Chrome reporting site certificate as invalid

Discussion in 'Feedback' started by CaptainCalamari, Oct 28, 2018.

  1. kelemvor

    kelemvor Big Fleshy Monster ScubaBoard Supporter

    It's like the Cozumel taxi mafia...on the internet!
     
  2. stuartv

    stuartv Seeking the Light

    Yes, but modifications to the trusted root certs should come as security updates from the OS provider - not as hacks in browsers that prevent my machine from working the way I have it configured and intend for it to work.
     
  3. kelemvor

    kelemvor Big Fleshy Monster ScubaBoard Supporter

    On that, we agree. I take exception to someone else making that decision for me and depriving me of the option to decide for myself who I trust. The obviousness of the financial motive is also a problem.

    Also, encryption can be done without certs. Have done it. It's a false co-dependency that has been pushed upon the masses. Certs (do their best to) guarantee identity.

    What should have happened? The root CAs with exposed keys should have been immediately re-issued and certificates issued based on those roots should have been replaced. Then nobody really loses, except whoever is exploiting the hack that is being blamed as the root cause here. If this were the scenario, as you say, scubaboard and other sites would have installed new certs before or at expiration time and nobody would have cared. That's not how it played out though...
     
  4. TrimixToo

    TrimixToo Regular of the Pub

    As long as the root CA cert is trusted, all the unexpired certs of any description are also trusted. Some of those have longer typical lifespans than SSL server certs. SB and other sites *could* have installed new SSL server certs over the past year that are verified using any number of still-trusted root CA certs (many from CAs other than those in which a browser owner or contributor might happen to have a financial interest, and many of them are also installed by default by browser owners). But those that did not are now exposed as having not done so, which inconveniences the users of those sites. If you look in your trust store, you will likely find any number of root CA certs there from independent but thought to be trustworthy CAs. Geotrust, which issued the cert for SB, is not among those thought trustworthy.

    We agree that the SSL certs should have been replaced before they expired or were actively distrusted. We don't appear to agree on how that should have been done. I'm still OK with agreeing to disagree on that because I think the industry is doing the right thing even if it causes some inconvenience here and there (as, by the way, it rather significantly did for the company I work for, which is not connected with SB or DigiCert or any of the browser owners, and for a number of our clients).
     
    kelemvor likes this.
  5. Sean Walberg

    Sean Walberg Nassau Grouper

    TLS's goal was far more than encryption. It's about trust and data integrity. Certificates ensure you're talking to the person you think you're talking to. If you don't have that, encryption is irrelevant.

    This was never about a root CA having exposed keys. Symantec was shown to have serious problems in the way they verified the people requesting certificates, issued many certificates that were found to be fraudulently obtained, and that's only the ones we know about. They never fixed their problems, and after escalating penalties, browsers decided they were going to stop trusting them. Symantec decided to sell off their business because they couldn't do it right.

    The certs that are not being trusted are those that were issued during the period where Symantec had the problems, and includes CAs down the trust chain that also had problems. New certs are fine. They're not trying to put anyone out of business.

    The problem is that the browser can't say with a straight face that any site bearing a certificate from that period and CA is who they say it is, no matter if it's Scuba Board or a bank.

    And this isn't just a browbeating by browsers against a company, it's actually improved the state of the art. Certificate transparency, for instance, now makes it much more difficult for a bad CA to get a cert issued without people knowing.
     
    TrimixToo likes this.
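
As an added example (not part of any post in this thread): a small Python audit a site operator could run to catch both situations discussed above, a certificate issued by a distrusted CA and one close to expiry. It takes dictionaries shaped like the ones `ssl.SSLSocket.getpeercert()` returns; the CA names come from the thread, while the cutoff date, the sample certificates and the function names are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# CA names as mentioned in the thread; the cutoff is a constructed placeholder
# (the thread gives no dates) and must be set from the browser vendor's notice.
DISTRUSTED_ORGS = ("symantec", "geotrust")
PLACEHOLDER_CUTOFF = datetime(2018, 1, 1, tzinfo=timezone.utc)

def issuer_org(cert):
    """Return the issuer's organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):      # issuer is a tuple of RDNs
        for key, value in rdn:              # each RDN is a tuple of (key, value)
            if key == "organizationName":
                return value
    return ""

def cert_time(text):
    """Parse 'Oct 20 00:00:00 2016 GMT' into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def audit_cert(cert, now, renew_days=30, cutoff=PLACEHOLDER_CUTOFF):
    """Return findings for one leaf certificate; an empty list means no action."""
    findings = []
    issued, expires = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
    org = issuer_org(cert).lower()
    # Distrust depends on who issued the cert and when, not on its expiry date.
    if issued < cutoff and any(name in org for name in DISTRUSTED_ORGS):
        findings.append("issuer-distrusted")
    if expires <= now:
        findings.append("expired")
    elif (expires - now).days < renew_days:
        findings.append("renew-soon")
    return findings

def _sample(org, not_before, not_after):    # constructed test data, not real certs
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "notBefore": not_before, "notAfter": not_after}

SAMPLES = {
    "old-geotrust": _sample("GeoTrust Inc.", "Oct 20 00:00:00 2016 GMT", "Oct 20 23:59:59 2019 GMT"),
    "expiring":     _sample("Example CA",    "Sep 01 00:00:00 2018 GMT", "Nov 10 00:00:00 2018 GMT"),
    "reissued":     _sample("GeoTrust Inc.", "Mar 01 00:00:00 2018 GMT", "Mar 01 00:00:00 2020 GMT"),
}
NOW = datetime(2018, 10, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, audit_cert(cert, NOW))
```

The first sample has a year of validity left and is still flagged, which is the case that catches sites out: a distrusted certificate stops working well before its expiry date.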
  6. wsr523

    wsr523 Angel Fish

    All this tech talk is good and all but I just want to know if I'll ever get to look at Scubaboard on my phone again???
     
  7. TrimixToo

    TrimixToo Regular of the Pub

    Damifino. But if we can do it underwater, shouldn't we move this to one of the tech forums?
     
  8. wsr523

    wsr523 Angel Fish

    Yesssss! Thank you to whoever fixed this problem, I can now look at Scubaboard on my phone again!
     
    Sean Walberg and scubadada like this.
  9. scubadada

    scubadada Diver Staff Member ScubaBoard Supporter

    Yay, I'm back in business on my phone and tablet :)
     
  10. Insta-Gator

    Insta-Gator Blue Whale

    :clapping: good job.


    :yeahbaby:
     