I think it’s only fair to flesh this out a little more otherwise people may be confused about what the report actually says based on a small, out of context snippet. These non-compliant certificates were ones with a longer than 60 month validity period. Netcraft themselves say that it isn’t itself a security problem. Also, yes, Comodo and GoDaddy together made up ~95% of these non-compliant certificates, but Comodo isn’t GoDaddy so that isn’t a fair way to look at it. To put things into perspective GoDaddy issued 2,498 of these non-compliant certificates while Comodo issued 606. GoDaddy has about twice the market share that Comodo has. You can find one Comodo employee’s position from a link in the Netcraft article here: https://cabforum.org/pipermail/public/2013-September/002192.html
Google's proposal to use the original July 2012 date as a threshold for enforcement isn't popular with some of the CAs in the CA/B forum: GlobalSign and Comodo have argued that such technical constraints should only be enforced for certificates issued after the announcement.
If I understand Comodo's position correctly they don't want to revoke certificates that were issued before the date of July 1 2012.
In legislation it is problematic when a new law gets introduced that will extend to a period before the law got active. People or entities did not get time to adapt to the new legislation. Looking from a business perspective Comodo could be accused of breaking a contract it had with the recipient of the certs.
I thought we were talking about security ! The Snowden papers has opened a bag of worms.
HTTPS/SSL are supposed to provide browser users with the security it claims.
Making excuses based on business or technical grounds, breaks security… 88) The changes implemented back in 2012, almost eighteen months ago, are supposed to tighten security. That has to be a good thing for the Net.
You either have security or you don’t!
There’s no in between in my book especially when an organisation like the NSA is snooping on my Net use, because they break the security, which has been too easy for them.
If my Net use is lawful, they have no excuse without just cause. That requires both a court order & US citizenship. I fall outside those requirements. I am not a US citizen & not subject to US LAW.
It’s no major task to mod the code, cancel the Certificates that don’t comply with the new rules & reissue them. It is after all, just a computing problem, not a major physical exercise. The CA’s complaining about the problem, in this case two of them in a long list, need to think about what HTTPS/SSL is providing…security is implied! If it’s broken,…fix it! Any customer involved will surely understand, once the problem & need for change is explained to them ?
Business considerations and even the technical ones in this case, small as it is, beg the question & are easily fixed.
Your facts are simply wrong, huntsman. As I mentioned, Netcraft themselves say that it isn’t a security problem. Also, you mentioned that Google is doing this because of NSA revelations, but neither the Zdnet article nor the announcement by Google mention anything about the NSA. I just have to ask, do you have an issue regarding this article that is relevant to Comodo Dragon? This is the Comodo Dragon forum, after all.
Thank you Cassette for reminding me it is a Comodo forum.
I don’t recall mentioning ZDNet or Google referring to the NSA disclosures, in my previous discussion. They didn’t, of course. I referred to the NSA & Snowden papers. You made the ZDNet & Google connection !
The SSL security issue is relevant to the discussion & by implication my conclusion was that Google was tightening their security in all their products due, in my opinion, to these revelations. As a direct result, that also involved Comodo Dragon, a browser I am using which is based on the Chromium Google product.
I may have been wrong, so I bow to your superior knowledge. Thank you.
I have reread the ZDNet article and couldn’t find any comment or statement by Netcraft where they say there is no security problem.
The ZDNet article went on to say…
“Netcraft also identified non-compliant certificates issued by Symantec, Verizon Business, SwissSign and GoDaddy,” (as well as Comodo)…
“CAs should be capable of testing compliance with the baseline requirements as an automated check before issuance, so there’s not much of an excuse for these lapses” and I agree unless there is a compelling argument to the contrary.
I am concerned the certificates issued, by these companies, do not comply. It seems to me that 18 months is more than enough time to correct the non compliance.
You may argue it doesn’t matter. I contend it does, because it is a question of SSL Net Security, even if it’s only a small one, which affects all users who depend on these certificates, including users of Comodo products.
I am not the only one!
As I mentioned, Netcraft themselves say that it isn’t a security problem. Also, you mentioned that Google is doing this because of NSA revelations, but neither the Zdnet article nor the announcement by Google mention anything about the NSA.
I just have to ask, do you have an issue regarding this article that is relevant to Comodo Dragon? This is the Comodo Dragon forum, after all.
When a user posts in a non matching board we can move it. Please use the report this post function to notify us. Please stay civil an respectful.
Google is aggressively pursuing an agenda as recognised by Netcraft:
Despite Google’s aggressive stance, many of Google’s own certificates did not comply with some of the Baseline Requirements: in the September 2013 Netcraft SSL survey, almost 500 Google certificates did not contain a URL to an OCSP responder or include a stapled OCSP response (making the certificates irrevocable in Firefox). Since the survey ran in mid-August, a large number of Google’s certificates have been replaced and now contain an OCSP URL, but a few non-compliant certificates are still in use including one on Zagat.com. The Zagat.com certificate also has an incomplete SAN record (it does not contain the hostname from the Subject Common Name field).
To return to the point of view taken earlier I would like to point out that Google is not a CA who has contracts to which they are legally bound. Google could also think of a more friendly strategy where companies with these certs are informed about the new guide lines and them to change on a voluntary basis.
To me that sounds like you are saying that the ZDNet report talked about NSA snooping. At the very least it’s misleading.
As far as it not being a security issue, that wasn’t in the ZDNet article, it was in the Netcraft article linked in the ZDNet article. It says, “Whilst exceeding this validity period constraint isn’t itself a security problem it slows downs the pace of change within the industry — with a shorter maximum validity period, browsers can rely on legacy behaviour disappearing and can remove insecure functionality more rapidly.” When you think about it it does make some sense. The 60 month limit is kind of an arbitrary figure. It’s not like once the certificate is 61 months old it starts to spoil. Also, with an 18 month window to correct these issues and a 60 month validity period limit, many certificates will still be well under the 60 month period once the requirement takes effect in Chrome.
The ZDNet article I think is a little misleading here too, though. They make it sound like the figures of GoDaddy and Comodo apply to all of the baseline requirements, but the Netcraft article specifies that they apply to only the 60 month validity period.