[jasode]

>Symantec will start a negative PR campaign, leading its users to yell at google to change things,

It seems Google has the leverage, not Symantec.

A PR awareness campaign is out-of-band information that's separate from the web surfer actually navigating to a site. Millions of users would see a scary message similar to "This site's security certificate is not trusted!"[1].

To prevent scary security popups, which is more likely?

1) The website owners abandon Symantec and switch to a Certificate Authority not flagged by Chrome

or

2) Users get "educated" on Symantec's side of the story and manually add Symantec as a trusted root certificate. (Some can switch browsers but for many non-techies, that's a pain because they have all their bookmarks in Chrome -- and migrating them on mobile phone is not obvious.)

[1] https://www.google.com/search?q=google+chrome+this+site%27s+...

[ergothus]

or

3) Large websites using Symantec certs start telling users Chrome is "broken" and we find out if users will switch browsers, not care about the security, and/or complain to the sites.

I definitely find any variation of #3 to be more likely than #2. I see it as a battle between #1 and #3.

[jasode]

>Large websites using Symantec certs start telling users Chrome is "broken"

I'm having a hard time thinking of a scenario where a large website concludes it's cheaper to convince web shoppers at ecommerce sites and web visitors at news sites to switch to Firefox/IE instead of the website just switching CA vendors.

If you're a website that wants to put up zero friction between buyers submitting their credit-card info and pay you money, why try to "educate" them? If you're a website that wants visitors to see your ads next to your journalists' stories, why make it more difficult than it has to be? Does Symantec as a CA offer up extra benefits that no other CA has such that it makes sense to "train" web visitors to switch browsers?

Of the millions of non-geeks that use Android phones, what % download and use Firefox instead of the default Chrome browser?

[gcp]

This line of reasoning works for banks or commercial entities.

But note, it does not work for governments. They can, and will, put up a red banner instructing the user to install another browser (or in case of Firefox 52, explain how to disable updates so you can keep using NPAPI plugins).

[jasode]

Interesting point. I spot checked CAs for some of the most popular USA government websites.

irs.gov (Internal Revenue Service): Entrust CA

va.gov (Veterans Affairs) : Symantec CA

So if Symantec is the CA for a critical mass of government websites that won't abandon them, Google Chrome could lose this battle.

Without looking at traffic data (e.g Alexa), my intuition says the vast majority of web traffic is not government websites. If Veterans Affairs forces user to switch browsers, I'm guessing people would still use their Chrome browser for all the other websites because that's where all their bookmarks live.

As for non-government websites, I notice that Netflix.com currently has a Symantec Class 3 CA. I'm guessing Netflix would rather switch to another CA.

[gcp]

I believe it is actually a matter of political campaigning in South Korea to get rid of ancient IE ActiveX requirements for government websites.

[rspeer]

It's not just government websites, it's requirements that the government placed on all e-commerce sites in South Korea.

[tialaramex]

The US Federal Government has stated a long term plan to operate a CA in the Web PKI, because after all it does operate a whole shitload of web sites, and it has secure buildings and trustworthy employees needed to run the CA. Like some other government-owned CAs it has offered up front to limit its CA to a TLD it controls anyway (in this case gov) so it won't be offering certificates to the general public.

They don't have a formal proposal yet, such proposals take anywhere from 6-18 months to process once they come out, and so the IRS or Veterans Affairs won't be getting new certificates from them in 2017, but in 2018 that's definitely a possibility.

Of course, a US Federal Government CA in the Web PKI would be problematic for Google, Apple, Microsoft or Mozilla (all US corporations) to distrust later if things go wrong, this is doubtless why they ask to limit to one TLD, defusing concerns in advance...

[caf]

Mozilla has also been putting the hard word on Symantec over this issue, I don't think they'll be too far behind Chromium in taking action.

[phaed]

How will these websites communicate #3? Through the blocked website?

[CountSessine]

Wouldn't they just do what all browser-version-specific websites have done in the past and have an http landing page with a conditional redirect? User agent is IE6, and you progress to ie6.bankofamerica.com. User agent is Chrome/Firefox, progress to webpage with browser version warning and download link for IE6.

[tedunangst]

Maybe after their HSTS header expires. What do they do until then? Or for all the users with https bookmarks?

[CountSessine]

Well, just looking at the Bank of America example, they don't seem to use HSTS in their landing page. How widespread is HSTS? How long is the expiry period typically set for (I would guess a long time?)

Does anyone still use browser bookmarks?

Actually, just thinking about it, it might be even simpler than this. If Bank of America wanted to, couldn't they still host their redirect landing page over SSL with a valid non-Symantec certificate, and then redirect to the ie6.bankofamerica.com page which will continue to use the bad Symantec cert? If switching certs for their web infrastructure was really difficult and they didn't want to do it, they could just build a simple little front-end web server with a valid certificate to redirect people to an IE6 download page or ie6.bankofamerica.com.

[ergothus]

> Does anyone still use browser bookmarks?

This made me cry a little. But on a more serious note, every existing link on the Web is essentially a bookmark, so I don't think we can ignore that when discussing impact. (Though I'm betting all incoming requests could be rerouted more easily than telling your customers to (and how to) install a cert...)

[Shanea93]

HSTS is currently used by 2.8% of all websites, up from 1.2% this time last year. [1] If people are using Qualys SSL Labs tool to check their "grade", they won't be awarded an A+ grade unless their HSTS max-age is at least 6 months [2], so I'm going to assume the average is somewhere close to that due to how common usage of that tool is.

My grandma still uses browser bookmarks, but I have no none-anecdotal source for this.

BoA could absolutely do all the things you just mentioned, but all of them are more difficult than simply replacing their certificate using Comodo or some other trusted root CA.

[1] https://w3techs.com/technologies/details/ce-hsts/all/all

[2] https://community.qualys.com/thread/15972

[tedunangst]

Obviously they get another cert, but only serve it to chrome users via SSL handshake fingerprinting, and serve the Symantec cert to everybody else...

[wtetzner]

I can't tell if you're joking.

Just in case you're not, if they went through all the trouble to get another cert for Chrome, why wouldn't they just use it for everyone?

[agwa]

I suspect it was a joke, but you raise a very important question. Unfortunately, some clients (likely embedded devices) trust only Symantec roots, since that's the CA the website was using at the time the developer slapped together their code.

[tajen]

or

4) Banks require Chrome 55, "here's a download", good thing it's open-source, and we get the IE6 story again.