[cryptography] [FORGED] Google tears Symantec a new one over rogue SSL certs
pgut001 at cs.auckland.ac.nz
Sun Dec 13 21:31:13 EST 2015
Jeffrey Walton <noloader at gmail.com> writes:
>Google has read the riot act to Symantec, scolding the security biz for its
>slapdash handling of highly sensitive SSL certificates.
Hardly. It's just TB2F business as usual. If you read the original article:
>Symantec performed another audit and, on October 12th, announced that they
>had found an additional 164 certificates over 76 domains and 2,458
>certificates issued for domains that were never registered.
>Therefore we are firstly going to require that as of June 1st, 2016, all
>certificates issued by Symantec itself will be required to support
>After this date, certificates newly issued by Symantec that do not conform to
>the Chromium Certificate Transparency policy may result in interstitials or
>other problems when used in Google products.
A major CA has blatantly abused its position as a "trusted authority". We
will be responding to this abuse of trust by waving our index fingers at them
in a vaguely scolding manner. In the future, if it happens again, we might
even go so far as to send them a strongly-worded letter, and take them off our
Christmas card list.
In the meantime, we would like to congratulate Symantec on their record-
breaking $900M profit for the latest financial year, and hope they have many
further profitable years securing the Internet with trusted certificates.