hidden message.

While Google’s winky smiley on Android smartphones and iPhones may just be a cheeky response to porn surfers, it also proves what we have been saying for a long time. Using Google Chrome Incognito mode or any browser’s private browsing mode to watch adult entertainment videos is not safe.

Considering the above facts, it is unwise to think that your Incognito mode porn surfing habits are either private or anonymous. If you really want to be anonymous, use VPN but don’t ever, ever be under the impression that your Incognito browsing records are private.

https://www.techworm.net/2017/03/goo...nito-mode.html
 

sybian

Well-known member
Dec 23, 2014
3,617
957
113
Kamloops B.C.
Soooooo.........they are keeping track of what porn I watch?......... For the record I will deny ever Googling midget titty fuck, with cum on toothless grin.
It never happened!
 

hankmoody

Well-known member
Aug 12, 2014
1,005
70
48
I'm a little confused at your point.
What is unsafe about watching adult entertainment?
Who exactly is watching people watch porn?
And is watching illegal now too??
 
Warl0ck

The gist of this thread is this. Symantec issues "certificates". These certificates allow your internet browser to identify "RBC" as "Royal Bank of Canada". The issuance of certificates demands things be 'exact' because they confirm the identity of a site. So if you trade stocks with RBC.com, it better well be RBC.com, not "wehackedrbc.com".

As for porn, unless you're some 1337 hacker it's unlikely you can truly hide your identity online. It's all moot anyway with Trump signing a bill that allows ISPs in the USA to sell your surfing habits. If they can sell them, the US feds can buy them and see where hankmoody surfs. And that's a problem. If you're talking to escorts on TER (which, strangely, is hosted on American soil), you've got a problem. If you're googling "kill the Jews" you probably have a problem. If you're googling "kill the fucking government and shoot the president" you'll probably get put on a watch list.
 