Tag Archives: Symantec

Warning For Symantec Customers

As I have reported before, Symantec has had problems with its server SSL certificate business for years and was on double-super probation with the browser makers.  Symantec bought most of that business from VeriSign in 2010 for about $1.28 billion, and with it inherited the Thawte, GeoTrust, Equifax and other certificate brands that VeriSign had acquired earlier.

Last month it sold that business to DigiCert for $950 million plus a minority stake in DigiCert, a move designed to salvage what it could of that investment.

But now the other shoe is dropping.

The reason Symantec was in trouble was that, after a string of mis-issuance incidents, the browser vendors no longer trusted Symantec's validation practices.  Certificates issued before June 1, 2016, the date Google started requiring Symantec to log every certificate it issues to Certificate Transparency, cannot even be audited after the fact, so those are the first to go.

OK, so what is there to do?

First, each browser maker runs its own root program and sets its own schedule.  Chrome, however, has the largest share of the browser market, so what Chrome does matters more than what anyone else does, and in this case the other browsers have largely followed Chrome's lead.

As of December 1 of this year, Chrome will no longer trust any NEW certificates issued from Symantec's existing infrastructure.  That means that if your web server uses a Symantec certificate issued from that infrastructure on December 2, Chrome will warn every visitor that the site is not to be trusted.  (Certificates issued after that date from the replacement infrastructure that DigiCert now runs are not affected.)

Starting with Chrome version 66, expected around mid-April 2018, no Symantec certificate issued before June 1, 2016 will be trusted.

Finally, when Chrome 70 is released in October 2018, NO Symantec certificate will be trusted at all, whenever it was issued.

So, for those of you webmasters who bought Symantec certificates: if the certificate was issued before June 2016, you have until April of next year (Chrome 66) to replace it, and if it was issued after June 2016, you have until late 2018 (Chrome 70).

Since most people buy certificates that last one, two or three years, some of this will be solved by attrition, but we were examining one certificate today that expires TEN years in the future.

If you don’t know what vendor your certificates came from please reach out to us and we will be happy to assist you.
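The schedule above reduces to a date check against each certificate's issuer and validity period. The following is an added example, written for this page and not taken from the original post or from Symantec, DigiCert or Google: it parses the text that `openssl x509 -noout -issuer -dates -in cert.pem` prints for a certificate file and reports which Chrome release will stop trusting it, or whether the certificate expires on its own first (the attrition case). Assumptions, also noted in the code: the list of Symantec brand names, the approximate Chrome release dates, and a substring match on the issuer name rather than a full chain check; the embedded SAMPLES are constructed to look like openssl output and are not real certificates.

```python
"""Classify server certificates against the Chrome distrust schedule for
Symantec-brand CAs.

Input is the text printed by
    openssl x509 -noout -issuer -dates -in cert.pem
so the check can run over a directory of certificate files offline.
Assumptions: a substring match on the issuer name is good enough to flag
Symantec-brand issuers for an inventory sweep (it is not a chain or
root-store check), and the Chrome release dates are approximate.
"""
import subprocess
import sys
from datetime import datetime

# Brands that issued under Symantec-operated roots (assumption: substring match).
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "equifax", "rapidssl")

CT_LOGGING_CUTOFF = datetime(2016, 6, 1)        # issued before this: distrusted by Chrome 66
LEGACY_ISSUANCE_CUTOFF = datetime(2017, 12, 1)  # legacy-infra issuance after this: not trusted
CHROME_66 = datetime(2018, 4, 17)               # approximate release dates
CHROME_70 = datetime(2018, 10, 16)

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"           # e.g. "Jun  1 00:00:00 2016 GMT"


def parse_openssl_text(text):
    """Pull issuer, notBefore and notAfter out of `openssl x509` output.

    Handles both the OpenSSL 1.1 form ("issuer=C = US, O = ...") and the
    older slash form ("issuer= /C=US/O=...").
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return (fields["issuer"],
            datetime.strptime(fields["notBefore"], OPENSSL_DATE),
            datetime.strptime(fields["notAfter"], OPENSSL_DATE))


def is_symantec_brand(issuer):
    low = issuer.lower()
    return any(brand in low for brand in SYMANTEC_BRANDS)


def distrust_plan(issuer, not_before, not_after):
    """Return (milestone, date, action) telling the operator what to do."""
    if not is_symantec_brand(issuer):
        return ("none", None, "no action: not a Symantec-brand issuer")
    if not_before >= LEGACY_ISSUANCE_CUTOFF:
        return ("immediate", not_before,
                "replace now: legacy Symantec issuance after 1 Dec 2017 is not trusted")
    if not_before < CT_LOGGING_CUTOFF:
        milestone, when = "Chrome 66", CHROME_66
    else:
        milestone, when = "Chrome 70", CHROME_70
    if not_after <= when:
        # Attrition: the certificate dies of old age before Chrome distrusts it.
        return (milestone, when, "expires first: renew with another CA on schedule")
    return (milestone, when, "replace before " + when.date().isoformat())


def audit_text(text):
    """Classify one certificate from its `openssl x509` text."""
    return distrust_plan(*parse_openssl_text(text))


# Constructed samples in the format openssl prints; these are not real certificates.
SAMPLES = {
    "old_symantec": (
        "issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, "
        "CN = Symantec Class 3 Secure Server CA - G4\n"
        "notBefore=Mar  3 00:00:00 2015 GMT\n"
        "notAfter=Mar  2 23:59:59 2025 GMT\n"),
    "geotrust_2017": (
        "issuer= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA\n"
        "notBefore=Jan 10 00:00:00 2017 GMT\n"
        "notAfter=Feb 10 23:59:59 2018 GMT\n"),
    "post_cutoff": (
        "issuer=C = US, O = thawte, Inc., CN = thawte SSL CA - G2\n"
        "notBefore=Dec  5 00:00:00 2017 GMT\n"
        "notAfter=Dec  5 23:59:59 2018 GMT\n"),
    "other_ca": (
        "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\n"
        "notBefore=Aug  1 00:00:00 2017 GMT\n"
        "notAfter=Oct 30 00:00:00 2017 GMT\n"),
}


def openssl_fields(path):
    """Run openssl on a PEM file and return its issuer/dates text."""
    out = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-dates", "-in", path],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # With file arguments: audit real certificates; without: show the samples.
    paths = sys.argv[1:]
    texts = [(p, openssl_fields(p)) for p in paths] if paths else SAMPLES.items()
    for name, text in texts:
        milestone, when, action = audit_text(text)
        print("%-16s %-10s %s" % (name, milestone, action))
```

Run it as `python3 audit.py /etc/ssl/site/*.pem` to sweep an inventory; the ten-year certificate mentioned above would come out as "Chrome 66 ... replace before 2018-04-17" if it was issued before June 2016, which is exactly the case attrition will not solve.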

Information for this post came from ZDNet.



Browser Makers Doing What Needs to be Done – Finally

When you log on to a “secure” web site, one that you access via HTTPS:// instead of HTTP://, the padlock appears because the web site presented a certificate it bought from a certificate authority.  Those certificates work because the browsers, all of them, “trust” the certificate authorities that issued them.

How do those certificate authorities become trusted?  Each CA applies to each browser maker’s root program, and each browser maker independently decides whose root certificates to ship.

If one browser, or more than one, decides to stop trusting a certificate authority, then every time a user visits a web site that uses that CA’s certificate they will get an error message saying the certificate is not trusted.  Every single time.

What that means is that if any of the major browser vendors does not trust you, you cannot sell your certificates.

If you know where to look, you can find the list of all the certificate authorities that a browser or operating system trusts.  That used to be a handful of companies, but over time it has mushroomed to a ridiculous number, 150 or more.  For some reason the browser makers have made it incredibly hard for Joe or Jane user to see which root certificates are installed or to remove one of them.
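To see that list without digging through browser menus, here is an added example (written for this page, not from the original post or any browser vendor) that asks Python’s ssl module for the root certificates the default OpenSSL trust store contains and summarises them by country and by name. Assumptions: the summary functions work on the dictionary shape that ssl.SSLContext.get_ca_certs() returns, and the embedded SAMPLE_ROOTS list is constructed for illustration, not a dump of a real store. Two caveats: on Linux, get_ca_certs() only lists roots loaded from a CA bundle file (roots in a hashed directory are loaded lazily), and Firefox ships its own root store, so the count here can differ from what your browser trusts.

```python
"""List and summarise the root certificates a Python/OpenSSL client trusts.

Assumption: each entry is a dictionary as returned by
ssl.SSLContext.get_ca_certs(), whose 'subject' is a tuple of RDNs, each a
tuple of (attribute, value) pairs.  The summary functions only depend on
that structure, so they also run on the constructed sample below.
"""
import ssl
from collections import Counter


def subject_field(cert, key):
    """Return the first value of e.g. 'organizationName' in a cert's subject."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def roots_by_country(certs):
    """Count trusted roots per countryName (key None when the root has none)."""
    return Counter(subject_field(c, "countryName") for c in certs)


def roots_matching(certs, pattern):
    """Common names of roots whose O or CN contains `pattern` (case-insensitive)."""
    pat = pattern.lower()
    hits = []
    for c in certs:
        org = subject_field(c, "organizationName") or ""
        cn = subject_field(c, "commonName") or ""
        if pat in org.lower() or pat in cn.lower():
            hits.append(cn or org)
    return sorted(hits)


def system_roots():
    """The roots the default SSL context trusts on this machine."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample in the same shape get_ca_certs() returns; not a real store dump.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Symantec Corporation"),),
                 (("commonName", "Symantec Class 3 Public Primary Certification Authority - G4"),))},
    {"subject": ((("countryName", "CN"),),
                 (("organizationName", "WoSign CA Limited"),),
                 (("commonName", "Certification Authority of WoSign"),))},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root CA"),))},
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),))},
]


if __name__ == "__main__":
    certs = system_roots() or SAMPLE_ROOTS
    print(len(certs), "trusted root certificates")
    for country, n in roots_by_country(certs).most_common():
        print("  %s: %d" % (country, n))
    # Roots from CAs that have been, or are about to be, distrusted by browsers.
    for name in roots_matching(certs, "symantec") + roots_matching(certs, "wosign"):
        print("  still trusted here:", name)
```

The country breakdown is the quickest way to answer the question the post asks next: how many roots from jurisdictions you would not choose to trust are sitting in your store.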

There is a group called the CA/Browser Forum, made up of CAs and browser makers, that sets the Baseline Requirements certificate authorities are supposed to follow.  The Forum itself does not punish anyone; enforcement is up to each browser’s root program, and the process of disciplining a CA can take years.  Recently, though, the browser makers started getting tough.

Two certificate authorities, WoSign of China and its subsidiary StartCom, were caught not following the rules and were told to fix things.  They didn’t change their behaviour.  So finally, one by one, the browsers started the process of the death sentence.  This week, the last major browser maker said that come September it will no longer trust certificates issued by WoSign and StartCom.

Of course smart people would be asking why the <bleep> we were trusting security certificates from China in the first place.

My answer?  Beats me.  I guess they want to be inclusive.

I would appreciate it if they allowed me to make that decision.  But they figure that I am not smart enough to decide whether I want to trust certificates from China.

For a certificate authority, losing the trust of the browser makers is basically a death sentence – which is why they keep giving certificate authorities that screw up another chance.  Personally, I vote for ONE strike and you are out.

On a related front, one of the biggest U.S. certificate authorities, Symantec (whose certificate business was formerly VeriSign’s), just sold that business to DigiCert.

Symantec/VeriSign has been in the browser makers’ “time out” for a year or two now because of oopsies it has made, like issuing test certificates for google.com domains without Google’s knowledge.  Symantec has been given several chances to clean up its act but does not appear to be getting it right.  Fearing that it would go down the same path WoSign went down and pour a billion-plus-dollar investment down the sewer, this week it sold that business to DigiCert for $950 million plus a minority stake in DigiCert.  This is good for users because DigiCert is well respected, unlike Symantec.

So, while certificate authorities have historically almost never received the death penalty, it appears that the browser makers have had their fill of it and ARE NOT GOING TO TAKE IT ANY MORE!!!

I hope this is the beginning of a trend.  I could do with maybe a dozen trusted certificate authorities.  That would be enough for me.  3 down, one hundred plus to go.

Information for this post came from ZDNet and eWeek.


Symantec Issues More Unvalidated SSL Certificates

Symantec, which is already on probation for improperly issuing SSL certificates, has issued more than a hundred more “illegit” certificates.

SSL certificates, more precisely TLS certificates, are the bits of technology required to make those “secure” web sites work.

Certificates are issued by certificate authorities (CAs), organizations that have supposedly set up processes and controls to issue certificates only to, for example, the real owners of web sites, among many other rules.

The browser makers, who decide which CA root certificates their products trust, have the power to effectively shut down a CA that does not follow the rules, but that almost never happens because it would put the company out of business.

In this most recent case, Symantec was found to have issued at least 108 bogus certificates.  Nine of them were issued without the knowledge of the domain owner; the rest were issued without proper validation of the organization named in them.

Some of these bogus certificates were revoked quickly, but some were not.

Even after a certificate is revoked, there are many situations in which it might still work in a browser: revocation checking is “soft fail” in most browsers, so if the CA’s OCSP or CRL server cannot be reached the certificate is accepted anyway, and Chrome does not perform online revocation checks at all by default.

This is the reason that there are so many rules for CAs to follow.  Only, they don’t always follow them.  It is highly unlikely that anything will happen to Symantec as a result of this second bogus-certificate issue.  In 2015, Symantec issued unauthorized certificates for Google’s domains, among other sites.  Certificates like those would allow an attacker, for example, to stand up a fake GMail site that the browser presents as genuine.  Anyone who visited the fake site and logged in would have his or her GMail credentials compromised, giving the attacker the ability to read all of his or her mail.

The Symantec owned CAs in question are Symantec Trust Network, GeoTrust and Thawte.

After Symantec’s 2015 mistake, Google required Symantec to log every certificate it issues to public Certificate Transparency logs, so that researchers can check on them; that is how these 108 were found.  Whether all of the bogus certificates were caught is open to debate.  Google and the other major browser vendors can dictate to the CAs what they have to do because it is the browsers’ root stores that must accept the CA’s root certificate.  If Google or another browser vendor were to stop trusting Symantec’s roots, as they have done for the Chinese CA WoSign, then every certificate Symantec issues would generate an error message when a user tries to open an HTTPS session with that browser.

Given that Symantec issues so many certificates, it could fall into the “too big to fail” category, making it hard for the browser makers to cut it off outright.

My suggestion is to use a different CA – there are lots of them.  Sending a message with your checkbook is always a prudent practice.

Information for this post came from Ars Technica.


Symantec Anti Virus Security Problems Exposed

Anti-virus software has long been a concern of the security community.  While it endeavors to protect the user’s workstation, in order to do its job it requires a lot of system-level privileges.  This week, at least for Symantec, that came home to roost.

Tavis Ormandy, a researcher from Google, announced that he had found numerous critical security vulnerabilities in Symantec’s suite of anti-virus software.  That suite covers 17 enterprise software products and 8 consumer and small business products.

While some of the bugs are simple, others are fatal and would allow an attacker to remotely control the user’s computer.

One bug would allow an attacker to take over an entire enterprise just by sending an infected file or a link to one, without the user ever opening it.  This is because the anti-virus software has to open and unpack files as they arrive to see whether they are malicious, and that unpacking code, which on Windows runs inside the kernel, is where the flaw lies.

Ormandy says these flaws are “as bad as it gets“.  He is the guy who has made a career out of finding security holes in security software. His previous finds include FireEye, Kaspersky, McAfee, Sophos and Trend Micro – pretty much everyone in the anti-virus business and then some.

While we do not know how actively hackers and foreign governments are exploiting these vulnerabilities, they probably will now if they have not been doing so in the past.

What is not clear is why these vulnerabilities exist at all.  After all, security companies, more than anyone else, should understand the problem of vulnerable software.  Yet, apparently, they do not.

Chris Wysopal of software testing vendor Veracode had a number of comments to make about the situation.  He thinks that at least some of these vulnerabilities would have been detected by the software testing products his company makes.

Symantec has now patched these vulnerabilities, but that doesn’t mean that customers have applied the patches.  It also doesn’t mean that there aren’t other vulnerabilities not yet found.

And since most of this code from Symantec and other vendors like them runs with very high privileges, this software is more likely to put your system at risk than, say, a word processor.

At a minimum, everyone needs to make sure that their anti-virus software is patched as soon as the patches are released.  When a patch is released to you, it is released to the hackers as well, and they will be comparing the old and new code to find what was fixed.

Ormandy says that maybe the anti-virus vendors did not understand that they had a problem, but I have a hard time believing that.  More likely, they figured that they could get away with not spending too much effort at testing their software.  Mr. Ormandy is on a  mission to prove that theory wrong and I think he is doing pretty good at that mission.

Information for this post came from Wired.
