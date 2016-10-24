
Symantec caught once again improperly issuing illegitimate HTTPS certificates (extremetech.com)
Source: https://www.mail-archive.com/dev-security-policy@lists.mozil...

More recent discussion: https://news.ycombinator.com/item?id=13449398

We've got a real too-big-to-fail going on here. If a little company screwed something up this badly they'd be dead. But when one the size of Symantec screws up - oh well, they've got too many customers for us to revoke their signing privileges.

It's a ridiculous system and, fwiw, it shouldn't be the security companies (though that's being very polite to Symantec) that grant certificates. It should be notaries public (a business all about assurance of human identity) using a physical appliance.

Or, admit we don't care and ditch the entire system for something based on bailing wire and chewing gum, because that's roughly what we've got now.

"they've got too many customers for us to revoke their signing privileges"

We can however ban them from issuing any new certs. It wouldn't be the first time this has been done.

https://blog.mozilla.org/security/2016/10/24/distrusting-new...

Except if Google decided to drop their certs, what is Symantec going to do? Sue? Google could be sued for leaving known insecure certs in Chrome.

All Google would have to do is warn that +1w all symc new certs will come with a yellow warning.

Symantec can threaten larger lawsuits than you can, so we know how that'd come out.

Also, and most critically, it's musical chairs between cloud and security companies. If Symantec came to Google to complain it's likely they'd go straight to VPs who used to work with them and get special treatment.

Hence the call to use notaries. Let's avoid the whole buddy network.

