
Symantec Backs Its CA - andygambles
https://www.symantec.com/connect/blogs/symantec-backs-its-ca
======
c3t0
_> This action was unexpected, and we believe the blog post was
irresponsible._

Problems since Oct 2015 and the action unexpected? See 1)

_> We hope it was not calculated to create uncertainty and doubt within the
Internet community about our SSL/TLS certificates._

Symantec took no ownership of the issue. Snarky underhanded remarks are not a
professional way to address shortcomings in managing their product.

_> For example, Google’s claim that we have mis-issued 30,000 SSL/TLS
certificates is not true. In the event Google is referring to, 127
certificates – not 30,000 – were identified as mis-issued, and they resulted
in no consumer harm._

Per Chrome's team _an initial set of reportedly 127 certificates has expanded
to include at least 30,000 certificates, issued over a period spanning several
years_ see 2)

Summary: No ownership and no action plan conveyed in Symantec's 421-word
message.

1) [https://security.googleblog.com/2015/10/sustaining-digital-c...](https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html)

2) [https://groups.google.com/a/chromium.org/forum/#!msg/blink-d...](https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ)

~~~
ballenf
My take is this message was written by and for lawyers. As in, this is a coded
message from Symantec to Google regarding the basis of damages upon which they
will sue Google if Google doesn't backtrack.

The snarky comments were probably not meant as snarky, they just happen to be
the basis upon which one can seek damages from a 3rd party for damaging your
business or costing you customers.

I would guess that Symantec's lawyers and O-level execs are in deep
discussions whether to sue regardless of Google's follow-up actions or
retraction.

Not saying a lawsuit would help them, but they are laying the groundwork for
it here to keep their options open. And send a message to Google's legal team.

Will be very interesting to see where this goes. Really hope for everyone's
sake it doesn't go to court because it will just end up being a tax on users
in the end (both Google's and Symantec's).

~~~
bubblethink
How would there be any grounds for a lawsuit ? The browser is free to
implement whatever set of features it wants. Not trusting a specific CA is
just a feature (or a bug), whichever way you look at it. A CA is just
providing a service on the web. A service can't sue a browser for not
supporting the service. Symantec is free to create its own browser that trusts
its CA.

~~~
otterley
I could see a cause of action based on a libel theory or tortious interference
with business affairs. Not sure it'd prevail, but there's possibly a prima
facie case there.

------
Manishearth
> Symantec has publicly and strongly committed to Certificate Transparency
> (CT) logging for Symantec certificates and is one of the few CAs that hosts
> its own CT servers.

Lol.

This is like being court-ordered to do community support and then bragging
about all the volunteering you do. Symantec was _forced_ by Google to do CT.
See [https://security.googleblog.com/2015/10/sustaining-digital-c...](https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html), specifically:

> Therefore we are firstly going to require that as of June 1st, 2016, all
> certificates issued by Symantec itself will be required to support
> Certificate Transparency.

(By the end of this year, all CAs will be forced to do CT, but Symantec was
forced into this last year, because of the stupid shit they keep doing)

~~~
Manishearth
(To be clear, they weren't forced to run their own CT log, they just had to
have CT set up, however setting up their own log in light of these
restrictions is a business decision and not an indication of commitment to CT
-- paying someone to run a CT log for them would probably be more expensive.
By the end of this year we may see more/cheaper options for CAs who need to
log their certs.)

~~~
Buge
Do CAs have to pay the log providers? From this article it sounds like Google
is adding certs to their own log for free.

[https://www.certificate-transparency.org/faq](https://www.certificate-transparency.org/faq)

Also

> Anyone can submit a certificate to a log, although most certificates will be
> submitted by certificate authorities and server operators.

[https://www.certificate-transparency.org/how-ct-works](https://www.certificate-transparency.org/how-ct-works)

