Pretty much it will decide the question on whether or not the certificate system is even workable. My thesis is that either Symantec will not be able to respond (and so lose their ability to be a root certificate) in which case it will warn other root cert authorities to shape up or lose their business, or they will placate the Google and Chromium teams somehow and show that root cert authorities can be brought to bear.
Or they will ignore Google, continue to create bad certs, and users will start getting instructed by sites that they have to manually add a root certificate in order to use they site, and the entire ecosystem will collapse.
Sans maybe spear phishers, spam campaigns aren't generally ran by oppressive governments. MiTM certs with bogus certs absolutely are, and could result in jail / death.
Could actually dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?
I'd much rather be able to say -- 'no, never manually trust a cert', instead of 'well, ok, for now yes in this one case if you're sure there's no typos in the URL... What? Yeah, the text at the top in the little bar... argh'.
I hope I'm missing something here, but even better I hope Symantec and banks get their acts together.
Could actually dodgy sites then imitate bank websites, ask the same of users and then commit a MITM attack?
Technically, certificate pinning etc can prevent this, but in practice, yes, this is a possible attack vector.
But it has little to do with CA validation. If the user understands how to verify the domain and security of the connection the attack doesn't work, and if he doesn't, the Google vs Symantec situation makes no difference either.
That's a good insight. Apple and Mozilla don't seem to mind making big decisions for their users on behalf of perceived security threats either, so I imagine only Edge will hold out for long time. Google probably won't lose any market share over this.
I think it's likelier that Symantec will start a negative PR campaign, leading its users to yell at google to change things, perhaps calling this FUD. Whether that'll be effective is another question.
>Symantec will start a negative PR campaign, leading its users to yell at google to change things,
It seems Google has the leverage, not Symantec.
A PR awareness campaign is out-of-band information that's separate from the web surfer actually navigating to a site. Millions of users would see a scary message similar to "This site's security certificate is not trusted!"[1].
To prevent scary security popups, which is more likely?
1) The website owners abandon Symantec and switch to a Certificate Authority not flagged by Chrome
or
2) Users get "educated" on Symantec's side of the story and manually add Symantec as a trusted root certificate. (Some can switch browsers but for many non-techies, that's a pain because they have all their bookmarks in Chrome -- and migrating them on mobile phone is not obvious.)
3) Large websites using Symantec certs start telling users Chrome is "broken" and we find out if users will switch browsers, not care about the security, and/or complain to the sites.
I definitely find any variation of #3 to be more likely than #2. I see it as a battle between #1 and #3.
>Large websites using Symantec certs start telling users Chrome is "broken"
I'm having a hard time thinking of a scenario where a large website concludes it's cheaper to convince web shoppers at ecommerce sites and web visitors at news sites to switch to Firefox/IE instead of the website just switching CA vendors.
If you're a website that wants to put up zero friction between buyers submitting their credit-card info and pay you money, why try to "educate" them? If you're a website that wants visitors to see your ads next to your journalists' stories, why make it more difficult than it has to be? Does Symantec as a CA offer up extra benefits that no other CA has such that it makes sense to "train" web visitors to switch browsers?
Of the millions of non-geeks that use Android phones, what % download and use Firefox instead of the default Chrome browser?
This line of reasoning works for banks or commercial entities.
But note, it does not work for governments. They can, and will, put up a red banner instructing the user to install another browser (or in case of Firefox 52, explain how to disable updates so you can keep using NPAPI plugins).
Interesting point. I spot checked CAs for some of the most popular USA government websites.
irs.gov (Internal Revenue Service): Entrust CA
va.gov (Veterans Affairs) : Symantec CA
So if Symantec is the CA for a critical mass of government websites that won't abandon them, Google Chrome could lose this battle.
Without looking at traffic data (e.g Alexa), my intuition says the vast majority of web traffic is not government websites. If Veterans Affairs forces user to switch browsers, I'm guessing people would still use their Chrome browser for all the other websites because that's where all their bookmarks live.
As for non-government websites, I notice that Netflix.com currently has a Symantec Class 3 CA. I'm guessing Netflix would rather switch to another CA.
The US Federal Government has stated a long term plan to operate a CA in the Web PKI, because after all it does operate a whole shitload of web sites, and it has secure buildings and trustworthy employees needed to run the CA. Like some other government-owned CAs it has offered up front to limit its CA to a TLD it controls anyway (in this case gov) so it won't be offering certificates to the general public.
They don't have a formal proposal yet, such proposals take anywhere from 6-18 months to process once they come out, and so the IRS or Veterans Affairs won't be getting new certificates from them in 2017, but in 2018 that's definitely a possibility.
Of course, a US Federal Government CA in the Web PKI would be problematic for Google, Apple, Microsoft or Mozilla (all US corporations) to distrust later if things go wrong, this is doubtless why they ask to limit to one TLD, defusing concerns in advance...
