
Why Chrome 53 Is Rejecting Chase Bank's Symantec Certificate - doughj3
https://sslmate.com/blog/post/ct_redaction_in_chrome_53
======
agwa
Author here. It has gotten kind of hard to follow what has happened, so here's
a chronology:

1. In September, Chrome 53 was released, which enabled mandatory Certificate
Transparency for Symantec certificates due to Symantec's history of
incompetence. Some website operators, such as Chase, asked Symantec to submit
their certificates to Certificate Transparency logs in such a way that the
certificate wouldn't be trusted by Chrome, triggering the
ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error. This is when I wrote this blog
post.

2. Last week, an internal timebomb expired in older versions of Chrome
causing this error message for any website using a Symantec certificate issued
since June. Basically, Chrome contains a list of Certificate Transparency logs
that it trusts, and this list has a 10 week expiration date. So if Chrome was
built more than 10 weeks ago, there would be no trusted Certificate
Transparency logs, and therefore any certificate that was supposed to be
logged (such as new Symantec certs) would be untrusted and display this error
message. The Chrome team was able to fix this within 24 hours by remotely
disabling CT enforcement in Chrome. (When Chrome starts up, it fetches a list
of feature flags from a Chrome server using a system called Finch which is
independent of the normal upgrade system.)

3. Today, the Chromium packages in several Linux distros, including Ubuntu,
became 10 weeks old. For some reason, they have not picked up the Finch
update, and so they are displaying this error message for all Symantec
certificates issued since June. This is not confirmed yet, but the current
hypothesis is that the distros have disabled Finch for privacy reasons. It
will probably require a distro package upgrade to fix.
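
The two failure modes in the chronology above (an SCT from a log the client does not trust, and a client whose built-in log list has aged out) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the SSLMate post or from Chromium. It parses the TLS-encoded SignedCertificateTimestampList from RFC 6962 section 3.3 (the structure carried in a certificate's SCT extension), then applies a simplified version of the client checks: each SCT must name a trusted log, and the trusted-log list is treated as empty once the build is more than 10 weeks old, as described for Chrome 53. The log IDs, build dates, SCT bytes and the "at least one trusted SCT" rule are constructed assumptions for illustration; Chrome's real policy counts SCTs by log operator and certificate lifetime, and signature verification is omitted.

```python
"""Toy model of Chrome 53's CT enforcement as described above (added example).

Sample log IDs, dates and SCT bytes are constructed here, not taken from any
real log or certificate. Signature verification is deliberately out of scope.
"""
import struct
from datetime import datetime, timedelta, timezone

LOG_LIST_LIFETIME = timedelta(weeks=10)  # age after which the built-in list is stale

# Constructed trusted-log list: 32-byte log ID -> human-readable name.
TRUSTED_LOGS = {
    bytes([0x11]) * 32: "example-log-a",
    bytes([0x22]) * 32: "example-log-b",
}


def parse_sct(sct: bytes) -> dict:
    """Parse one RFC 6962 v1 SignedCertificateTimestamp (TLS encoding)."""
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = sct[0]
    if version != 0:  # v1 is the only version RFC 6962 defines
        raise ValueError(f"unsupported SCT version {version}")
    log_id = sct[1:33]
    (ts_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    ext_end = 43 + ext_len
    if ext_end + 4 > len(sct):
        raise ValueError("truncated SCT extensions or signature header")
    extensions = sct[43:ext_end]
    # DigitallySigned: hash alg (1 byte), sig alg (1 byte), length (2), signature
    hash_alg, sig_alg = sct[ext_end], sct[ext_end + 1]
    (sig_len,) = struct.unpack(">H", sct[ext_end + 2:ext_end + 4])
    signature = sct[ext_end + 4:ext_end + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return {
        "log_id": log_id,
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: 2-byte length, then 2-byte-prefixed SCTs."""
    if len(data) < 2:
        raise ValueError("truncated SCT list")
    (total_len,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total_len]
    if len(body) != total_len:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SCT length prefix")
        (sct_len,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        sct = body[pos:pos + sct_len]
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        pos += sct_len
        scts.append(parse_sct(sct))
    return scts


def encode_sct(log_id: bytes, ts_ms: int, signature: bytes = b"\x30\x00",
               extensions: bytes = b"") -> bytes:
    """Encode one v1 SCT (used only to build the constructed sample below)."""
    body = (bytes([0]) + log_id + struct.pack(">Q", ts_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([4, 3])  # HashAlgorithm sha256, SignatureAlgorithm ecdsa
            + struct.pack(">H", len(signature)) + signature)
    return struct.pack(">H", len(body)) + body


def encode_sct_list(scts: list) -> bytes:
    body = b"".join(scts)
    return struct.pack(">H", len(body)) + body


def _as_utc(day: str) -> datetime:
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def trusted_logs_at(build_day: str, today: str, log_list: dict = TRUSTED_LOGS) -> dict:
    """Model of the built-in log list: empty once the build is over 10 weeks old."""
    if _as_utc(today) - _as_utc(build_day) > LOG_LIST_LIFETIME:
        return {}
    return log_list


def ct_check(sct_list_bytes: bytes, build_day: str, today: str,
             ct_required: bool = True, log_list: dict = TRUSTED_LOGS):
    """Return (ok, reason) for a certificate carrying the given SCT list."""
    if not ct_required:
        return True, "CT not required for this certificate"
    logs = trusted_logs_at(build_day, today, log_list)
    if not logs:
        return False, "ERR_CERTIFICATE_TRANSPARENCY_REQUIRED: log list expired (build over 10 weeks old)"
    good = [s for s in parse_sct_list(sct_list_bytes) if s["log_id"] in logs]
    if not good:
        return False, "ERR_CERTIFICATE_TRANSPARENCY_REQUIRED: no SCT from a trusted log"
    return True, "trusted SCTs from: " + ", ".join(logs[s["log_id"]] for s in good)


# Constructed sample: one SCT from a trusted log, one from a log this client does not know.
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(bytes([0x11]) * 32, 1467331200000),  # 2016-07-01T00:00:00Z
    encode_sct(bytes([0x99]) * 32, 1467331200000),  # unknown log ID
])

if __name__ == "__main__":
    for build, today in [("2016-09-01", "2016-09-15"), ("2016-09-01", "2016-11-14")]:
        print(build, today, ct_check(SAMPLE_SCT_LIST, build, today))
```

Run stand-alone, the first scenario (a two-week-old build) accepts the certificate on the strength of the SCT from example-log-a, and the second (the same build seen 74 days later, the distro-package situation from item 3) fails with the expired-list error even though the SCT bytes are identical. The same list passes again if `ct_required=False`, which is what the Finch kill switch in item 2 amounted to.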

~~~
swalsh
Is there any reason, in 2016, to use Symantec over LetsEncrypt?

~~~
xyzzy123
extended validation (mandatory for bigcos) and support contracts (important
for corporates, not sure how useful "in real life").

Also, inventory management, which is helpful when you have hundreds or
thousands of certs.

~~~
walrus01
There are lots of EV issuers who haven't been caught doing shady shit like
Symantec...

~~~
nailer
_cough_ Hey there!

CertSimple _only_ does EV, and we do it completely differently from every
other company: we check as much of your company's details before you pay,
matching your order to a registered/active entity, flagging up things before
asking for your credit card number, and helping you resolve any missing
identification steps based on your company, order and the domain names
involved.

I've been on HN for a decade and was at YC in Mountain View last week for the
10-min final interview (we didn't make it, which I blame on me being a
jetlagged mess). OTOH the AirBnB we stayed in used a customer as their ISP.

We're used by a bunch of companies HN folks might know, including Travis,
Tito, and Monzo.

[https://certsimple.com/about](https://certsimple.com/about)

------
robertelder
I'm using Chromium on Ubuntu 16, and I've been trying to visit

[https://www.nist.gov/](https://www.nist.gov/)

but I don't even get an option to 'browse insecurely' under the 'Advanced'
link.

In my experience that past couple days, I get the warning on about 10-25% of
major web sites.

~~~
dijit
try typing 'badidea' on that page and report back if it works. :)

~~~
wereHamster
Can you explain that trick?

~~~
robertelder
I Googled it and found this:

[https://www.reddit.com/r/sysadmin/comments/42xd4i/chrome_dan...](https://www.reddit.com/r/sysadmin/comments/42xd4i/chrome_danger_shortcut_changed_to_badidea/)

------
rgbrenner
"Too many websites have chosen redaction incorrectly"

I purchased a Symantec cert from ssls.com for one of my sites. I wasn't given
the option of redacting anything.. yet I'm seeing this error with Chrome 53 in
Linux. (I also have Chrome 54 on another computer, and it's working fine).

There are clearly other ways of ending up with a certificate that triggers
this.

~~~
nothrabannosir
Did you find your cert in the public log? What does the host name look like?
Is it redacted? Maybe they did it without confirming with you, first :/

~~~
rgbrenner
Checked, and it's not redacted.

------
longwave
The wider bug affects all versions of Ubuntu using Chromium from the universe
repo, which is a 10 week old build of Chrome 53.

Launchpad bug: [https://bugs.launchpad.net/ubuntu/+source/chromium-
browser/+...](https://bugs.launchpad.net/ubuntu/+source/chromium-
browser/+bug/1641380)

------
lifeisstillgood
tl;dr: Symantec have tried to implement a broken version of Certificate
Transparency on their Certs when IETF have not finished the spec.

As such new Symantec certificates don't work in newer versions of Chrome.

Crazy but true.

Kudos to the site owner - clear and simple and authoritative explanation

(Although I see the hand of politics behind this. "Hey we really fucked up the
Google.com certificates. The board insists we do what Google wants and
implement full certificate transparency by June 30. And it took two hours to
explain it to the board so I am not going back to explain that it's all
changed - Just implement the most recent IETF draft. Then I can tell the board
it's done. What's the worst that can happen!"

Oh ....)

------
du_bing
I am in China, when I open baidu.com, zhihu.com, Chromium will throw the
private error. There is an interesting solution, on the page of private error,
input "badidea", the browser will automatically redirect to the targeted
website. But it may be a "bad idea". Now I use Firefox to open these sites.

~~~
discreditable
Chrome had a different bypass password until recently. They've shown that when
a password catches on among the wrong folks they will change it.

------
dantillberg
This bit me on both the NYT and WSJ websites this past week using Chrome 53;
CDNs they were using both broke with this error. Upgrading to Chrome 54 seemed
to solve the problem for me (I'm using Arch Linux, fwiw).

~~~
dfeart3453465uf
Me too, I saw it on Amazon broken. I updated my Chromium and all good.

------
Arathorn
This has been wreaking havoc for matrix.org and riot.im all day - we blogged
about it earlier: [https://matrix.org/blog/2016/11/14/ssl-issues-with-
chromium](https://matrix.org/blog/2016/11/14/ssl-issues-with-chromium).
Tempted to move off RapidSSL wildcard certs to a bajillion LetsEncrypts...

~~~
discreditable
Watch out for the rate limits: [https://letsencrypt.org/docs/rate-
limits/](https://letsencrypt.org/docs/rate-limits/)

------
discordianfish
Upgrade to fixed chromium from staging ppa on Ubuntu:

    sudo add-apt-repository ppa:canonical-chromium-builds/stage
    sudo apt-get update
    sudo apt-get install chromium-browser

------
hxegon
Was wondering why a bunch of websites were giving me ssl errors, but working
in firefox.

------
porges
Forgive my ignorance, but if you're issuing certificates for internal
hostnames that you want to keep private, why would you need a public cert?
Wouldn't an internal CA be better?

------
foxylad
This is affecting Australia's Suncorp internet banking too. We reported the
certificate error to them yesterday, and I've just updated that with a link to
this article.

------
mstefff
Happening with BofA too.

------
bastard_op
Interesting enough, just got this error trying to buy something on ebay for
pay.ebay.com requiring transparency now.

------
known
No problem in Version 54.0.2840.100 (64-bit)

------
joering2
Somewhat off-topic but what a horrible bank they are.

A friend of mine's father almost had a heart attack trying to refinance their
underwater house. Despite his being a US veteran and the government being
willing to sponsor their whole mortgage through some special aid program, Chase
chose not to accept a check from said agency. If it were a check from him they
would gladly take it.. but not from the government. The government, of course,
will not want to write a check for him, so it's a catch-22.

They are currently filing a lawsuit, which Chase gladly accepted (thank God my
friend has a good lawyer who took it pro bono), but it just shows you to what
extent they will go just to make an extra buck.

