With Chrome 70, hundreds of popular websites are about to break

Google, what a pal!

https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

On 2018-10-09, anon wrote:
Google, what a pal!

https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

The security certificate provider Symantec proved to be highly insecure and
incompetent, and you blame Google for removing them from its list of
trusted security certificate providers?
Your committment to security is noted.

It happens that William Unruh formulated :
On 2018-10-09, anon wrote:
Google, what a pal!

https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

The security certificate provider Symantec proved to be highly
insecure and incompetent, and you blame Google for removing them from
its list of trusted security certificate providers?
Your committment to security is noted.

Google is also culpable. But I am happy to see that I have offended
a Google employee.

On 09/10/2018 18.35, anon wrote:
It happens that William Unruh formulated :
On 2018-10-09, anon wrote:
* Google, what a pal!

https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

The security certificate provider Symantec proved to be highly
insecure and incompetent, and you blame Google for removing them from
its list of trusted security certificate providers? Your committment
to security is noted.

*Google is also culpable.* But I am happy to see that I have offended a
Google employee.

In what exactly is google culpable about this certificate issue?

--
Cheers, Carlos.

On 9/10/18 15:41, anon wrote:
*Google, what a pal!

https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

You do realize that Symantec was just allowing third parties to issue
certificates without the required overview? In essence, that just breaks
all the trust in the whole CA system (which has always been broken to
begin with, but, okay).

I'm not a fan of google, but here they actually do the right thing for once.

On 10/09/2018 07:41 AM, anon wrote:
*Google, what a pal!

I've heard that Firefox, Internet Explorer, and I think Safari, are also
dropping Symmantec's root CA.

This is not just Google being evil.



--
Grant. . . .
unix || die

On 2018-10-09, Carlos E.R. wrote:
On 09/10/2018 18.35, anon wrote:
It happens that William Unruh formulated :
On 2018-10-09, anon wrote:
Â* Google, what a pal!

https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

The security certificate provider Symantec proved to be highly
insecure and incompetent, and you blame Google for removing them from
its list of trusted security certificate providers? Your committment
to security is noted.

Â*Google is also culpable.Â* But I am happy to see that I have offended a
Google employee.

In what exactly is google culpable about this certificate issue?


And who is this Google employee you have offended?

On 10/9/18 10:40 PM, Grant Taylor wrote:
On 10/09/2018 07:41 AM, anon wrote:
Â*Â*Google, what a pal!

I've heard that Firefox, Internet Explorer, and I think Safari, are also
dropping Symmantec's root CA.

Yes, Mozilla will also drop support for Symantec root CA certificates as
indicated in the following blog post:

https://blog.mozilla.org/security/20...-certificates/


This is not just Google being evil.

The evil party is Symantec and no one else and if you won't be able to
access a site, then you know the one running the site don't care about
your privacy.


--

//Aho

On 10/09/2018 03:17 PM, J.O. Aho wrote:
… you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed. I wish I had known!!!" after
browsers drop support for the Symantec CA.



--
Grant. . . .
unix || die

In article
William Unruh wrote:

On 2018-10-09, Carlos E.R. wrote:
On 09/10/2018 18.35, anon wrote:
It happens that William Unruh formulated :
On 2018-10-09, anon wrote:
 Google, what a pal!

https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

The security certificate provider Symantec proved to be highly
insecure and incompetent, and you blame Google for removing them from
its list of trusted security certificate providers? Your committment
to security is noted.

 Google is also culpable. But I am happy to see that I have offended a
Google employee.

In what exactly is google culpable about this certificate issue?


And who is this Google employee you have offended?

The evil voices in his head?

On 10/10/18 12:18 AM, Grant Taylor wrote:
On 10/09/2018 03:17 PM, J.O. Aho wrote:
then you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.
If you manage to miss this for a such long time, you don't really care
about anything, you just have a certificate as everyone else has it or
there is a regulation that mandates you to have one without really
knowing why. IMHO it's the same as not caring.

--

//Aho

On 10/10/2018 06.45, J.O. Aho wrote:
On 10/10/18 12:18 AM, Grant Taylor wrote:
On 10/09/2018 03:17 PM, J.O. Aho wrote:
then you know the one running the site don't care about your privacy.

I disagree.

I've run into *WAY* too many … barely competent (I'm being nice)
webmasters that don't know that they need to change the TLS certificate.

Their competency level does not directly correlate / translate to them
not caring about your privacy.

I'd bet that a lot of them will say something along the lines of "Oh
REDACTED! I need to get this changed.Â* I wish I had known!!!" after
browsers drop support for the Symantec CA.

I would say it's a poor excuse, the information has been shared by the
browser maintainers for a long time.

And you assume that they read those? Why?
Me, I found out this week.

If you manage to miss this for a such long time, you don't really care
about anything, you just have a certificate as everyone else has it or
there is a regulation that mandates you to have one without really
knowing why. IMHO it's the same as not caring.

No, I do not agree.

--
Cheers, Carlos.

"Grant Taylor" wrote

| . you know the one running the site don't care about your privacy.
|
| I disagree.
|
| Their competency level does not directly correlate / translate to them
| not caring about your privacy.
|

That's true, but it doesn't change the fact that
he's correct in general. Look at any website you
normally visit. It's very likely there's at least code
there for Google tracking, and probably code for
Google ads. In most cases there are completely
unnecessary fonts and scripts pulled in from
elsewhere. And often there are tracker spyware
beacons from the likes of scorecardresearch.com.

