Geekzone: technology news, blogs, forums


defiant
610 posts

Ultimate Geek
+1 received by user: 294

Lifetime subscriber

Topic # 240977 4-Oct-2018 20:56

So the end is near for the distrust of Symantec, and its various subsidiary CAs', SSL certs via Chrome.

 

Just FYI, I'm running Chrome beta so on version 70.0.3538.45 now, getting this when browsing to secure.2degreesbroadband.co.nz

 


 

Probably best to get onto this asap, as the stable release of 70 is just around the corner, more info here

 

@2degreesCare

 

cc @NickMack

 

 

 

 


514 posts

Ultimate Geek
+1 received by user: 110


  Reply # 2101819 4-Oct-2018 21:30
3 people support this post

If I browse to that site, it shows it as no error and a RapidSSL cert from 19/05/2017

 

Sure it's not something on your side?

 

 


'That VDSL Cat'
8692 posts

Uber Geek
+1 received by user: 1879

Trusted
Spark
Subscriber

  Reply # 2101825 4-Oct-2018 21:39

 

seems to be a valid cert imo...

 

 

 

seeing this though, 

 





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


21464 posts

Uber Geek
+1 received by user: 4362

Trusted
Subscriber

  Reply # 2101826 4-Oct-2018 21:41

Firefox gives me this:

 

 

 






Richard rich.ms



defiant
610 posts

Ultimate Geek
+1 received by user: 294

Lifetime subscriber

  Reply # 2101829 4-Oct-2018 21:47

I'm assuming you're both using Chrome 70, and that you're both aware GeoTrust and RapidSSL were owned by Symantec before being purchased by Digicert. And that you're both aware of the Google/Symantec spat.

 

Copy/paste from the Google blog:

 

We previously announced plans to deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL)

 

Chrome 70   Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. You’ll see a message in the console telling you if you need to replace your certificate.
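A rough inventory check for the distrust described above, added here as an example and not part of any post in this thread or of Chrome's own logic (Chrome decides on the certificate chain it builds, not on names). It assumes the leaf certificate is in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the brand-token heuristic and the sample inventory are constructed for illustration.

```python
import socket
import ssl

# Brand tokens from the Google announcement quoted in this thread. Matching
# them in the issuer's organizationName is this example's heuristic, not
# Chrome's own logic.
LEGACY_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")

def issuer_attr(cert, name):
    """Read one issuer attribute from an ssl.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == name:
                return value
    return ""

def classify(cert):
    """Return 'legacy-symantec', 'digicert' or 'other' for a leaf cert."""
    # Only the organization is checked: reissued certs keep the brand in the
    # issuer commonName but are signed under a DigiCert organization.
    org = issuer_attr(cert, "organizationName").lower()
    if any(brand in org for brand in LEGACY_BRANDS):
        return "legacy-symantec"
    return "digicert" if "digicert" in org else "other"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live leaf certificate in the same dict form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _cert(org, cn):
    """Build a constructed getpeercert()-style dict with only an issuer."""
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),),
                       (("commonName", cn),))}

# Constructed sample inventory (hostnames and issuers are illustrative).
SAMPLE = {
    "old.example": _cert("GeoTrust Inc.", "RapidSSL SHA256 CA"),
    "new.example": _cert("DigiCert Inc", "RapidSSL RSA CA 2018"),
    "free.example": _cert("Let's Encrypt", "Let's Encrypt Authority X3"),
}

def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(cert) for host, cert in inventory.items()}
```

For live hosts, pass `fetch_cert(host)` to `classify`; any host reported as `legacy-symantec` is a candidate for reissue before Chrome 70 stable.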

 

 


'That VDSL Cat'
8692 posts

Uber Geek
+1 received by user: 1879

Trusted
Spark
Subscriber

  Reply # 2101832 4-Oct-2018 21:50

dfnt:

 

I'm assuming you're both using Chrome 70, and that you're both aware GeoTrust and RapidSSL were owned by Symantec before being purchased by Digicert.

 

 

Right, that explains it...

 

 





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.




defiant
610 posts

Ultimate Geek
+1 received by user: 294

Lifetime subscriber

  Reply # 2101835 4-Oct-2018 21:52

Chrome 70 stable isn't out till mid October, that's when the masses will start seeing the Symantec cert error on sites that haven't migrated to non-Symantec-issued certs


514 posts

Ultimate Geek
+1 received by user: 110


  Reply # 2101836 4-Oct-2018 21:52

Ahh, I had seen the bit about certs before 2016 being blocked but didn't realize they were going to block ALL certs from those providers

 

 




defiant
610 posts

Ultimate Geek
+1 received by user: 294

Lifetime subscriber

  Reply # 2101837 4-Oct-2018 21:57

skewt:

 

Ahh, I had seen the bit about certs before 2016 being blocked but didn't realize they were going to block ALL certs from those providers

 

 

 

 

Yeah that was for Chrome 66, the final nail in the coffin will be Chrome 70 distrusting all certs that were issued by the various Symantec brands.

 

I believe all new certs under those brands are issued by Digicert now, e.g.:

 



Meow
7906 posts

Uber Geek
+1 received by user: 3929

Moderator
Trusted
Lifetime subscriber

  Reply # 2101841 4-Oct-2018 22:17
One person supports this post

@dfnt As somebody who has had to replace a tonne of Symantec certificates over the last few months I can confirm you're correct here. The certs have to be redone with the new Digicert signer.







defiant
610 posts

Ultimate Geek
+1 received by user: 294

Lifetime subscriber

  Reply # 2101857 4-Oct-2018 22:53

michaelmurfy:

 

@dfnt As somebody who has had to replace a tonne of Symantec certificates over the last few months I can confirm you're correct here. The certs have to be redone with the new Digicert signer.

 

 

Working in banking I imagine there were a lot of certs to replace -_-


BDFL - Memuneh
61331 posts

Uber Geek
+1 received by user: 12076

Administrator
Trusted
Geekzone
Lifetime subscriber



defiant
610 posts

Ultimate Geek
+1 received by user: 294

Lifetime subscriber

  Reply # 2101871 4-Oct-2018 23:07

freitasm:

 

I can see so many sites going "Oh oh" when Chrome 70 comes out...

 

 

Yeah, it's quite amusing/sad how many are still using SSL certs from Symantec and their brands


3365 posts

Uber Geek
+1 received by user: 1841

Trusted
Lifetime subscriber

  Reply # 2101872 4-Oct-2018 23:10
One person supports this post

michaelmurfy:

 

The certs have to be redone with the new Digicert signer.

 

 

Or better yet with free Let's Encrypt, Comodo or AWS ACM certificates.. It's high time people stopped paying money for SSL certs.





Information wants to be free. The Net interprets censorship as damage and routes around it.


Meow
7906 posts

Uber Geek
+1 received by user: 3929

Moderator
Trusted
Lifetime subscriber

  Reply # 2101873 4-Oct-2018 23:13

freitasm:

 

I can see so many sites going "Oh oh" when Chrome 70 comes out...

 

A month ago I was stressing a bit when one of our major sites didn't have a replacement certificate. I was going around with Google Chrome Canary doing verification when I noticed it, had to wait for the cert guys to generate a new cert and load it on the servers.

 

That was a month ago... Glad all the certs I am responsible for are now replaced ahead of schedule. But yes, I still come across quite a few sites with Symantec certs.







defiant
610 posts

Ultimate Geek
+1 received by user: 294

Lifetime subscriber

  Reply # 2101874 4-Oct-2018 23:16
One person supports this post

Lias:

 

michaelmurfy:

 

The certs have to be redone with the new Digicert signer.

 

 

Or better yet with free Let's Encrypt, Comodo or AWS ACM certificates.. It's high time people stopped paying money for SSL certs.

 

 

I'm even using Let's Encrypt (wildcard cert) for all my internal devices, like EdgeRouter, Synology NAS, pihole etc. using nginx as a reverse proxy to them. That way I don't have to deal with self-signed cert warnings when accessing them, and I just have a single device that the cert resides on.

 

So easy when using the Cloudflare certbot plugin, so you don't have to expose your internal services for validation

