Author Topic: The coming Google Symantec Certification battle has been started...  (Read 7071 times)

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29859
  • malware fighter
Re: The coming Google Symantec Certification battle has been started...
« Reply #15 on: September 12, 2017, 12:42:51 PM »
More CA trouble now concerning lack of Comodo CAA checking, reported here: https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08028.html

Somehow the general infrastructure stays 'borked', Microsoft for instance not acting against audio-eavesdropping by microphone and certain surveillance parties blaming Kaspersky for doing so. Double standards rule and political bias is taken as the red herring.

The provided 0-day holes are so-called "features", those that wanna protect you against it are portrayed as 'evildoers'.

Those that matter do not listen, those in the know do not matter, so everything stays "borked" as pre-designed.  :o

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29859
  • malware fighter
Re: The coming Google Symantec Certification battle has been started...
« Reply #16 on: September 12, 2017, 08:14:45 PM »
polonus would not be polonus if he did not come up with some CAA checking links:

https://www.ssllabs.com/ssltest/analyze.html?d=

CAA record helper: https://sslmate.com/caa/

DNS CAA Tester https://caatest.co.uk/

For monitoring (free for up to 5 domains) https://sslmate.com/signup?for=certspotter

enjoy, my good friends, enjoy,

polonus
« Last Edit: September 12, 2017, 08:16:52 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
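Both of the two posts above turn on the same question: given a hostname and a CA, do the CAA records allow that CA to issue? The online testers linked above answer it over live DNS. The following is an added example, not code from the posts or from any of the linked tools: an offline evaluator that walks a constructed zone (the names and records in ZONE are hypothetical) with the RFC 8659 rules, which is what a CA's issuance pipeline is expected to run before signing. One caveat for readers of the 2017 thread: RFC 6844, in force at the time, also followed CNAME/DNAME chains while climbing; RFC 8659 (2019) dropped that, and this code implements the simpler 8659 climb.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    """One CAA resource record: flags (bit 7 = critical), property tag, value."""
    flags: int
    tag: str
    value: str


# Constructed zone data standing in for live DNS answers; all names are hypothetical.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [
        CAA(0, "issue", "digicert.com"),
        CAA(0, "issuewild", ";"),        # empty issuer domain: nobody may issue wildcards
    ],
    "locked.example.com.": [
        CAA(128, "future-tag", "x"),      # critical flag on a property this CA does not know
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name: str, zone: dict):
    """RFC 8659 section 3 tree climb: the closest name (self or ancestor) that has a
    CAA RRset is the one that applies; records further up are NOT merged in."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def may_issue(name: str, issuer_domain: str, zone: dict = ZONE):
    """Decide whether the CA identified by issuer_domain may issue for name.
    Returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    found_at, rrset = lookup_caa(base, zone)
    if not rrset:
        return True, "no CAA RRset on the name or any ancestor: unrestricted"
    # A critical property the CA does not understand forbids issuance outright.
    for rr in rrset:
        if rr.flags & 0x80 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property {rr.tag!r} at {found_at}"
    # Wildcard names use issuewild when any exist, otherwise fall back to issue.
    relevant, tag = [], ""
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        relevant = [rr for rr in rrset if rr.tag.lower() == tag]
        if relevant:
            break
    if not relevant:
        return True, f"CAA RRset at {found_at} restricts nothing for this name type"
    for rr in relevant:
        # The issuer domain is the part before ';'; the rest is parameters.
        domain = rr.value.split(";", 1)[0].strip().lower()
        if domain and domain == issuer_domain.lower():
            return True, f"{tag} {rr.value!r} at {found_at} authorizes {issuer_domain}"
    return False, f"{tag} records at {found_at} do not name {issuer_domain}"


if __name__ == "__main__":
    for host, ca in [("www.example.com.", "letsencrypt.org"),
                     ("www.example.com.", "comodoca.com"),
                     ("*.example.com.", "letsencrypt.org"),
                     ("*.shop.example.com.", "digicert.com"),
                     ("api.shop.example.com.", "letsencrypt.org"),
                     ("locked.example.com.", "letsencrypt.org")]:
        ok, why = may_issue(host, ca)
        print(f"{host:24} {ca:16} {'ALLOW' if ok else 'DENY':5} {why}")
```

The api.shop.example.com case is the one that trips up sloppy implementations: the record at shop.example.com is found first and is the only one consulted, so the Let's Encrypt authorization at example.com does not apply. The shop wildcard case shows that ";" is a deliberate "no one" rather than an absent record.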

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29859
  • malware fighter
Re: The coming Google Symantec Certification battle has been started...
« Reply #17 on: September 13, 2017, 12:41:58 PM »
The whole thing with certificates should be about "trust", but it is all only about the money, and trust here is a secondary issue.
Moreover 90% of users do not have an idea why they should trust a green padlock inside their browser or not.

With such an action both Google and Symantec protect themselves against loss of money, as certificates do not lose their value immediately, so expensive certificates are not turned into worthless ones. Taking months for all of this to happen, Google can put the blame on certification not being renewed in time, which prevents both Google and Symantec from losing money.

The old infrastructure is not failing because of a newer infrastructure being introduced. Otherwise we would have had a real "trust" crisis, and users would not trust certification like in the past. Browsers, CA vendors, accountants all profit from/depend on the financial position of this CA system, so when you can no longer visit a particular website inside the browser, vendors lose money and new buyers stay away. With a multi-billion system no one wants to lose money when a CA or an accountant is not performing as it should.

As polonus sees it, the Internet infrastructure as such is experiencing the greatest trust crisis of all times. Only most are not aware of what is happening, and some even do not care.

It is all about the status-quo between those that want to keep the infrastructure secure and those that wanna keep it zero-holed to quite an extent. It is a very, very difficult balancing act all the way,

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48934
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: The coming Google Symantec Certification battle has been started...
« Reply #18 on: September 15, 2017, 10:34:34 AM »
Win 8.1 [x64] - Avast Premier 17.8.2318.BC - CC 5.37 [OD] - MCS [OD] - EEK [OD] - Firefox ESR 52.5 [NS5/uBO] - Thunderbird 52.5 [EM]
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen und Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29859
  • malware fighter
Re: The coming Google Symantec Certification battle has been started...
« Reply #19 on: September 19, 2017, 07:59:52 PM »
On the backgrounds of trust, we should read this paper: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29859
  • malware fighter
Re: The coming Google Symantec Certification battle has been started...
« Reply #20 on: October 29, 2017, 02:18:12 PM »
Now Google wants to remove public key pinning in Chrome in favour of Certificate Transparency.
Re: https://www.certificate-transparency.org/

More and more Google decides where certification and security is to go.
Https everywhere, certification, Google Safebrowsing. Google to set standards.

Good background read: https://www.globalsign.com/en/blog/what-is-certificate-transparency/
The logs: https://sites.google.com/site/certificatetransparency/known-logs

Also check on: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

polonus
« Last Edit: October 29, 2017, 06:58:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29859
  • malware fighter
Re: The coming Google Symantec Certification battle has been started...
« Reply #21 on: October 31, 2017, 10:12:00 PM »
Due to the Symantec and DigiCert uncertainty seen from how Google handles it,
also while Comodo, one of the big players here,
has sold its Certification Division to Francisco Partners,
that will later come up with another name for that Cert. Division to be known under.

Re: http://www.businesswire.com/news/home/20171031005584/en/Francisco-Partners-Announces-Acquisition-Comodo%E2%80%99s-Certificate-Authority

Also on DigiCert and Mozilla's vision: https://blog.mozilla.org/security/2017/10/31/statement-digicerts-proposed-purchase-symantec/

What's all going on, why are some abandoning ship?

What does this all mean for the security and surveillance landscape?

Lots of questions arising...see what answers the future will bring.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29859
  • malware fighter
Re: The coming Google Symantec Certification battle has been started...
« Reply #22 on: November 06, 2017, 11:18:05 PM »
Trust in Certs, does it really still exist?

Advanced hackers abuse digital certificates to smuggle malware past security scanners:

Read: https://www.theregister.co.uk/2017/11/01/digital_cert_abuse/

Simply copying an Authenticode signature from a legitimate file to a known malware sample in some cases could do the trick,
with 34 AV solutions affected.  :o (The affected AVs are listed in Table 3 in the paper referenced in the article, at http://www.umiacs.umd.edu/~tdumitra/papers/CCS-2017.pdf .)
See: -https://github.com/HackerFantastic/Public/blob/master/tools/bypassavp.sh   >:( :-[

Where's transparency check there for ye? An abuse list coming: http://signedmalware.org/

NotPetya was a recent example of such malware.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
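The copy-paste attack the post describes works because the Authenticode blob is a separate table appended to the file and located through the PE security data directory, and because the Authenticode digest deliberately excludes that table and the directory entry pointing at it. A scanner that only checks "is a certificate table attached?" is fooled; anything that recomputes the file digest and compares it with the signed one is not. The following is an added example, not code from the post, from the cited paper or from the bypassavp.sh script: it builds a constructed toy PE32+ image, implements the real Authenticode file-hashing rules (CheckSum, security directory entry and certificate table left out of the hash), grafts a "signature" from one file onto another the way the script does, and shows the lazy check passing while verification fails. The signature body is a labelled stand-in that stores the digest bare; a real WIN_CERTIFICATE carries PKCS#7 SignedData with the digest inside SpcIndirectDataContent.

```python
import hashlib
import struct

FILE_ALIGN = 0x200
SECURITY_DIR = 4                        # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
TOY_PREFIX = b"TOY-SIGNATURE:"          # stand-in for PKCS#7 SignedData, see sign()


def _layout(pe):
    """Offsets of the optional header's CheckSum field and the security directory entry."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = pe_off + 24                                  # after the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)     # PE32+ vs PE32 data directories
    return opt_off + 64, dd_off + SECURITY_DIR * 8


def build_pe(code: bytes) -> bytes:
    """Constructed minimal PE32+ with one .text section: parseable, not loadable."""
    raw = code + b"\0" * (-len(code) % FILE_ALIGN)
    hdr = bytearray(FILE_ALIGN)                            # SizeOfHeaders = one alignment unit
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", hdr, opt + 4, len(raw))                 # SizeOfCode
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<Q", hdr, opt + 24, 0x140000000)             # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, FILE_ALIGN)     # Section/File alignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, FILE_ALIGN)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 108, 16)                     # NumberOfRvaAndSizes
    sec = opt + 240                                                # first section header
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(raw), 0x1000, len(raw), FILE_ALIGN)
    struct.pack_into("<I", hdr, sec + 36, 0x60000020)              # CODE | EXECUTE | READ
    return bytes(hdr) + raw


def authenticode_sha256(pe: bytes) -> str:
    """Authenticode file digest: the whole file minus the CheckSum field, the security
    directory entry and the certificate table. The spec hashes headers then sections in
    file order; for this image (contiguous sections, nothing after them but the table)
    one pass with those three holes is identical."""
    csum_off, dir_off = _layout(pe)
    tbl_off, tbl_len = struct.unpack_from("<II", pe, dir_off)
    holes = [(csum_off, 4), (dir_off, 8)] + ([(tbl_off, tbl_len)] if tbl_len else [])
    h, pos = hashlib.sha256(), 0
    for off, length in sorted(holes):
        h.update(pe[pos:off])
        pos = off + length
    h.update(pe[pos:])
    return h.hexdigest()


def cert_table(pe: bytes) -> bytes:
    off, length = struct.unpack_from("<II", pe, _layout(pe)[1])
    return pe[off:off + length] if length else b""


def _attach(pe: bytes, table: bytes) -> bytes:
    """Append a certificate table and point the security directory at it."""
    table += b"\0" * (-len(table) % 8)                     # entries are 8-byte aligned
    out = bytearray(pe)
    struct.pack_into("<II", out, _layout(out)[1], len(out), len(table))
    return bytes(out) + table


def sign(pe: bytes) -> bytes:
    """Stand-in signer: a real blob is PKCS#7 SignedData; here the digest is stored bare."""
    body = TOY_PREFIX + authenticode_sha256(pe).encode()
    header = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return _attach(pe, header + body)


def copy_signature(signed_src: bytes, unsigned_dst: bytes) -> bytes:
    """The copy-paste trick: graft one file's certificate table onto another file."""
    return _attach(unsigned_dst, cert_table(signed_src))


def has_cert_table(pe: bytes) -> bool:
    """What a careless scanner checks: 'is a signature blob attached?'"""
    return len(cert_table(pe)) >= 8


def verify(pe: bytes) -> bool:
    """What real verification does: recompute the digest and compare with the signed one."""
    table = cert_table(pe)
    if len(table) < 8:
        return False
    length, _rev, ctype = struct.unpack_from("<IHH", table)
    body = table[8:length]
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not body.startswith(TOY_PREFIX):
        return False
    return body[len(TOY_PREFIX):] == authenticode_sha256(pe).encode()


if __name__ == "__main__":
    legit = sign(build_pe(b"\xC3" * 64))       # constructed 'vendor' binary
    forged = copy_signature(legit, build_pe(b"\x90" * 64))   # constructed 'malware'
    print("legit verify:", verify(legit), "| forged has blob:", has_cert_table(forged),
          "forged verify:", verify(forged))
```

The detection lesson is in the last two functions: has_cert_table is the check the paper's affected products effectively made, verify is the one they should have made. Note too that the digest of the unsigned and signed vendor file is the same, which is what lets a signature be appended without altering the bytes it covers, and exactly what lets it be appended to the wrong file.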