Delaying Further Symantec TLS Certificate Distrust

111 points by lainon, over 6 years ago

15 comments

kevwil, over 6 years ago
If you look at the de-facto vulnerability disclosure standards where a company is contacted with details of a vulnerability and a timeline in which to fix it privately before the security researcher goes public, you'll see that a hard stance gets things fixed properly. How many times has a company ignored the timeline, only to have the vulnerability fixed within hours of it going public? These companies are capable of fixing this cert issue, and are being lazy. They have been warned, and have been given a generous deadline. Zero sympathy for missing it and suffering the consequences. Empty consequences will only teach them to ignore future problems.
frankharv, over 6 years ago
So these 1% sites make Mozilla's certificate revocation plan a 'Too big to fail list'? Sounds like a bad security plan. You are only as strong as your weakest link.

Why are TLS 1.0 and 1.1 still enabled by default in Mozilla? More of the same. Big players don't want to tighten up.
sdeziel, over 6 years ago
One can always go to about:config and set security.pki.distrust_ca_policy to "2" to distrust Symantec TLS certificates. Reference: https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
tyingq, over 6 years ago
"our latest data shows well over 1% of the top 1-million websites are still using a Symantec certificate that will be distrusted"

Is there a list somewhere? I'm curious to see which organizations missed what happened with Symantec.

Edit: Answering my own question. Found a list: https://scotthelme.co.uk/the-final-symantec-distrust-is-coming/ There are a few I recognize, like solidworks.com, ferrari.com, and quite a lot of *.gov.* sites.
kodablah, over 6 years ago
> However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users.

If they haven't already, what reason is there to believe this delay will make them? Just curious if there is another catalyst that will push them beyond cert expiration.
tialaramex, over 6 years ago
Brand impact: If you think you use SSL/TLS certificates from "Thawte", "GeoTrust" or "Verisign" those are all Symantec. You need to pay attention and go read instructions from your reseller or issuer to find out what you need to do. Do it today.

In a few cases your systems might desperately care about those magic brand names, and DigiCert (who now own all these brands) can sort you out if this is the case. In most cases you don't need to worry, just follow instructions.
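A triage script for the advice in the comment above, added here as an example and not part of the thread or of any Mozilla/DigiCert tooling: it flattens the issuer of a server's leaf certificate (as Python's ssl module reports it) and flags the Symantec-family brand names named above. The constructed sample issuers, the marker list and the `check_host` helper are assumptions for illustration.

```python
import socket
import ssl

# Brand names the comment above lists as Symantec-operated, plus Symantec itself.
# Matching on issuer text is a triage heuristic, not the distrust rule: after
# DigiCert took over these brands, certificates re-issued from DigiCert's own
# infrastructure carry the same names but are not distrusted, so a hit means
# "go read your issuer's instructions", not "this site is broken".
SYMANTEC_FAMILY_MARKERS = ("symantec", "thawte", "geotrust", "verisign")


def issuer_fields(cert):
    """Flatten the 'issuer' tuple-of-RDNs from ssl.getpeercert() into a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def is_symantec_family(cert):
    """True if any issuer attribute mentions one of the legacy Symantec brands."""
    issuer_text = " ".join(str(v) for v in issuer_fields(cert).values()).lower()
    return any(marker in issuer_text for marker in SYMANTEC_FAMILY_MARKERS)


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch the server's leaf certificate in the dict form getpeercert() returns.

    A verification error raised here is itself a signal: the local trust store
    already rejects the chain, which is what the distrust will do in browsers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host):
    """Network check for one hostname (assumed helper; not exercised offline)."""
    cert = fetch_leaf_cert(host)
    return {"host": host, "issuer": issuer_fields(cert),
            "symantec_family": is_symantec_family(cert)}


# Constructed samples in the shape getpeercert() produces (not real captures).
SAMPLE_SYMANTEC = {"issuer": ((("countryName", "US"),),
                              (("organizationName", "Symantec Corporation"),),
                              (("commonName", "Symantec Class 3 Secure Server CA - G4"),))}
SAMPLE_DIGICERT = {"issuer": ((("countryName", "US"),),
                              (("organizationName", "DigiCert Inc"),),
                              (("commonName", "DigiCert SHA2 Secure Server CA"),))}

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_SYMANTEC), ("digicert", SAMPLE_DIGICERT)):
        print(label, is_symantec_family(sample))
```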
FooHentai, over 6 years ago
> We prioritize the safety of our users

> However, given the current situation

"We march North!" says man marching South.
oasisbob, over 6 years ago
Is Chrome delaying too? M70 is supposed to contain the distrust change, and last I heard it's scheduled for an October 16 release.
lxe, over 6 years ago
Oh no. I was expecting Mozilla to follow through and then use the fallout as a way to bring attention to the issue and use it as a marketing item for Firefox as a "more secure" browser.
bmurray7jhu, over 6 years ago
To test Chrome with the new behavior, launch with the following command line flags:

    $ google-chrome --flag-switches-begin --enable-features=LegacySymantecPKI --flag-switches-end

Feature flags are global, so make sure that you are launching a new instance of chrome and not opening a new window in an existing instance. Note that a domain's certificate validation status is cached, so you may need to clear history or use incognito mode to test the new business logic.

If you need to re-enable the old behavior after version M70 is released, use the following command line flags:

    $ google-chrome --flag-switches-begin --disable-features=LegacySymantecPKI --flag-switches-end

These command line flags are undocumented and may change at any time.
inetknght, over 6 years ago
> We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users.

It would be nice if the sites were mentioned and contact information posted.

It would be nicer if that information was mentioned directly to the end-user to encourage end-user action toward the site.

And, is it not possible that the sites are fraudulent to begin with?
rolodato, over 6 years ago
I've seen this issue in Firefox Nightly when trying to perform the HSBC UK credit card verification, so it makes sense not to roll it out to the wider public yet.
swixmix, over 6 years ago
Link timing out for me, from archive.org:

https://web.archive.org/web/20181010180016/https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/
the_clarence, over 6 years ago
Thames Water in the UK still hasn't rotated their certificates.
gist, over 6 years ago
This actually shouldn't be something that a company that is giving away a product should even be enforcing or deciding on their own. Reason? It makes the assumption that end users are not willing to accept that in rare cases their traffic can be intercepted, and it further assumes that it matters at all if that traffic is even intercepted. And most importantly it fails to recognize the impact that making a unilateral decision like this has on those who are not impacted at all. Like some random small site (not a top 1m site) that is just providing info and now either has to pay someone to fix it and/or can't have a visitor view their site.

Even in the case of credit card information (or other sensitive data) I would love to know exactly what the probability is of info being stolen. Not hypothetically. But the actual risk.

This idea of 'security at all costs' without looking at the actual cost and/or implementation is not realistic at all and can do more harm (some site not being accessible) than good.