~~~
Manishearth
I was under the impression that there wasn't any "free to use" log out there,
at least not for someone with the volume of a CA. I could be wrong / this
might have changed since last year.

~~~
tialaramex
Google's logs are free to use, everybody can shove whatever they like into the
Google logs if it chains to a relevant CA.

Most logs don't talk to random civilians about this, but at the ct-policy
meeting the one log which did speak about their policies said that they either
cut a $$$ deal OR they accept a mutual logging arrangement, on the rationale
that if you eat the cost of logging their stuff and they eat the cost of
logging your stuff, that works out fine for everybody.

------
hackcasual
The TL;DR of this whole thing

* Root CA practice allows delegating validation to 3rd parties

* However, the Root CA must accept all responsibility for any mis-validation the 3rd parties do. No throwing them under the bus

* Symantec delegates validation to 4 different companies to serve local markets

* Said companies fail to adequately validate domain ownership

* Symantec attempts to throw them under the bus

Further compounding the issue is that there is no way to separate the
certificates that had more rigorous validation than the ones validated by
these 4 companies

------
orless
This is probably intended as damage control, but I think this response will do
Symantec more bad than good. No problem description, no explanation of
consequences for customers, no acknowledgment of the failure, no action plan,
no schedule, no options, nothing. As a reader, if I'm already aware of the
problem, this response provided zero substance to counter Google. If I'm
unaware then I'm welcome to google what it's all about, land on the blink-dev
post, emotionless and factual. The whole issue is about trust, but so far
Symantec does not seem to act responsibly, which does not help to re-establish
trust.

I also wonder what the exact consequences will be (Symantec post fails to
explain this). I mean, which big sites will be hit? When? For how many users?

~~~
orless
A much more interesting document is "Symantec Second Response to Mis-Issuance
Questions – February 12, 2017":

[https://bug1334377.bmoattachments.org/attachment.cgi?id=8836...](https://bug1334377.bmoattachments.org/attachment.cgi?id=8836487)

------
leeoniya
> Symantec will vigorously defend the safe and productive use of the Internet,
> including minimizing any potential disruption caused by the proposal in
> Google’s blog post.

What they will vigorously defend is disruption to their reputation and their
bottom line. What benefit does a business get from Symantec that they do not
get from Let's Encrypt? EV?

~~~
eganist
Support.

And as mockable as that might sound, it comes in handy for businesses with
special requirements.

~~~
DannyBee
Why do I feel like support is one of the reasons they issued so many certs they
should not have?

------
0x0
With Symantec joining the ranks of StartSSL and WoSign, they can hardly claim
to be "singled out".

PS: It's funny that Symantec's first Google hit for "Encryption Everywhere"
prompts for my browser's geolocation unsolicited. If your product is trust,
maybe you should think a little bit more about how you present your product.

~~~
tajen
Perhaps StartSSL was a life-size rehearsal of the process, making sure that
everything was in order in preparation for Symantec's dismantling.

No earlier than this week has Chrome 57 been rolled out. I know that because a
customer reported to me that one of my websites was distrusted – I had
forgotten a StartSSL certificate over there, and sure enough I didn't notice
it because I was still on Chrome 56. Sounds like a timely coincidence: If I
were Google I would exactly try to distrust a small CA before attacking a
bigger monster.

------
robbiet480
By blog post do they mean the blink-dev mailing list thread [1] that announced
Google's action plan?

[1]: [https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUA...](https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ)

------
dionysianstanza
Straight onto the offensive, as opposed to addressing the quite serious issues
and criticisms which face them.

Their response speaks volumes.

------
angry_octet
It seems 2017 is the year that blustery ignorance of facts became fashionable.
Thankfully they can deny deny deny and stamp their foot however much they want
and it won't matter.

~~~
fooey
Seems like escalating this fight with Google is pretty much the last thing
they should be doing. They need to be proving they can be trusted, not
throwing a tantrum.

------
ganfortran
> While all major CAs have experienced SSL/TLS certificate mis-issuance
> events, Google has singled out the Symantec Certificate Authority in its
> proposal even though the mis-issuance event identified in Google’s blog post
> involved several CAs.

"We are not the only one doing this, why us Google, why us?"

What a shitty excuse. Laughable. Big F to Symantec and wish you bankrupt :)

~~~
tajen
I wish Google were more serious. A proof of deceptive falsification of
certificates by a CA should lead to an immediate distrust in browsers, period.

The job is on the side of CA companies to run audits at the extent of possible
damages, just like in nuclear plants: You just can't do a mistake, and
certainly not 127.

~~~
scrollaway
So chrome can no longer browse ~30% of the secured web. People instead install
a different browser that isn't so "serious", as you put it. Oh and the message
that sends to website owners? "Just don't use HTTPS, your SSL certificate
could be invalidated with no prior warning for reasons that have nothing to do
with you".

