[ChuckMcM]

Pretty much it will decide the question on whether or not the certificate system is even workable. My thesis is that either Symantec will not be able to respond (and so lose their ability to be a root certificate) in which case it will warn other root cert authorities to shape up or lose their business, or they will placate the Google and Chromium teams somehow and show that root cert authorities can be brought to bear.

Or they will ignore Google, continue to create bad certs, and users will start getting instructed by sites that they have to manually add a root certificate in order to use they site, and the entire ecosystem will collapse.

[SEJeff]

Remember google has chrome AND android. I think they're big enough to win this battle if it comes down to that. Symantec is at the clear disadvantage.

[cpncrunch]

>Symantec is at the clear disadvantage.

I'm not sure how they are at a disadvantage if they have supplied 30% of in-use certificates, and are responsible for 42% of all validations.

While I don't condone Symantec's behaviour, I think google is being a bit hypocritical here. Have you ever tried reporting gmail spammers to google?

[SEJeff]

Sans maybe spear phishers, spam campaigns aren't generally ran by oppressive governments. MiTM certs with bogus certs absolutely are, and could result in jail / death.

EFF ftw!

https://ssd.eff.org/

[cpncrunch]

I'm simply pointing out that both companies seem to think they can do what they want, due to having such large market share.

Do we know that Symantec is being malicious, or just lazy like Google's response to spam?

[williamscales]

This is a real security issue and spam isn't.

[gcp]

users will start getting instructed by sites that they have to manually add a root certificate in order to use they site

Or switch browsers. Google needs to (and will) play this so it ends up being unattractive for other browser vendors not to distrust Symantec as well.

[ballenf]

Could actually dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?

I'd much rather be able to say -- 'no, never manually trust a cert', instead of 'well, ok, for now yes in this one case if you're sure there's no typos in the URL... What? Yeah, the text at the top in the little bar... argh'.

I hope I'm missing something here, but even better I hope Symantec and banks get their acts together.

[gcp]

Could actually dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?

Technically, certificate pinning etc can prevent this, but in practice, yes, this is a possible attack vector.

But it has little to do with CA validation. If the user understands how to verify the domain and security of the connection the attack doesn't work, and if he doesn't, the Google vs Symantec situation makes no difference either.

[kakarot]

That's a good insight. Apple and Mozilla don't seem to mind making big decisions for their users on behalf of perceived security threats either, so I imagine only Edge will hold out for long time. Google probably won't lose any market share over this.

[makmanalp]

I think it's likelier that Symantec will start a negative PR campaign, leading its users to yell at google to change things, perhaps calling this FUD. Whether that'll be effective is another question.

[jasode]

>Symantec will start a negative PR campaign, leading its users to yell at google to change things,

It seems Google has the leverage, not Symantec.

A PR awareness campaign is out-of-band information that's separate from the web surfer actually navigating to a site. Millions of users would see a scary message similar to "This site's security certificate is not trusted!"[1].

To prevent scary security popups, which is more likely?

1) The website owners abandon Symantec and switch to a Certificate Authority not flagged by Chrome

or

2) Users get "educated" on Symantec's side of the story and manually add Symantec as a trusted root certificate. (Some can switch browsers but for many non-techies, that's a pain because they have all their bookmarks in Chrome -- and migrating them on mobile phone is not obvious.)

[1] https://www.google.com/search?q=google+chrome+this+site%27s+...

[ergothus]

or

3) Large websites using Symantec certs start telling users Chrome is "broken" and we find out if users will switch browsers, not care about the security, and/or complain to the sites.

I definitely find any variation of #3 to be more likely than #2. I see it as a battle between #1 and #3.

[jasode]

>Large websites using Symantec certs start telling users Chrome is "broken"

I'm having a hard time thinking of a scenario where a large website concludes it's cheaper to convince web shoppers at ecommerce sites and web visitors at news sites to switch to Firefox/IE instead of the website just switching CA vendors.

If you're a website that wants to put up zero friction between buyers submitting their credit-card info and pay you money, why try to "educate" them? If you're a website that wants visitors to see your ads next to your journalists' stories, why make it more difficult than it has to be? Does Symantec as a CA offer up extra benefits that no other CA has such that it makes sense to "train" web visitors to switch browsers?

Of the millions of non-geeks that use Android phones, what % download and use Firefox instead of the default Chrome browser?

[gcp]

This line of reasoning works for banks or commercial entities.

But note, it does not work for governments. They can, and will, put up a red banner instructing the user to install another browser (or in case of Firefox 52, explain how to disable updates so you can keep using NPAPI plugins).

[jasode]

Interesting point. I spot checked CAs for some of the most popular USA government websites.

irs.gov (Internal Revenue Service): Entrust CA

va.gov (Veterans Affairs) : Symantec CA

So if Symantec is the CA for a critical mass of government websites that won't abandon them, Google Chrome could lose this battle.

