塞门铁壳SSL出事了？

holinhot

Google has recently identified a series of failures by Symantec Corporation to properly validate certificates, and as a result, Google has stated its intent (https://groups.google.com/a/chromium.org/forum/#%21topic/blink-dev/eUAKwjihhBs) to take the following steps relating to the Chrome browser:
* Reduce the maximum accepted validity period of newly-issued Symantec certificates to nine months or less

* Implement a rolling distrust of all currently-trusted Symantec-issued certificates, forcing the certificates to be replaced with new certificates before the original would expire

* Remove the EV (Extended Validation) treatment of Symantec EV certificates for at least the next year

Since Google Chrome has a majority of the browser market, this will have a significant impact on the industry and potentially on your web assets.

In an effort to protect the safety of internet users, avoid disruption, and minimize the management burden to you, Comodo will help all affected Symantec, Thawte and Geotrust customers. Comodo will replace the remaining lifetime on your existing Symantec/Thawte/Geotrust certificates at no cost (example: a three-year certificate with two years remaining can be replaced with a three-year Comodo certificate for the cost of one year).

Please call 1-855-478-7740 or contact [email protected] (mailto:[email protected]?

用户名

什么鬼  炸裂啊

yandere

感覺在推銷comodo

wen

http://www.ithome.com.tw/news/112989
跟當初誤發了Goolge的憑證延燒到現在,被發現誤發超過3萬的憑證

賽門鐵克2015年誤發逾3萬個憑證，Google祭制裁：Chrome逐步不再承認其憑證
賽門鐵克在2015年坦承誤發Google.com延伸驗證憑證，Google追查後發現誤發數量超過3萬個，本周對賽門鐵克祭出制裁，未來將透過Chrome的版本升級逐漸廢止賽門鐵克旗下憑證機構簽發的現有憑證。

xiangzi

用户名 发表于 2017-3-25 08:47
什么鬼  炸裂啊

哼，我不信

holinhot

tension 发表于 2017-3-25 12:08
只有 EV 出事了！

GeoTrust 应该没事。
google自己也在用

holinhot

tension 发表于 2017-3-25 12:38
GeoTrust 肯定没事。。。

我看有事。
https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/symantec/README.md
除了这些没事。其他由赛门铁克控制的私钥都出事， 本来是没事。
As discovered during the follow-up of a previous incident - https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html - Symantec has cross-signed two organizations who operate wholly independent infrastructure that is audited as such - Apple and Google. This is documented at https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/symantec/README.md

As such, these certificates are not "Symantec-issued", for any reasonable definition, and are effectively operated by independent third parties, and thus would be proposed to be excluded from these requirements.

This evaluation of trust is not based upon an intrinsic property, but on the public disclosure and ability to independently confirm and assess the policies and practices related to issuance by these two parties.

All Symantec issued certificates. GeoTrust and Thawte are CAs operated by Symantec, simply afforded different branding.

While this list may need to be updated for some recently created roots, https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/symantec/README.md may accurately capture the state of impact