Chrome reporting site certificate as invalid


It's like the Cozumel taxi mafia...on the internet!
 
I understand how the trust store works, thanks. On the rest, we will have to agree to disagree. And, I am happy the browser owners are doing what they are doing. A chain of trust should be, well, trustworthy.

Yes, but modifications to the trusted root certs should come as security updates from the OS provider - not as hacks in browsers that prevent my machine from working the way I have it configured and intend for it to work.
 
> A chain of trust should be, well, trustworthy.
On that, we agree. I take exception to someone else making that decision for me and depriving me of the option to decide for myself who I trust. The obviousness of the financial motive is also a problem.

Also, encryption can be done without certs. Have done it. It's a false co-dependency that has been pushed upon the masses. Certs (do their best to) guarantee identity.

What should have happened? The root CAs with exposed keys should have been immediately re-issued, and certificates issued based on those roots should have been replaced. Then nobody really loses, except whoever is exploiting the hack that is being blamed as the root cause here. If this were the scenario, as you say, ScubaBoard and other sites would have installed new certs before or at expiration time and nobody would have cared. That's not how it played out though...
 
> On that, we agree. I take exception to someone else making that decision for me and depriving me of the option to decide for myself who I trust. The obviousness of the financial motive is also a problem.
>
> Also, encryption can be done without certs. Have done it. It's a false co-dependency that has been pushed upon the masses. Certs (do their best to) guarantee identity.
>
> What should have happened? The root CAs with exposed keys should have been immediately re-issued, and certificates issued based on those roots should have been replaced. Then nobody really loses, except whoever is exploiting the hack that is being blamed as the root cause here. If this were the scenario, as you say, ScubaBoard and other sites would have installed new certs before or at expiration time and nobody would have cared. That's not how it played out though...

As long as the root CA cert is trusted, all the unexpired certs of any description are also trusted. Some of those have longer typical lifespans than SSL server certs. SB and other sites *could* have installed new SSL server certs over the past year that are verified using any number of still-trusted root CA certs (many from CAs other than those in which a browser owner or contributor might happen to have a financial interest, and many of them are also installed by default by browser owners). But those that did not are now exposed as having not done so, which inconveniences the users of those sites. If you look in your trust store, you will likely find any number of root CA certs there from independent but thought-to-be-trustworthy CAs. Geotrust, which issued the cert for SB, is not among those thought trustworthy.

We agree that the SSL certs should have been replaced before they expired or were actively distrusted. We don't appear to agree on how that should have been done. I'm still OK with agreeing to disagree on that because I think the industry is doing the right thing even if it causes some inconvenience here and there (as, by the way, it rather significantly did for the company I work for, which is not connected with SB or DigiCert or any of the browser owners, and for a number of our clients).
 
> Also, encryption can be done without certs. Have done it. It's a false co-dependency that has been pushed upon the masses. Certs (do their best to) guarantee identity.

TLS's goal was far more than encryption. It's about trust and data integrity. Certificates ensure you're talking to the person you think you're talking to. If you don't have that, encryption is irrelevant.

> What should have happened? The root CAs with exposed keys should have been immediately re-issued, and certificates issued based on those roots should have been replaced.

This was never about a root CA having exposed keys. Symantec was shown to have serious problems in the way they verified the people requesting certificates, issued many certificates that were found to be fraudulently obtained, and that's only the ones we know about. They never fixed their problems, and after escalating penalties, browsers decided they were going to stop trusting them. Symantec decided to sell off their business because they couldn't do it right.

The certs that are not being trusted are those that were issued during the period where Symantec had the problems, and includes CAs down the trust chain that also had problems. New certs are fine. They're not trying to put anyone out of business.

The problem is that the browser can't say with a straight face that any site bearing a certificate from that period and CA is who they say it is, no matter if it's Scuba Board or a bank.

And this isn't just a browbeating by browsers against a company, it's actually improved the state of the art. Certificate transparency, for instance, now makes it much more difficult for a bad CA to get a cert issued without people knowing.
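The distrust rule this post describes (certs issued by a CA, or a sub-CA under it, during the problem period are rejected, while newly issued ones are fine), as an added stdlib-only illustration that is not part of the thread: it walks a certificate path from the leaf to its self-signed root and flags leaves whose issuance date falls inside a distrust window. The CA names, hostnames and cutoff date are constructed placeholders, not the actual Symantec policy or dates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str      # simplified: a single name stands in for the full DN
    issuer: str
    not_before: datetime

# Constructed placeholder policy (example values, not the real browser policy):
# CAs whose issuance practices were found deficient, and the cutoff after which
# certificates are considered to come from the remediated infrastructure.
DISTRUSTED_CAS = {"Example Legacy Root CA", "Example Legacy Intermediate CA"}
DISTRUST_BEFORE = datetime(2018, 1, 1, tzinfo=timezone.utc)
TRUSTED_ROOTS = {"Example Legacy Root CA", "Example Other Root CA"}

def build_path(leaf, pool):
    """Follow issuer links from the leaf until a self-signed cert is reached."""
    by_subject = {c.subject: c for c in pool}
    path, seen = [leaf], {leaf.subject}
    while path[-1].subject != path[-1].issuer:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen:
            raise ValueError(f"chain incomplete or cyclic at {path[-1].issuer!r}")
        seen.add(nxt.subject)
        path.append(nxt)
    return path

def evaluate(leaf, pool, trusted_roots=TRUSTED_ROOTS):
    """Return 'ok', 'untrusted-root' or 'distrusted-legacy-issuance'."""
    path = build_path(leaf, pool)
    if path[-1].subject not in trusted_roots:
        return "untrusted-root"
    # Any distrusted CA above the leaf taints it, but only for certs issued
    # before the cutoff; later issuance under the same root is accepted.
    if any(c.subject in DISTRUSTED_CAS for c in path[1:]):
        if leaf.not_before < DISTRUST_BEFORE:
            return "distrusted-legacy-issuance"
    return "ok"

# Constructed sample chain: legacy root -> legacy intermediate -> two leaves,
# one issued before the cutoff and one re-issued after it.
UTC = timezone.utc
ROOT = Cert("Example Legacy Root CA", "Example Legacy Root CA", datetime(2010, 1, 1, tzinfo=UTC))
INTER = Cert("Example Legacy Intermediate CA", ROOT.subject, datetime(2012, 1, 1, tzinfo=UTC))
LEAF_OLD = Cert("forum.example.test", INTER.subject, datetime(2017, 3, 1, tzinfo=UTC))
LEAF_NEW = Cert("forum.example.test", INTER.subject, datetime(2018, 6, 1, tzinfo=UTC))
OTHER_ROOT = Cert("Example Other Root CA", "Example Other Root CA", datetime(2011, 1, 1, tzinfo=UTC))
LEAF_OTHER = Cert("bank.example.test", OTHER_ROOT.subject, datetime(2017, 3, 1, tzinfo=UTC))
POOL = [ROOT, INTER, OTHER_ROOT]
```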
 
All this tech talk is good and all but I just want to know if I'll ever get to look at Scubaboard on my phone again???

Damifino. But if we can do it underwater, shouldn't we move this to one of the tech forums?
 
good job.

 
