
Symantec Distrust in Firefox Nightly 63 - bigato
https://blog.nightly.mozilla.org/2018/08/14/symantec-distrust-in-firefox-nightly-63
======
chuckgreenman
If you're wondering why Symantec certificates are being distrusted, Mozilla
enumerates a pretty good list of reasons here:
[https://wiki.mozilla.org/CA:Symantec_Issues](https://wiki.mozilla.org/CA:Symantec_Issues)

------
pietroglyph
It's interesting that Firefox preserves the "Continue" button for affected
sites, while Chrome does not. I get that we want to keep broken sites
relatively accessible for a while, but I worry that we could also be teaching
people to ignore warnings like these. I wonder if the continue button
disappears with HSTS…

~~~
abdullahkhalids
Probably because Mozilla subscribes to the ethos that a user should get the
final say in what computation gets done on their computer, and not some third
party. I would be sad if they ever took the "continue" option away.

This is consistent with their position on DRM in browsers.

~~~
aaronmdjones
Firefox Nightly has the continue button regardless, but if the site has HSTS,
it will tell you so, and will not allow you to add an exception; continue only
shows the cause of the problem, in this case, that the certificate came from
an untrusted source. This is in line with the "no user recourse" section of
the HSTS RFC.

------
ehPReth
A (incomplete) list of broken sites:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1484006](https://bugzilla.mozilla.org/show_bug.cgi?id=1484006)

~~~
sofaofthedamned
Considering the PCWorld group in the UK have had to disclose a serious breach
recently, plus they have not bothered to update their EV certs, I'd suggest
their security isn't up to scratch and black hats will notice this.

------
unethical_ban
So is this costing Symantec a lot of money? Are they no longer a root CA in
any capacity?

~~~
detaro
They sold their CA business to DigiCert and quit the market.

~~~
exsymcemployee
Probably for the best. They really buggered up the whole CA thing. Hard to
establish trust after it's been violated.

------
lxe
It's been distrusted in Chrome Canary for a few weeks already.

Similar schedule and post: [https://security.googleblog.com/2018/03/distrust-of-symantec...](https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html)

Sites like PayPal and Intuit, which should be on top of things related to
security, have been non-responsive to my pings to fix it.

~~~
dc_gregory
IIRC, PayPal responded to a previous support request from us stating they were
aware.

------
floatboth
Oh, I guess that's why I've been seeing TLS errors on eBay description pages…