Easy, right? Just like a nuclear plant.

~~~
tajen
I don't know, what's best for security? The message is don't use a dodgy
provider. Yes it's a pain for customers, but don't forget we're mostly talking
about level 2/3 certificates (EV, wildcards), so we're talking about banks and
major companies here. They both should and have enough resources to monitor
the trustworthiness of their providers. In the current case, Symantec's
falsifications have been known for long enough.

~~~
cryptarch
I do think the "drop it like it's hot" approach could work, but it would
require browser vendor coordination, so that Symantec HTTPS stops working on
all major browsers at the same time/day.

And honestly, banks should have the expertise and resources to change certs in
a day or two, and if they don't that's on them.

------
guelo
Wow, well with that response now I know for sure never to recommend any
Symantec products

~~~
kalleboo
I've never heard anyone in my life recommend Symantec products.

------
jwilk
Archived copy, which doesn't require JS:

[https://archive.fo/4DAKD](https://archive.fo/4DAKD)

~~~
Semaphor
Heh, I thought it was funny that I had to whitelist a google domain
(ajax.googleapis.com) for the site to load :D

------
draw_down
We didn't take the responsibility of being a CA seriously, and now Google is
being mean to us. Waah.

------
apecat
Symantec is now a company that operates both as a CA and, having acquired Blue
Coat, also as a vendor of TLS intercepting middle boxes that they sell to
despots.

With this history of mis-issued certs in mind, Symantec's CA business should
be kicked to the ground, left bleeding and never be trusted again.

------
natch
As I read it Symantec is being tone deaf here about the problem. Throwing
around numbers like 127 versus 30,000, they seem to be overlooking the fact
that trust flows downward from a small handful of root certs, or certs closer
to the root, and that if the root cert or certs and processes around them are
not trustworthy, then all the subordinate certs are tainted.

They aren't helping themselves any with this kind of post, imho.

------
sparkling
Short SYMC

~~~
unabridged
Exactly what I'm thinking. Who would give Symantec money? I can't imagine the
type of business that would pay them for security.

~~~
technion
The irony is everything I've been hearing was that Symantec was on their way
back to recovery as a company after somehow selling off the woefully under-
performing Backup Exec line in order to focus on the security market. Which
really is SEP and their SSL lines.

------
Animats
Site stuck at "Loading Your Community Experience".

------
wav-part
Just migrate to DNSSEC/DANE already. CAs have no incentive to mis-issue certs.
CAs' whole business model is selling trust. It's obvious TLDs (.com/etc) are the
ones who should validate/issue certs.

Regarding TLDs coming under control of govts, it's solved by independent mirror
nameservers run by app devs (Firefox/Chrome/etc) and NGOs (EFF/etc).

~~~
tptacek
There has never in the history of the Internet been a time when DNSSEC was
less acceptable than it is today. People who don't know much about DNSSEC
(reasonable, since nobody really deploys it, and it's a dying protocol) really
only need to know one thing about it: it's a tree-structured PKI, just like
the CA system, except that the top of the tree is run _de jure_ by world
governments.

If DNSSEC had been deployed 10 years ago, Muammar Ghaddafi would have been
BIT.LY's CA.

[https://sockpuppet.org/blog/2015/01/15/against-dnssec/](https://sockpuppet.org/blog/2015/01/15/against-dnssec/)

~~~
garaetjjte
Except that DNS TLDs are already run by world governments.

Maybe you wanted to say that tree-structured DNS with TLDs owned by
governments is bad, but this is a problem of DNS, not DNSSEC.

DANE reduces the parties able to issue rogue certificates from TLD owner + all CAs
to TLD owner only.

~~~
tptacek
DNS TLDs are run by world governments. But the CA PKI _is not_. Restricting
the ability to issue rogue certificates to world governments is not a win: in
fact, it's a regression.

------
korzun
Something, something, WMDs.

------
Grue3
I'm not aware of the details of this particular case, but now that Google owns
its own CA, it being in charge of unilaterally banning other CAs from Chrome
is a massive conflict of interest.

~~~
HappyTypist
Google doesn't issue certs commercially, and I can assure you that the team
that works on Chrome CA issues isn't concerned about Google's CA.

~~~
Grue3
Considering I don't trust Google, and Google employees (most likely) went to
great lengths to downvote my concern, forgive me if I'm not very assured by
your statement.