You could say that those webmasters care about
your privacy and just don't know any better, but
that's really not tenable. Anyone who knows enough
to paste in Google tracking code has a basic idea
of what's going on. *They don't care about your
privacy.* They'd probably start yapping about
tinfoil hats if you even mentioned it to them.
It's a simple case of smallmindedness. They can't
be bothered to really think about what they're doing.
They're just trying to make snazzy sites and get
paid as much as possible. They can get paid more if
they sell you out to Google. And like any smallminded
person, they justify that in their own minds by
thinking, "So what? Everyone's doing it." If anyone
wants to make them think about what they're
doing, they drown it out with, "TINFOIL HAT!"

In the process, they play into corporate tracking
by jumping on every halfwit javascript bandwagon
that hobbles by. "71 dynamically loaded fonts that
all look the same? What a great idea! How can I do
that? Load Google slop remotely? Count me in! That is
sooooo cooool!"

Last night I visited a site I found in a Michael
Pollan book: csp.org. Council on Spiritual Practices.
They're some kind of clearing house for ideas about
psychedelic drugs and religious experience. Sounded
interesting. It's people who want to experience life
more fully, deeply and joyfully. And they think there
might be a correlation between what chemicals like
psilocybin do and what advanced meditation
techniques do. A bit of a 60s, consumer-goes-
shopping-for-spirituality-on-sale rehash. But I was
curious what they're up to. Ironically, their webpage
was entirely broken. Entirely unnecessarily. And they
don't care about your privacy.

They pull in a 4.4 MB js file just to do basic things
like load pages from an anchor tag. The internal
links don't work without script! The script is coming
from Cloudfront. They also have Google-Analytics code.
So both Google and Amazon would be tracking me if
I allowed script.

The https might be stopping my ISP from reading
the page I visit, but Google and Amazon are infesting
the page unnecessarily!

....On the other hand, why are Chrome users talking
about privacy? Worrying about https in Chrome, aside
from sites where you give out a credit card number, is
like alcoholics worrying about whether coffee might
cause liver damage. Can you say "denial"?

"Carlos E.R." wrote

| If you manage to miss this for a such long time, you don't really care
| about anything, you just have a certificate as everyone else has it or
| there is a regulation that mandates you to have one without really
| knowing why. IMHO it's the same as not caring.
|
| No, I do not agree.
|

If you bought the certificate directly then why
wouldn't you have looked into that? Personally I
care about privacy but only regard https as a
nice extra. My webhost handles that and I don't
know where they're getting the certificate. But
if you buy it yourself you should know what you're
buying. And who doesn't know to avoid Symantec?
They've got a shady history going all the way back
to the 90s.

A similar example would be Wordpress denizens.
They use Wordpress for hosting because they don't
know what they're doing. Then they use script
gadgets that WP provides. Then they don't update
them because they don't know it matters, so WP
ends up being a slum of risky websites.
Should they know what they're doing? Of course.
Though WP is partially to blame. If they're going to
enable people with no knowledge to create websites
then they should also be handling things like updating
gadget code when fixes are written.

But I think in a lot of cases websites are being
created mainly by graphic artists who are not
tech-educated. They've just come up with tools
to "get around that problem". With all the WYSIWYG
tools available, people just don't need to know what
they're doing. They're like microwave chefs.

On 10/10/2018 15.28, Mayayana wrote:
"Carlos E.R." wrote

| If you manage to miss this for a such long time, you don't really care
| about anything, you just have a certificate as everyone else has it or
| there is a regulation that mandates you to have one without really
| knowing why. IMHO it's the same as not caring.
|
| No, I do not agree.
|

If you bought the certificate directly then why
wouldn't you have looked into that? Personally I
care about privacy but only regard https as a
nice extra. My webhost handles that and I don't
know where they're getting the certificate. But
if you buy it yourself you should know what you're
buying. And who doesn't know to avoid Symantec?

I don't.

They've got a shady history going all the way back
to the 90s.

News to me. O:-)

I used PCtools back then and it was a wonderful tool. I think I also
used an antivirus from them at some point.

Later on I switched to Linux, so most Windows software companies are
irrelevant to me.


A similar example would be Wordpress denizens.
They use Wordpress for hosting because they don't
know what they're doing. Then they use script
gadgets that WP provides. Then they don't update
them because they don't know it matters, so WP
ends up being a slum of risky websites.
Should they know what they're doing? Of course.
Though WP is partially to blame. If they're going to
enable people with no knowledge to create websites
then they should also be handling things like updating
gadget code when fixes are written.

Why should they know? If I'm a garage owner and they talk me into paying
for a web site to announce my garage, it is very possible that I know
nothing about computers beyond reading my email.

I know people that own Windows computers with updates disabled for two
or more years. Possibly the person that installed Windows disabled the
updates because otherwise they would get phone calls everyday, LOL.

So yes, what google or firefox do blocking those web sites with those
certificates is the correct thing to do.

But I think in a lot of cases websites are being
created mainly by graphic artists who are not
tech-educated. They've just come up with tools
to "get around that problem". With all the WYSIWYG
tools available, people just don't need to know what
they're doing. They're like microwave chefs.

Exactly.



--
Cheers, Carlos.