23 comments

[ 3.5 ms ] story [ 60.0 ms ] thread
A (incomplete) list of broken sites: https://bugzilla.mozilla.org/show_bug.cgi?id=1484006
Also accounts.intuit.com which affects various products e.g. Mint.

And an interesting comment from the thread:

Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config. Changing the value back to '2' will re-enable this change.

Add PayPal. And theirs is an EV cert "valid" till 2019. Bet they're happy having to go through the process all over again.
Considering the PCWorld group in the UK have had to disclose a serious breach recently, plus they have not bothered to update their EV certs, i'd suggest their security isn't up to scratch and black hats will notice this.
So is this costing Symantec a lot of money? Are they no longer a root CA in any capacity?
They sold their CA business to DigiCert and quit the market.
Probably for the best. They really buggered up the whole CA thing. Hard to establish trust after it's been violated.
It's been distrusted in Chrome Canary for a few weeks already.

Similar schedule and post: https://security.googleblog.com/2018/03/distrust-of-symantec...

Sites like PayPal and Intuit, which should be on top of things related to security, have been non-responsive to my pings to fix it.

Iirc, PayPal responded to a previous support request from us stating they were aware.
It's interesting that Firefox preserves the "Continue" button for affected sites, while Chrome does not. I get that we want to keep broken sites relatively accessible for a while, but I worry that we could also be teaching people to ignore warnings like these. I wonder if the continue button dissapears with HSTS…
It does. I’ve found the inconsistency somewhat odd.
Well, to get to the continue button you have to click once, then after you click continue you have a new dialog asking if you're sure you want to trust the certificate and whether you want to trust just for the session or permanently. It's not idiot-proof, but then nothing in software ever is.
sounds like you've never needed to diagnose a broken cert before..

all of this nannying for the common good and breaking functionality is not always a good thing. provide sensible defaults and give the user control to override it as they see fit (like the continue button)

I agree with you, but the continue button does seem too easy. I'd make this an about:config type setting.
Probably because Mozilla subscribes to the ethos that a user should get the final say in what computation gets done on their computer, and not some third party. I would be sad if they ever took the "continue" option away.

This is consistent with their position on drm in browsers.

Firefox Nightly has the continue button regardless, but if the site has HSTS, it will tell you so, and will not allow you to add an exception; continue only shows the cause of the problem, in this case, that the certificate came from an untrusted source. This is in line with the "no user recourse" section of the HSTS RFC.
Users should get the final say always. This was normal behavior before windows 8. Now windows users are guests in their operating system, and the attitude can be seen in other software as well, not only from Microsoft.

Firefox is an awesome browser and is the most pro choice browser on the market, with options for privacy plugins, search engines, cookie choices, tracking protection, etc.

Personal responsibility? I have on occasion ordered things from websites who did not have their security in order. My conscious and informed decision. Although I did not order with a creditcard ofcourse.
Then what did you order with? Credit cards provide buyer protection against fraud unlike debit cards.
Bitcoin? Visa gift cards? Temporary Visa cards from places like entropay?
iDeal. Sending money from my bank account to the account of the webshop.
Oh, I guess that's why I've been seeing TLS errors on eBay description pages…