Without looking at traffic data (e.g Alexa), my intuition says the vast majority of web traffic is not government websites. If Veterans Affairs forces user to switch browsers, I'm guessing people would still use their Chrome browser for all the other websites because that's where all their bookmarks live.

As for non-government websites, I notice that Netflix.com currently has a Symantec Class 3 CA. I'm guessing Netflix would rather switch to another CA.

[caf]

Mozilla has also been putting the hard word on Symantec over this issue, I don't think they'll be too far behind Chromium in taking action.

[phaed]

How will these websites communicate #3? Through the blocked website?

[CountSessine]

Wouldn't they just do what all browser-version-specific websites have done in the past and have an http landing page with a conditional redirect? User agent is IE6, and you progress to ie6.bankofamerica.com. User agent is Chrome/Firefox, progress to webpage with browser version warning and download link for IE6.

[tedunangst]

Maybe after their HSTS header expires. What do they do until then? Or for all the users with https bookmarks?

[tedunangst]

Obviously they get another cert, but only serve it to chrome users via SSL handshake fingerprinting, and serve the Symantec cert to everybody else...

[wtetzner]

I can't tell if you're joking.

Just in case you're not, if they went through all the trouble to get another cert for Chrome, why wouldn't they just use it for everyone?

[tajen]

or

4) Banks require Chrome 55, "here's a download", good thing it's open-source, and we get the IE6 story again.

[kbenson]

To which the response will inevitably be "Communication with the bank can't be trusted" and many people will read as "The bank can't be trusted". I think people will quickly come to the conclusion that the stakes are much higher for them if the bank can't be trusted when they have their money there, compared to the browser being too assertive, and will just move their money. Without definitive knowledge or a good understanding of all the intricacies, that's the safe decision.

Banks know this. Like the CA system, the whole banking system only functions because of trust, and in the US that trust is backed by the government. They aren't going to let that erode. Regardless of whether all their back-end certs get updated, their customer facing ones will if needed.

[Canada]

It would be pointless. Who would listen?

The general public doesn't care about inside baseball. Site operators can't afford not to work perfectly with Chrome.

[fooey]

The PR campaign won't be targeting users, it'll be targeting business/site owners. A user might be annoyed that random sites stop working, but the people who operate those sites will see their traffic fall off a cliff.

The only effective solution to stop the pain will be to switch to a new cert as quickly as possible, and that only hurts Symantec, not Google

[cookiecaper]

Yes. You can't just jeopardize a substantial portion of a large company's revenue stream like this and not expect retaliation. Guaranteed that unless the executive team steps in to reverse this, Google has made itself a few powerful enemies.

Google is playing with fire here. I would expect Symantec and other major business who stand to be negatively affected, especially the extremely large ones that Symantec was accommodating by skirting some of the EV rules, will immediately start pushing for regulations around this process. That's the easiest way for large companies to control this kind of thing.

[tracker1]

"Norton Security Browser" a new free browser with internet security baked in...

[IgorPartola]

It is workable. This gets brought up every time we have an issue like this. The problem is that existing CA's keep fucking up. But the system is clearly working: bad CA's get excluded.

I think the likely result here is more widespread adoption of LE. The point is that CA's shouldn't be businesses.

[tracker1]

Mostly agreed... for the most part, EV certs are meaningless to most people. Wether it's LE, or otherwise.

[endgame]

> brought to bear

I think the idiom you want is "brought to heel".

[bashcoder]

Maybe, but in the meantime I can't imagine a scenario where such a direct financial threat to a business isn't vigorously defended by Symantec. I'm not a lawyer, but certainly they must be working to determine if they have a legal basis for seeking an injunction against Google. They could even be building some sort of legal theory based on tortious business interference, contending that Google is doing irreparable harm by trying to come between Symantec and the expectations of its paying customers.

[NickNameNick]

That seems unlikely if Symantec have indeed violated the CA/B Forum Baseline Requirements that they already agreed to.

[zeveb]

> Or they will ignore Google, continue to create bad certs, and users will start getting instructed by sites that they have to manually add a root certificate in order to use they site, and the entire ecosystem will collapse.

IIRC that's Amazon's answer to 'how should a user install Amazon Prime on Android?' I don't know how successful they've been convincing users to allow installation of untrusted apps (I certainly haven't done it), but … probably more than a few have done it.

[DaiPlusPlus]

Installing apps from other stores on Android is literally a checkbox away - but installing new root certs on computers is considerably harder, or impossible if your computer is locked-down (group policy, etc).

[wiml]

Installing new roots on Macs, iOS, and Android devices is really easy. It's mildly inconvenient on Linux desktops.

[victorhooi]

It's actually no longer possible on Android, without jumping through significant hoops:

https://android-developers.googleblog.com/2016/07/changes-to... https://news.ycombinator.com/item?id=12061320 https://github.com/mitmproxy/mitmproxy/issues/2054

And it's really not the sort of thing your average non-technical user is likely to do - and trust me, having supported these users before, it's likely to go horribly wrong if you try providing steps for them.

[tracker1]

I did it... mainly for amazon's own apps.