
Symantec caught once again improperly issuing illegitimate HTTPS certificates - ghosh
https://www.extremetech.com/internet/243202-symantec-caught-improperly-issuing-illegitimate-https-certificates
======
Titanous
Previous discussion:
[https://news.ycombinator.com/item?id=13449398](https://news.ycombinator.com/item?id=13449398)

(edited for clarity)

~~~
funnyfacts365
More recent? The current post is from 2 hours ago. The one you posted is from
2 days ago.

~~~
grhmc
Perhaps more as in "additional, recent discussion"

------
bandrami
I sometimes wonder why we don't just skip the CA layer entirely and let the
browsers be the CAs. Buy a "mozilla cert" and an "IE cert" and a "Chrome
cert", and all the derivatives of them can hitch a ride based on that. It
would fund browser development and eliminate the steaming pile of misplaced
trust that is the PKI system.

Sometime last year I deleted my CA certificates because I finally realized I'm
never going to actually audit all of the certs in there, and I _know_ there
are confirmed bad actors among them, so I shouldn't give myself a false sense
of security.

~~~
542458
Hm. That's an interesting idea, since browser vendors have more incentive to
maintain a good brand than random CAs that most people have never heard of.

My big concern is browsers effectively would have a monopoly over their users
(in theory users can switch but in practice most wouldn't), meaning that
browsers could dramatically overcharge for their certs. I wouldn't be worried
about, say, Mozilla, but some other vendors might not play nice...

~~~
bandrami
_browsers effectively would have a monopoly over their users_

Sure, and there's already such a troublingly small vendor's market to begin
with (Microsoft, Google, Mozilla, really).

This idea would definitely have problems, but then again so does what we're
doing now...

~~~
snovv_crash
And Apple, since you can't replace mobile Safari, just reskin it.

------
EdHominem
We've got a real too-big-to-fail going on here. If a little company screwed
something up this badly they'd be dead. But when one the size of Symantec
screws up - oh well they've got too many customers for us to revoke their
signing privileges.

It's a ridiculous system and fwiw, it shouldn't be the security companies
(though that's being very polite to Symantec) that grant certificates. It
should be notaries public (a business all about assurance of human identity)
using a physical appliance.

Or, admit we don't care and ditch the entire system for something based on
bailing wire and chewing gum, because that's roughly what we've got now.

~~~
DiabloD3
Except if Google decided to drop their certs, what is Symantec going to do? Sue?
Google could be sued for leaving known insecure certs in Chrome.

~~~
colechristensen
All google would have to do is warn that +1w all symc new certs will come with
a yellow warning.

------
finnn
Source: [https://www.mail-archive.com/dev-security-policy@lists.mozil...](https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg05455.html)

------
poizan42
Wouldn't a course of action be to forbid Symantec from letting their partners
issue certificates using their intermediate CAs? That would probably mean that
Symantec would have to pay compensation to their partners for being forced to
breach their contract.

------
SEJeff
When is Google / Mozilla going to just blacklist them as a CA for anything
going forward? This seems like a thing where they'd be lucky to give you a
single warning as this could literally get people killed due to oppressive
regimes doing MiTM.

------
HillaryBriss
i like the wording in Symantec's press release: "Symantec has learned of a
possible situation..."

so, let's not be hasty. this isn't a security problem. it's just a "possible
situation".

hell, we've all been in situations before. there's nothing inherently wrong
with a situation, even if it took place in a location named "test, Korea". i
mean, hey, we've all taken tests. some of us have even been in test
situations. it's not a problem.

you can just go now. this is not the situation you're looking for.

------
axoltl
Looks like there's more:

[https://crt.sh/?id=63552608](https://crt.sh/?id=63552608) with commonName:
jotestintermediate.bbtest.net

~~~
pfg
They seem to own the domain in question, so that could've been validated
according to spec. The only thing that's weird in that certificate would be
the organizationalUnitName being "Test"; I don't think that would be a
Baseline Requirements violation as such. They only require that the OU field
be not misleading (i.e. you can't use a trademark you do not own as your OU,
etc.)

------
flareback
"Symantec caught once again improperly issuing illegitimate HTTPS
certificates"

So I wonder what the correct way to issue illegitimate HTTPS certificates is?

