The Dark Mod Forums

Symantec Security Certificates


esme


Spotted an article on boingboing some of you may be interested in


Chrome won't trust Symantec-backed SSL as of Jun 1 unless they account for bogus certs

Apparently Symantec, a major issuer of site security certificates (the certificates used by HTTPS sites to encrypt all data traffic between the site and your browser and to let you trust the site you are visiting), has been issuing bogus certificates.

I'll just repeat that for emphasis.

SYMANTEC HAS BEEN ISSUING BOGUS SSL CERTIFICATES

This was initially found by Google, and it allows man-in-the-middle attacks on google.com users; however:

 

 

As Google has dug deeper into Symantec's certificate issuance, they've found many bogus certs, triggering an internal audit by Symantec that found literally thousands of "misissued" certificates.

 

So we can't trust any site that has a certificate issued by Symantec, so that's banks, shops, anywhere really.

 

We need Mozilla, Microsoft and all the others to also reject Symantec certificates, so please raise awareness of this. If we can't trust that we are actually securely connected to the site we think we are looking at, then eCommerce is dead in the water and several countries' economies will stumble and fail.

 

This could be accidental, but personally I think it was a deliberate effort to bypass HTTPS and allow data interception by various security services (yes, NSA, I'm looking at you).

 

This is fuckwittery of the highest order.

 

Why Chrome are waiting until June 1st I have no fucking idea; this should be shouted from the fucking rooftops, and we should stop trusting Symantec-approved sites immediately, in my book.

Edited by esme

I'm not understanding why this isn't all over the news, and I'm not understanding why Google are waiting until June 1st 2016 before they are going to lift a finger to protect their users. Apparently there's a major, official, trusted certificate authority that's been caught issuing fake certificates, which can be used to allow man-in-the-middle attacks on HTTPS connections.

 

OK, it's only Google certificates that have been spotted, but how many sites check that the certificate they have on the site is the same as the one that is issued to computers that access it? Site owners check the site can be accessed because that's important to them; no point having a site that sells things if no one can see it. But who bothers to verify the client sees the same certificate as is actually on the site? It's a pretty fundamental mechanic: talking to the site at all means you have a secure connection, and as we can trust the CAs it means we're talking to the site we think we are and a man-in-the-middle attack is not possible. Symantec have completely destroyed that mechanic.

 

So that's any eCommerce site, bank, medical system, even Wikipedia: we can't trust that we are in direct communication with any of them. That little padlock symbol is meaningless thanks to Symantec.


Bit more information: http://searchsecurity.techtarget.com/news/4500256515/Google-slams-Symantec-over-Certificate-Transparency-trouble

 

Interesting quote

 

"I am thrilled that this discussion is taking place," said Trell Rohovit, CEO of authentication vendor Hydrant ID in Salt Lake City. "There have to be these independent, third-party checks and balances and systems, and this issue with Symantec has highlighted the fact that the first time we put one out there -- Google Transparency -- well guess what? We're starting to find things, and we can improve on those things and make it better."

 

First time we put one out there?

 

So HTTPS could have been compromised from day one and no one would know?

 

Verification of certificates should have been free, public domain and available from day one.

 

If anyone wants me I'll be digging a fucking bunker in the garden.


HTTPS does seem next to useless; not long ago there was the Heartbleed bug:

A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension can allow remote attackers to view up to 64 kilobytes of memory on an affected server. This could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server.

 

And Symantec are not the only company; it's quite disturbing that such a basic level of online security (HTTPS) is so vulnerable.

Certificate authorities issue SSL certificates to fraudsters.

 

In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims' browsers to display a padlock icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com (issued by Comodo), ssl-paypai-inc.com (issued by Symantec), and paypwil.com (issued by GoDaddy).

 

I was amazed when the Heartbleed bug became public knowledge, as it turns out that the encryption and protocols (OpenSSL) used on servers running Apache and nginx, which are used on approx. 66% of web servers, is an open source project managed by a worldwide community of volunteers. WTF! No disrespect to the people working on the project, but I would have expected there to be a serious organization behind something as important as web security, considering there are industry standards for the likes of USB.

What was also rather sinister when the Heartbleed bug became public: the security services, NSA, GCHQ, had known about the vulnerabilities for years but never told the general public, and they may have actually used the exploits themselves, yet the security services tell us that they need to use mass surveillance as one of their main priorities is to protect us from cyber crime!

 

The internet becomes more depressing by the day and I become more confused; now I read that Amazon, the original online book seller, are to open a real high street book shop. Might as well bin your Kindle; seems it was just another fad.

Edited by Eyeshine
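The Netcraft paragraph quoted above describes Heartbleed as a missing bounds check in the handling of the TLS heartbeat extension. The C below is an added illustration, not code from the original post or from OpenSSL: it reads the heartbeat header from RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) and places the pre-fix logic beside the fixed one. The unchecked function only computes how far past the received record the old code's copy would have reached (it performs no copy, so it is safe to run); the checked function applies the same condition OpenSSL's fix introduced, discarding any record whose header, declared payload and minimum padding add up to more than the bytes actually received. The sample records, sizes and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type (1) | payload_length (2) | payload | padding (>= 16). */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_PADDING_MIN  16

/* Read the peer-controlled payload length from the start of a record. */
static uint16_t hb_payload_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Pre-fix behaviour, modelled rather than reproduced: the old code trusted
 * payload_length and copied that many bytes from the record buffer into the
 * reply. This returns how many bytes such a copy would read beyond the bytes
 * actually received (0 when the record is honest). No memory is copied. */
size_t hb_overread_unchecked(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN)
        return 0;
    size_t wanted = HB_HEADER_LEN + (size_t)hb_payload_len(rec);
    return wanted > rec_len ? wanted - rec_len : 0;
}

/* Fixed behaviour: build the heartbeat_response into out and return its length,
 * or -1 when the record must be discarded silently (RFC 6520 section 4). */
int hb_build_reply_checked(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = hb_payload_len(rec);
    /* The bounds check the vulnerable code lacked: declared payload plus header
     * and minimum padding must fit inside the record that actually arrived. */
    if (HB_HEADER_LEN + (size_t)payload + HB_PADDING_MIN > rec_len)
        return -1;
    size_t reply_len = HB_HEADER_LEN + (size_t)payload + HB_PADDING_MIN;
    if (reply_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);  /* echo the payload */
    memset(out + HB_HEADER_LEN + payload, 0, HB_PADDING_MIN);   /* padding (random in real TLS) */
    return (int)reply_len;
}

/* Constructed sample: the header claims 65535 payload bytes, but only 16 bytes
 * of padding follow, so just 19 bytes were received in total. */
static const unsigned char hostile_record[19] = { HB_REQUEST, 0xFF, 0xFF };

/* Constructed sample: honest request with a 5-byte payload and 16 bytes of padding. */
static const unsigned char benign_record[24] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

size_t demo_hostile_overread(void) {
    return hb_overread_unchecked(hostile_record, sizeof hostile_record);
}

int demo_hostile_checked(void) {
    unsigned char out[64];
    return hb_build_reply_checked(hostile_record, sizeof hostile_record, out, sizeof out);
}

int demo_benign_reply_len(void) {
    unsigned char out[64];
    return hb_build_reply_checked(benign_record, sizeof benign_record, out, sizeof out);
}

/* 1 when the fixed code echoes exactly the declared payload and nothing more. */
int demo_benign_echo_ok(void) {
    unsigned char out[64];
    int n = hb_build_reply_checked(benign_record, sizeof benign_record, out, sizeof out);
    return n == 24 && out[0] == HB_RESPONSE && memcmp(out + HB_HEADER_LEN, "hello", 5) == 0;
}

int main(void) {
    printf("hostile record: unchecked copy would over-read %zu bytes; checked reply = %d\n",
           demo_hostile_overread(), demo_hostile_checked());
    printf("benign record:  unchecked over-read %zu bytes; checked reply length = %d, echo ok = %d\n",
           hb_overread_unchecked(benign_record, sizeof benign_record),
           demo_benign_reply_len(), demo_benign_echo_ok());
    return 0;
}
```

Any C99 compiler builds it. The hostile record is what the quoted paragraph's "up to 64 kilobytes" refers to: a 19-byte message whose two-byte length field asks for 65535 bytes, so the unchecked copy would reach tens of thousands of bytes past the record into whatever the server's heap held. The fixed path rejects it before any copy, while the honest request still gets its 24-byte echo.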

That's tiny in comparison to the loopholes in Kaspersky's antivirus. When it comes to privacy of the user I'm totally with Symantec.

I don't honestly care about certificates but I can sympathise with you, yet every anti-virus faces criticism and has weaknesses at some point anyway.

"I really perceive that vanity about which most men merely prate — the vanity of the human or temporal life. I live continually in a reverie of the future. I have no faith in human perfectibility. I think that human exertion will have no appreciable effect upon humanity. Man is now only more active — not more happy — nor more wise, than he was 6000 years ago. The result will never vary — and to suppose that it will, is to suppose that the foregone man has lived in vain — that the foregone time is but the rudiment of the future — that the myriads who have perished have not been upon equal footing with ourselves — nor are we with our posterity. I cannot agree to lose sight of man the individual, in man the mass."...

- 2 July 1844 letter to James Russell Lowell from Edgar Allan Poe.



Really? So it's not important that when you buy something online, even though it's got the padlock and says 'HTTPS', you could actually have just given all your data to a scammer site? These two indications of security are all we have online, but they are pointless if they cannot be trusted.

 

I now use a VPN when buying anything online; it's not to mask my IP, it's to use the 2048-bit encryption. Some sites don't like it and won't allow the transaction, but they can piss off and I'll buy elsewhere. Incidentally, I recently changed my online banking password and discovered that the password can only be a maximum of 16 numerals and letters, but my eBay password can be up to 62 ASCII characters. I asked the bank why I can have a much stronger password on eBay than I can with my bank account, and all they said was that if I suffer any losses through fraud and it's not my fault I will be reimbursed. Maybe the bank considers that its security is too good to be hacked, but that arrogance has cost many banks a lot of money, and it just seems stupid and lazy on the bank's behalf that their site does not allow better passwords. As a customer I want the strongest possible password options, so if my data is hacked it will take a supercomputer a few years to decrypt, therefore realistically making it useless. It's so damn obvious that a 62 ASCII character password is far stronger than a basic 16 letter and numeral password, but some banks are still ignoring these simple facts.

Edited by Eyeshine

Passwords are important, but if they write in the contract that they're obliged to give the money back in case of a security leak then it's their problem. Or find another bank :)


But that's not good enough. Banks should provide the strongest passwords and security available; it's not acceptable that you can have a far stronger password on eBay than a bank can provide. If eBay can do it, so can the banks. We now know that HTTPS cannot be trusted to always be secure, so any company storing our data needs to do everything possible to keep it secure. The likes of Talk Talk should be prosecuted and shut down for the total contempt they have shown to their customers.

 

It's not just about the bank refunding the money; you have to consider the full implications of having your data stolen from a bank (or anywhere else). When your data is stolen, your identity is cloned and credit cards are taken out in your name and you get the bills. Some people have even had VAT demands for tens of thousands of pounds because the ID thief has bought gold abroad and imported it without paying the VAT; try working that out with the Inland Revenue. Some people have had to sell their homes to pay off the debts, or lost their homes because all their savings were stolen and they can't pay the mortgage.

 

A TV program just last night investigated what happens to personal data when scammers get hold of it, and they found 1,000s of credit card numbers for sale on the dark web. The TV program contacted some people, and most of the cards were still active and the card owners didn't know their data had been stolen. There are probably a lot of companies that get hacked and people's data is stolen, but the companies keep quiet about it. Many banks have lost millions to hackers and scammers but won't admit how much, yet some banks still don't seem to do enough to protect customer data. That's what has really pissed me off: how would you feel if you lost everything because of hackers getting your data from your bank because the bank's security was weak? It's about far more than a bank refunding money.

Edited by Eyeshine

Absolutely agree. That's why a lot of the people in my country still keep their savings in cash. Call it old fashioned but banks are more than unreliable here. The regular stolen money from banks is just the pinnacle on the cake.

The best thing to do if you're really afraid of being poor overnight is to have insurance, or to invest that money somewhere where you're guaranteed to have a revenue later on. Besides all that, having a lot of money isn't really practical either unless you know what to do with it, if you ask me. Kind of a risk.

Edited by Anderson


 

I like gold (who doesn't?), not bought as an investment to make money, as obviously the price can fluctuate, but it's very unlikely that the price will drop that much as there is not enough gold produced to flood the market. Today it's safer than money in the bank, and you can keep it in secure storage without worrying about home security and sell it in minutes over the phone to the dealer you bought it from; you might even make a profit.


I'm talking about common folk :) With common paper money.


 

Oh, I'm common alright :D I'm not talking big money, but when I sold a bike for £3,000 and went to pay it into the bank they immediately started 'advising me' to put the money into some long term investment. I wasn't impressed, because the interest was very small and you lose money if you want to cash in before the terms and time of the investment are up, so I bought some gold. If I need the cash I can sell the gold and have money in the bank within hours. The banks can piss off with their crap interest rates and conditions, and many high street banks are closing in the UK.


Good for you then! Most people don't bother with that. In fact they are pretty scared of banks and all of these complications with terms of the contract (with some hidden clause to be interpreted in favour of the bank). The bank always has good lawyers so you have to know what you're doing if you get in a litigation with them.
