Google takes Symantec to the woodshed - Page 2

Google takes Symantec to the woodshed


Comments

  • WSS Member

    @bsdguy said:
    A symantec certificate? Yeah, right. When hell is frozen.

    I think the best part about Symantec is just how horribly their software was known to cripple essential networking, stuffing their shit into EVERYTHING. The corporate edition of their AV wasn't quite as bad, but I've had more LSPs broken over the years due to Symantec than anything intentionally malicious.

  • Don't forget Symantec bought Bluecoat, which does SSL MiTM. So Bluecoat + Symantec CA would allow for seamless, and near undetectable MiTM Attacks.

    Thanked by 2: WSS, vimalware
  • raindog308 Administrator, Veteran

    @bsdguy said:
    Does anyone know anything symantec has not got by purchasing a company?

    Symantec is a really hilarious story...I hope someone writes an insider book someday. They were originally an AI company with Stanford grads and science foundation grants, but then things didn't pan out (one of many AI Winters) and they started the merge/acquisition game.

    Not with other AI companies or research giants...with schlocky crapware vendors pushing third- or fourth-rung word processors and Lotus 1-2-3 addons. I was trying to remember some and looked at Wikipedia. This was entertaining (Q&A was some silly DB product they had in the 80s...everyone made one back then):

    "After a slow start for sales of Q&A in the fall of 1985 and spring of 1986, Turner signed up a new advertising agency called Elliott/Dickens, embarked on an aggressive new advertising campaign, and came up with the "Six Pack Program" in which all Symantec employees, regardless of role, went on the road, training and selling dealer sales staff nationwide in the United States. Turner named it Six Pack because employees were to work six days a week, see six dealerships per day, train six sales representatives per store and stay with friends free or at Motel 6."

    The Norton addition was big, and then they bought Veritas in 2005 which made absolutely zero sense...a vendor primarily in the desktop AV market buys an enterprise software company. Now they've split again.

    They've just done a ton of random acquisitions with zero focus.

  • angstrom Moderator

    For what it's worth:

    https://www.symantec.com/connect/blogs/symantec-backs-its-ca

    "We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates."

    There is indeed a big difference between 30,000 certs and 127 certs, but where is the truth ...

  • "but where is the truth ..."

    My take: Certainly not with Symantec. They are among the worst companies in the known universe. Probably Ferengi with a bad character.

    Thanked by 1: Amitz
  • @angstrom said:
    There is indeed a big difference between 30,000 certs and 127 certs, but where is the truth ...

    The truth is that, from a security perspective, there actually isn't a big difference between 30K mistakes and one single one. Insecure is insecure, and you shouldn't expect people to trust you if you don't follow a process that keeps 1 from turning to 127 from turning to 30K. It's just not a good argument to say to your spouse, "But I haven't cheated on you that many times!"

    But I'm not really taking sides here. I think the entire CA system is flawed. It's a big part of why the web sucks so much.

  • Maounique Host Rep, Veteran

    impossiblystupid said: I think the entire CA system is flawed.

    Me too.
    As for who is right, I would side with Google here. I think their people know what they are doing; they would not go public with this without a very serious case behind it.
    That does not mean it is absolutely impossible they were wrong, but let's say Symantec lost a lot of credibility points with me when I had to remove their so-called security products from hundreds of computers some 10-15 years ago.

    Thanked by 1: angstrom
  • angstrom Moderator

    @impossiblystupid said:

    @angstrom said:
    There is indeed a big difference between 30,000 certs and 127 certs, but where is the truth ...

    The truth is that, from a security perspective, there actually isn't a big difference between 30K mistakes and one single one. Insecure is insecure, and you shouldn't expect people to trust you if you don't follow a process that keeps 1 from turning to 127 from turning to 30K. It's just not a good argument to say to your spouse, "But I haven't cheated on you that many times!"

    I would agree that for a company that claims to be so security-conscious, 127 is a (much too) high number.

    I still wonder about the discrepancy between 30K and 127, though.

  • Hxxx Member

    How did we end up talking about @Nekki 's hair. LOL

  • raindog308 Administrator, Veteran

    impossiblystupid said: The truth is that, from a security perspective, there actually isn't a big difference between 30K mistakes and one single one.

    Particularly if the one is something like google.com.

    Thanked by 1: Clouvider
  • Horrible...

  • @angstrom said:
    I still wonder about the discrepancy between 30K and 127, though.

    By my reading, the 30K is the total count over the years for all of Symantec's bad practices. The lower number is simply Symantec trying to spin what was found for the one specific investigation related to the google.com incident.

    Thanked by 1: angstrom
  • willie Member
    edited March 2017

    There are 127 known bad certificates. There are another 30K certificates that were issued without being properly vetted, so they have to be treated as presumptively bad even though chances are that most of them are actually good. That's the source of the 127 vs 30K discrepancy.

    And word is that there is no way to separate out those 30K certs from the millions of other certs Symantec has issued. It's that last part that amazes me: surely Symantec has audit trails of which RAs issued those certs. Also, the distrust action affects all Symantec roots, including the ones that weren't in the process in question.

    The issue basically seems to be that Symantec is incapable of getting its act together (the above scenario has already played out several times) so Google eventually called them on it. A CA root is a license to print money as long as you jump through some hoops to get it. Symantec couldn't be bothered jumping through the hoops and now they're whining about getting the printing license suspended.

  • Maounique Host Rep, Veteran

    willie said: now they're whining about getting the printing license suspended.

    I don't think it was suspended, just a serious warning received that it might be, and there were more hoops set + the older ones enforced more.
    As I read it, this is an attempt to make Symantec comply with the original conditions + some verification mechanism + making sure old ones are phased out in a comprehensive fashion. It should also be a warning for others to get their act together: if Symantec is not too big to fall, nobody is.
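willie's post explains why every certificate under the affected roots is treated as presumptively bad, and Maounique's describes a phased enforcement rather than an outright cut-off. The following is an added example, not code from the thread or from any browser's real distrust plan, of how a TLS client applies such a policy: walk the chain to its root, and if the root is on a distrust list, refuse leaves issued after a cutoff date and cap the validity of the older ones. The `Cert` model, the root name, the cutoff date and the validity cap are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative certificate model for this example; the field names are
# this example's own, not any X.509 library's API. Dates are ISO strings.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: str
    not_after: str

def _d(s):
    return date.fromisoformat(s)

# Constructed policy table: roots the client has stopped trusting, each
# with the issuance cutoff after which leaves under it are refused.
# Root names and dates are placeholders, not any browser's actual plan.
DISTRUSTED_ROOTS = {"Example Distrusted Root CA": "2017-03-24"}
# Constructed cap on leaf validity under a distrusted root, in days.
MAX_VALIDITY_DAYS = 279

def find_root(chain):
    """Follow issuer links from chain[0] (the leaf) to a self-signed cert."""
    by_subject = {c.subject: c for c in chain}
    cur, seen = chain[0], set()
    while cur.subject != cur.issuer:
        if cur.subject in seen:
            raise ValueError("issuer loop in chain")
        seen.add(cur.subject)
        cur = by_subject.get(cur.issuer)
        if cur is None:
            raise ValueError("chain is incomplete: issuer not supplied")
    return cur

def evaluate(chain):
    """Return (accepted, reason) for a leaf-first chain under the policy."""
    leaf, root = chain[0], find_root(chain)
    cutoff = DISTRUSTED_ROOTS.get(root.subject)
    if cutoff is None:
        return True, "root is trusted"
    # Once trust in the root is pulled, every leaf under it is treated the
    # same regardless of which RA issued it; only the dates matter.
    if _d(leaf.not_before) > _d(cutoff):
        return False, "issued after cutoff under a distrusted root"
    validity = (_d(leaf.not_after) - _d(leaf.not_before)).days
    if validity > MAX_VALIDITY_DAYS:
        return False, f"validity {validity} days exceeds cap under distrusted root"
    return True, "pre-cutoff, short-lived leaf under distrusted root"
```

Note that the policy keys on the root, so an intermediate that was never part of the flawed process is still caught, which is exactly the "affects all Symantec roots" effect willie describes.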