Wouldn't they just do what all browser-version-specific websites have done in the past and have an http landing page with a conditional redirect? User agent is IE6, and you progress to ie6.bankofamerica.com. User agent is Chrome/Firefox, progress to webpage with browser version warning and download link for IE6.
Well, just looking at the Bank of America example, they don't seem to use HSTS in their landing page. How widespread is HSTS? How long is the expiry period typically set for (I would guess a long time?)
Does anyone still use browser bookmarks?
Actually, just thinking about it, it might be even simpler than this. If Bank of America wanted to, couldn't they still host their redirect landing page over SSL with a valid non-Symantec certificate, and then redirect to the ie6.bankofamerica.com page which will continue to use the bad Symantec cert? If switching certs for their web infrastructure was really difficult and they didn't want to do it, they could just build a simple little front-end web server with a valid certificate to redirect people to an IE6 download page or ie6.bankofamerica.com.
This made me cry a little. But on a more serious note, every existing link on the Web is essentially a bookmark, so I don't think we can ignore that when discussing impact. (Though I'm betting all incoming requests could be rerouted more easily than telling your customers to (and how to) install a cert...)
HSTS is currently used by 2.8% of all websites, up from 1.2% this time last year. [1] If people are using Qualys SSL Labs tool to check their "grade", they won't be awarded an A+ grade unless their HSTS max-age is at least 6 months [2], so I'm going to assume the average is somewhere close to that due to how common usage of that tool is.
My grandma still uses browser bookmarks, but I have no none-anecdotal source for this.
BoA could absolutely do all the things you just mentioned, but all of them are more difficult than simply replacing their certificate using Comodo or some other trusted root CA.
BoA could absolutely do all the things you just mentioned, but all of them are more difficult than simply replacing their certificate using Comodo or some other trusted root CA.
That depends on the design of the site and their business policies. I agree though - for any sensible organization switching certs is going to be easier. But if that was really the case here, why were they asking Symantec for special favours?
I suspect it was a joke, but you raise a very important question. Unfortunately, some clients (likely embedded devices) trust only Symantec roots, since that's the CA the website was using at the time the developer slapped together their code.
To which the response will inevitably be "Communication with the bank can't be trusted" and many people will read as "The bank can't be trusted". I think people will quickly come to the conclusion that the stakes are much higher for them if the bank can't be trusted when they have their money there, compared to the browser being too assertive, and will just move their money. Without definitive knowledge or a good understanding of all the intricacies, that's the safe decision.
Banks know this. Like the CA system, the whole banking system only functions because of trust, and in the US that trust is backed by the government. They aren't going to let that erode. Regardless of whether all their back-end certs get updated, their customer facing ones will if needed.
The PR campaign won't be targeting users, it'll be targeting business/site owners. A user might be annoyed that random sites stop working, but the people who operate those sites will see their traffic fall off a cliff.
The only effective solution to stop the pain will be to switch to a new cert as quickly as possible, and that only hurts Symantec, not Google
Yes. You can't just jeopardize a substantial portion of a large company's revenue stream like this and not expect retaliation. Guaranteed that unless the executive team steps in to reverse this, Google has made itself a few powerful enemies.
Google is playing with fire here. I would expect Symantec and other major business who stand to be negatively affected, especially the extremely large ones that Symantec was accommodating by skirting some of the EV rules, will immediately start pushing for regulations around this process. That's the easiest way for large companies to control this kind of thing.
It is workable. This gets brought up every time we have an issue like this. The problem is that existing CA's keep fucking up. But the system is clearly working: bad CA's get excluded.
I think the likely result here is more widespread adoption of LE. The point is that CA's shouldn't be businesses.
Maybe, but in the meantime I can't imagine a scenario where such a direct financial threat to a business isn't vigorously defended by Symantec. I'm not a lawyer, but certainly they must be working to determine if they have a legal basis for seeking an injunction against Google. They could even be building some sort of legal theory based on tortious business interference, contending that Google is doing irreparable harm by trying to come between Symantec and the expectations of its paying customers.
> Or they will ignore Google, continue to create bad certs, and users will start getting instructed by sites that they have to manually add a root certificate in order to use they site, and the entire ecosystem will collapse.
IIRC that's Amazon's answer to 'how should a user install Amazon Prime on Android?' I don't know how successful they've been convincing users to allow installation of untrusted apps (I certainly haven't done it), but … probably more than a few have done it.
Installing apps from other stores on Android is literally a checkbox away - but installing new root certs on computers is considerably harder, or impossible if your computer is locked-down (group policy, etc).
And it's really not the sort of thing your average non-technical user is likely to do - and trust me, having supported these users before, it's likely to go horribly wrong if you try providing steps for them.
Or they will ignore Google, continue to create bad certs, and users will start getting instructed by sites that they have to manually add a root certificate in order to use they site, and the entire ecosystem will collapse.