Insights For Success

Strategy, Innovation, Leadership and Security

Symantec

The start of the end for Symantec cert trust on Google's Chrome

GeneralEdward Kiledjian

A little history

Early 2017, a security researcher (Andrew Ayer from SSLMate) discovered that three certificate authorities (Symantec Trust Network, GeoTrust Inc., and Thawte Inc), owned by Symantec, had improperly issued 108 TLS certificates. It is important to understand that these improperly issued certificates would allow a threat actor to spoof or impersonate a website that was using HTTPS.

9 of these certificates were issued without the knowledge of the domain owners. 99 were issued without proper validation of domain ownership. 

This improper issuance of certificates directly contravenes the strict (prescriptive) guidelines of the CA/Browser Forum and raised the ire of internet giants like Google, Mozilla, and Microsoft. 

These guidelines and controls underpin the entire trust model of the encrypted internet.

There is no way to verify if these certificates were ever used in the wild but we also cannot verify that they were not used. 

You can see the list of certificates here

Chrome to distrust Symantec TLS Certs

https://bugs.chromium.org/p/chromium/issues/detail?id=796230

Very quickly after this second incident was made public, the developers of the Chromium project announced their intention to distrust all Symantec issued TLS certificates. Since Chromium powers Google Chrome, the most popular browser in the world, this was a punishment for Symantec's mismanagement. So started the two-year roadmap to achieve this goal. 

You can read the blog article on the Google Security blog entitled "Chrome’s Plan to Distrust Symantec Certificates".

As you can see above, the process is broken down into 3 distinct phases:

  1. Certificates issued after December 1, 2017, from Symantec's legacy infrastructure will not be trusted
  2. Certificates issued before June 1, 2016, from Symantec's legacy infrastructure will not be trusted
  3. All certificates issued from Symantec's legacy infrastructure will not be trusted.

The first phase is rolling out with Chrome beta version 66 on March 15, 2018. Domain admins still using Symantec certs issued before June 1, 2016, are encouraged to replace them ASAP. 

The full roadmap will come to fruition with Google Chrome beta 70 (due October 16, 2018). 

In an October 2017 Symantec security blog entry, we learned that Digicert will takeover certificate updated as of December 1, 2017. 

5 best Random Password Generators

GeneralEdward Kiledjian

1 - Random.org

Random.org has been one of my favorite sites for a long time. It uses atmospheric noise to generate its randomness which is much better than the logical pseudo-random generators used by many sites and service.

You choose the password parameters you need and it generates wonderfully random passwords to use with your password manager of choice.

Link

2 - Symantec Identity Safe

Symantec has been a mainstay of the security market since the 90s and they bought a company called PCTools (and its Secure Password Generator). As a PC Tool vendor, they will try to make you download their privacy tools but I wouldn't recommend their password vault.

Use the password generator on the right side of their site to generate high quality complicated passwords with the required complications. As an example, the above complications generated this password for me : dr-cr+wreF5p.

Link

3 - Wolfram Alpha

Wolfram Alpha is a powerful knowledge engine created by the brainiacs behind mathematica, It is a superb tool I use regularly for problem solving but it also generate random passwords. Head over to their knowledge engine and enter Generate Strong Password. Then press the equal sign. 

Then choose the complications you want and press the equal sign again to generate you password.

then it generates your wonderful password

you press on Plaintext and copy it into your favorite website or password manager.

Link

4 - Lastpass password generator

My 2 favourite password managers are Lastpass and 1Password. Both have the capbility to generate strong passwords and you should use that functionality if you have those those. Considering most of Lastpass is now free to use, you really have no excuse.

But Lastpass also offers a web based secure password generator which is clean, easy to use and efficient. 

When you scoll up on that page after choosing your complications, you get a wonderfully generated password of your can click the button and have another one created for you.

5 - GRC Ultra High Security Password Generator

GRC is the home of Gibson Research Corporation. It is owned by Steve Gibson the Grand Poobah of internet security. He found the first spyware and wrote the first anti-spyware app. He is considered one of the most prominent security professionals and makes tones of tools available on his site. 

His site generates perfectly random long complex 64/63 character passwords and he then explains why his passwords are high quality. If you are interested in geeking out, its a wonderful read.