Chrome reporting site certificate as invalid

Discussion in 'Feedback' started by CaptainCalamari, Oct 28, 2018.

  1. kelemvor

    kelemvor Big Fleshy Monster ScubaBoard Supporter

    # of Dives: 100 - 199
    Location: Largo, FL USA
    Seems a bit over the top for a message board to me...

    Kind of crappy for browsers to arbitrarily declare well-known CAs as black sheep and tell users about it. I would be surprised if there wasn't a lawsuit already involved.
     
  2. kelemvor

    kelemvor Big Fleshy Monster ScubaBoard Supporter

    # of Dives: 100 - 199
    Location: Largo, FL USA
    I love SB but not enough to use Edge...

    If you get the error, you can just click the button to ignore the error. It smacks of a political stunt by browser manufacturers to me. It's not like they've blacklisted "Joe's Used Digital Certificates and Toothbrushes".
    For what it's worth, a consortium of browser manufacturers has blocked the following certificate authorities.

    Symantec, GeoTrust, RapidSSL, Thawte, and VeriSign

    Of course, VeriSign is only the biggest root CA in the world.. no harm though, right?

    As a website owner your only options are 1. lose traffic from Chrome and FF users or 2. buy a cert from some other company and hope the eventual lawsuit takes care of it (if you even care after paying for a second cert).

    Here are the details: Distrust of Symantec TLS Certificates


    It's part of a long-running feud between Google and Symantec. Google has apparently successfully recruited Mozilla (maybe others?) to join them. Google is fighting with Symantec over encrypting the internet

    Google's published details make it sound on the surface like their motives are altruistic....until you realize that Google owns a CA that competes with Symantec (and the others). Guess what? Google Internet Authority G2 isn't blocked anywhere :wink:. Oh, and as if Google has never been hacked. No business that has an internet connection has never been hacked - unless you just haven't been noticed (yet).

    Children of unwed mothers, Google.

    What it boils down to is that default permissions for sites who have paid someone "trusted" by Google or Mozilla for a certificate are more lenient than for sites who have not. This is because all a certificate does is (supposedly) identify one end of a connection. Your browser then decides to negotiate a secure connection (or not). It's entirely possible to use SSL or TLS with your own cert, or no cert at all.

    This is an effort to crush their largest competitor in the certificate sales space - nothing more.

    /rant.

    sorry
     
    stuartv likes this.
  3. Insta-Gator

    Insta-Gator Blue Whale

    # of Dives: 200 - 499
    Location: West Villages, Florida
    Nice rant. :wink: .
     
  4. stuartv

    stuartv Seeking the Light

    # of Dives: 200 - 499
    Location: Manassas, VA
    I'm using a MacBook Pro (which I hate, BTW - and it seems like this is one reason why).

    If this were Windows, I believe I could just select the GeoTrust root cert and add it to my Trusted CA certs on my local machine and this error would go away. Or something like that.

    I can't find any way to do the equivalent thing on macOS. Does anybody know if there is a way? I checked in the Keychain Access app and the GeoTrust Global CA is already there. I guess the issue is that Chrome is making its own decision about what CAs to trust? Is there really no way to manually change what CAs Chrome trusts?
     
  5. Sean Walberg

    Sean Walberg Nassau Grouper

    # of Dives: 25 - 49
    Location: Northern Virginia
    Check out Max's link, the Chrome team is doing this as a gradual rollout over a few weeks.
     
  6. kelemvor

    kelemvor Big Fleshy Monster ScubaBoard Supporter

    # of Dives: 100 - 199
    Location: Largo, FL USA
    No. They've actually got something coded into the browsers to browbeat users on the issue. You can probably go into about:config in Firefox and turn that "feature" off. Maybe. It's very much like what was done with Flash - and why I used a fork of Firefox called Waterfox for several years (which still supports Flash).

    The only reason I'm aware of this issue that I ranted about is because I clicked on the "details" link Firefox provided when I visited scubaboard.com. Then I did a lot of reading. If you click that link, Firefox (Mozilla) will tell you all about it from their perspective.
     
  7. TrimixToo

    TrimixToo Regular of the Pub

    # of Dives: 200 - 499
    Location: New York State
    This should have surprised NO website operator, since they started warning people some time ago (like a year or more). The reason they are doing it is not arbitrary, or capricious. It does force people to get new SSL certs, but in many or most cases they would need new ones anyway, because they expire. They just have to get them from a CA that follows the industry practices for vetting website owners.

    It's unfortunate that a company that apparently acquired a number of moderately pervasive CAs seems not to have followed accepted practices, causing a large number of certificates to become untrusted, and the browser owners, as far as I know, have no dog in the "who sells SSL certs" fight.* But, I'll admit that I have not followed the money to be able to assert that last point. In the meantime, the browser owners are doing what they are doing, and they provided plenty of notice, but it's always the case with stuff like this that "someone or another" doesn't get the message (shrug).

    The whole key security thing is essential to being able to trust someone who asserts (via an SSL server cert) that they are who they say they are. A remarkable number of creative hacks are possible on malicious websites. It's not merely the content of SB you should worry about, but the content and security of your own computer. If you do online banking on the same computer you use for SB, for example, you should be *glad* that this level of security exists and is being used for SB.

    *Edit: One of the major emerging players here is DigiCert, which is privately held.
     
    Insta-Gator likes this.
  8. kelemvor

    kelemvor Big Fleshy Monster ScubaBoard Supporter

    # of Dives: 100 - 199
    Location: Largo, FL USA
    [Attached image: upload_2018-11-15_16-6-45.png]
    As you can see, the root certs are still installed by default. They just aren't allowed to function.

    Google owns a root CA that is not included in the ban. The CA is called Google Internet Authority G2 and their website is Google Internet Authority G2 – Google.
    Mozilla does not own their own CA. However, nearly 100% of the Mozilla foundation's funding comes from (wait for it) Google! Evidence: So Why Is Google Funding Its Own Competition In The Firefox OS?

    I don't believe in coincidences like that.
     
  9. stuartv

    stuartv Seeking the Light

    # of Dives: 200 - 499
    Location: Manassas, VA
    That is my beef. That the root certs in my key chain are not being allowed to function.

    It's my computer. If I want to trust GeoTrust, who is effing Google to tell me I can't?!? They're just providing me a browser. The browser should respect my machine's settings for trusted certs.

    If Apple wanted to issue an OS update to remove certain trusted root certs, then that is something I might consider reasonable. But, for Google to take it upon themselves to make their browser ignore my system settings for trusted root certs is, well, I basically agree with @kelemvor. This is self-serving BS.
     
  10. TrimixToo

    TrimixToo Regular of the Pub

    # of Dives: 200 - 499
    Location: New York State
    I understand how the trust store works, thanks. On the rest, we will have to agree to disagree. And, I am happy the browser owners are doing what they are doing. A chain of trust should be, well, trustworthy.
     
    Insta-Gator and Sean Walberg like this.
