Expect an increase in browser privacy and security warnings

Martin Brinkmann
Aug 24, 2018
Firefox, Google Chrome

Internet users will soon experience an increase in privacy and security warnings displayed by the web browsers that they use to connect to Internet sites.

Users of Google Chrome will see an increase in "Your connection is not private" security messages and users of Mozilla Firefox will receive more "Warning: Potential Security Risk Ahead" warnings in the browser.

Google, Mozilla and other browser makers revealed plans to distrust all certificates issued by Symantec in web browsers in 2017. Several certificates were issued in the past that did not comply with industry standards and investigation in the matter revealed that "Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight".

Google and Mozilla revealed a roadmap for the browsers to distrust all certificates issued by Symantec. Starting October 2018, all versions of Google Chrome, Mozilla Firefox, and other browsers will distrust all certificates issued by Symantec.

Internet users who run development versions of Chrome or Firefox, currently Chrome Canary or Development, and Firefox Nightly, will notice certificate warnings when they connect to sites that use Symantec certificates.

A high-profile site that still uses Symantec certificates is PayPal.

Google Chrome


Google plans to remove the Symantec root certificates in Chrome 70, due October 16, 2018 on the Stable channel. From then on, Chrome will display error messages when users try to connect to sites that use Symantec-issued certificates.

Google Chrome's notification reads:

Your connection is not private.

Attackers might be trying to steal your information from [SITE] (for example, passwords, messages, or credit cards).

NET::ERR_CERT_SYMANTEC_LEGACY

A click on the error message displays details including the issuer (which in the case of PayPal is Symantec) but no options to bypass the error.

Mozilla Firefox

Mozilla plans to distrust the Symantec Root Certificate in Firefox 63, out October 2018 on the Stable channel.

Mozilla Firefox displays a different notification when you load sites with Symantec certificates in the web browser.


It reads:

Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to [SITE]. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

[SITE] has a security policy called HTTP Strict Transport Security (HSTS), which means that Nightly can only connect to it securely. You can’t add an exception to visit this site.

No option to bypass the warning is provided.

Website and server administrators and organizations have until October to address the issue: Symantec certificates need to be replaced with certificates issued by a Certification Authority that is still trusted. Symantec acquired several Certification Authorities, such as Thawte and RapidSSL, in the past, and certificates issued by these companies need to be replaced as well.
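As an added example that is not part of the article, here is a small Python inventory check an administrator could run against their own hosts before the October deadline: it flags a leaf certificate issued under one of the affected brands and reports whether the site sends HSTS, which is why, as the Firefox message above explains, the warning cannot be bypassed. The AFFECTED_ISSUERS list, the constructed sample issuer dicts and the audit_host helper are my assumptions, not anything from the browser vendors.

```python
import socket
import ssl

# Issuer-name fragments covered by the distrust. Symantec, Thawte and RapidSSL
# are named in the article; GeoTrust and VeriSign were the other Symantec-owned
# brands listed in the Chrome and Mozilla announcements (background, not from the page).
AFFECTED_ISSUERS = ("symantec", "thawte", "rapidssl", "geotrust", "verisign")

# Constructed samples in ssl.getpeercert() layout (a tuple of RDNs), not real captures.
SAMPLE_SYMANTEC_LEAF = {"issuer": ((("countryName", "US"),),
                                   (("organizationName", "Symantec Corporation"),),
                                   (("commonName", "Symantec Class 3 EV SSL CA - G3"),))}
SAMPLE_OTHER_LEAF = {"issuer": ((("organizationName", "Example Trust Services"),),)}


def issuer_fields(cert):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) issuer into a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def is_distrusted_issuer(cert):
    """True when the leaf's issuer O or CN names an affected brand."""
    # getpeercert() returns only the leaf, so this inspects the intermediate that
    # signed it; Symantec's intermediates carry the brand in their names.
    issuer = issuer_fields(cert)
    text = f"{issuer.get('organizationName', '')} {issuer.get('commonName', '')}".lower()
    return any(brand in text for brand in AFFECTED_ISSUERS)


def has_hsts(headers):
    """HSTS present (header names compared case-insensitively): no bypass option."""
    return any(name.lower() == "strict-transport-security" for name in headers)


def audit_host(host, port=443, timeout=5.0):
    """Live check of one server: leaf issuer plus HSTS from a HEAD response."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            raw = b""
            while b"\r\n\r\n" not in raw:  # read until the header block is complete
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"host": host, "issuer": issuer_fields(cert).get("commonName", "?"),
            "distrusted_issuer": is_distrusted_issuer(cert), "hsts": has_hsts(headers)}
```

A connection that succeeds from Python says nothing about browser trust, since Python validates against the operating system's store rather than the browsers' distrust list; the issuer check is the part that matters here.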

Closing Words

Internet users will see an increase in privacy and security warnings on the Internet. Many companies will switch to a different certificate before the deadline, but not all will do so in time, or at all.

Now You: Did you encounter Symantec-related certificate issues in the past already? (via Caschy)

Publisher: Ghacks Technology News
Comments

  1. anon122425252 said on May 1, 2023 at 8:51 pm

    Yay!

  2. Henning said on August 30, 2018 at 8:45 am

    This is an expected behavior, see https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/.

    You can disable this prompt by changing security.pki.distrust_ca_policy to 1.

  3. daveb said on August 26, 2018 at 8:57 pm

    Making these warnings even more useless than they were before. :\

    1. John Fenderson said on August 27, 2018 at 8:03 pm

      @daveb

      I think this is a real risk that people seem to be ignoring. Warning screens become less effective as their frequency increases. The point at which you’re just training people to bypass them without investigation is lower than many people think.

  4. shawross said on August 26, 2018 at 12:43 pm

    I wouldn’t be surprised if this was related to the US government clamping down on State Hackers.

    It might be catching others in the net also.

    But overall the extra security is a good thing IMO.

  5. Anonymous said on August 26, 2018 at 4:16 am

    I’m not interested to know why corporations like Google or Mozilla don’t trust Symantec anymore. I just know they trust Comodo which is enough to me to laugh.

  6. Super Man said on August 25, 2018 at 10:39 pm

    After all of these warnings, blocked sites etc.,
    I think of the story of the boy who cried wolf.

  7. John said on August 25, 2018 at 1:55 am

    In the image of the Firefox nightly, it says that you can not add an exception for the site, leaving “go back” as the only option. Is that because it’s the nightly build and they want to make sure beta-testers are getting the certificate every time, or do they actually plan to not allow people to get around their block when this becomes part of their regular stable release?

    I agree with what Google and Mozilla are trying to do here, but I think that users still need the option to override. Even with user-defined exceptions allowed, there will still be a lot of pressure on sites to switch certificate issuers. However, it wouldn’t be right to block users from accessing those sites in the meantime, or to block them from legacy sites that aren’t maintained (after the appropriate warning is issued, of course).

    1. Martin Brinkmann said on August 25, 2018 at 6:26 am

      PayPal uses HSTS and that is why you can’t bypass the warning. You can bypass it on sites that don’t use it, e.g. https://www.eurosport.de/

  8. Clairvaux said on August 25, 2018 at 1:25 am

    Some of those security warnings are annoying. I get a big popup from Firefox, “This connection is not secure”, when trying to enter credentials in some lowly forums, which makes login difficult. I don’t care. It does not need to be secure. There’s nothing in there, no money, no actionable way to hack me, nothing. And I use aliases, and long, random, unique passwords for all sites, plus disposable email addresses. So give me a break.

  9. Dan said on August 24, 2018 at 6:32 pm

    There are a great many legacy web sites around that are not maintained and thus not updated to pass these policies. But they still contain lots of useful information. And they don’t need to be “secure” since they don’t deal with sensitive information. Remember the days before internet giants? When we had a myriad of smaller websites, dealing with narrow but interesting topics? My guess is that we will see even fewer of these tomorrow. While the intentions of browser vendors are good, it is also eradicating the “multicultural web” in favor of tech giants and walled gardens.

    1. Jessica said on August 25, 2018 at 4:06 pm

      > And they don’t need to be “secure” since they don’t deal with sensitive information.

      False. This is a misconception of what security, safety, and privacy are.

      1. Marti Martz said on August 26, 2018 at 9:56 am

        > False

        Depends on the implementation of the site. Most of the time it is a truism when no sensitive information exists. Encryption always utilizes more resources.

        “Security” … not always needed for simple documentation/representation. False sense of security is always a factor.

        “Safety” … see below culling notation. ;)

        “Privacy”, on the other hand, is usually a factor in the wireless arena, as most of the younger generation is staring at their portable devices while crossing the street (perhaps hopefully getting culled by Darwinism ;), out with that “someone special” staring at devices instead of paying attention to those people irl, etc. Social responsibility should be a real factor first imho in the aforementioned use cases.

        One can definitely be too paranoid about all of these. One should also be aware of the risks when getting out into the world. It’s never been safe and on that pessimistic note probably never will be. Why would the internet be any different? (rhetorical). Keeping options open is the optimistic, adult approach.

      2. Jessica said on August 27, 2018 at 3:13 pm

        HTTPS consuming more resources is true but it implies a problem that doesn’t really exist: https://istlsfastyet.com/

        Encryption assures the integrity of the data; it doesn’t have exclusively to do with whether the information being exchanged is sensitive or not.

      3. Tom Hawack said on August 26, 2018 at 10:26 am

        @Marti Martz,
        “One should also be aware of the risks when getting out into the world. It’s never been safe and on that pessimistic note probably never will be. Why would the internet be any different? (rhetorical).”

        Perhaps we have a better view of dangers in the real world. I’d rather compare the Web as it is today to an intelligence officer’s hostile environment: we need to be briefed to survive (not physically of course), but is it in human nature to have the knowledge and skill of a trained officer?

        No. And this explains why browsers are more and more into prevention when they know most users are as relaxed as a tourist visiting the Niagara Falls. Meanwhile trained officers cannot move around as they intended because the headquarters are interfering too much in their own odysseys. Always the same rule: security versus privacy.

      4. John Fenderson said on August 27, 2018 at 5:05 pm

        @Tom Hawack: “Always the same rule: security versus privacy.”

        I don’t think that’s the tradeoff at all. Privacy is a subset of security, not an adversary to security.

      5. Tom Hawack said on August 27, 2018 at 5:18 pm

        @John Fenderson, I don’t think privacy is a subset of security because privacy issues may be encountered without the slightest impact on security, i.e. Google services to name the major one. I even believe Web security is offered for the price of privacy. Major Web companies take security very seriously whilst privacy not at all; their argument concerning privacy invasion is that it’s for a better user experience which includes his security, in the same way intelligence agencies and administrations refer to national security when it comes to invading users’ privacy. This is why, given the scheme is so obvious, I state with an excessively low vainglory that the big deal on the Web is definitely security versus privacy. This dialectic has been known since always as the very equation of mafia. The Web has become a mafia, let’s just face it.

        From there on it is possible to strive for privacy without getting held by mafia-type corporations and remain in security as well. But a user who aims at this refusal of established companies has to move his ass and think, search. It won’t come to him as mama’s spoon.

      6. John Fenderson said on August 27, 2018 at 6:19 pm

        @Tom Hawack

        “privacy issues may be encountered without the slightest impact on security, i.e. Google services to name the major one”

        Again, I disagree. Google services represent a security risk, precisely because they invade privacy. They increase your vulnerability to Google. They may (or may not) reduce your vulnerability to other attackers, but in that case, it’s merely shifting your vulnerability from other attackers to Google.

        “their argument concerning privacy invasion is that it’s for a better user experience which includes his security”

        Their argument assumes that being secure from them isn’t important. That’s a point I very much disagree with them about, so this line of argument seems fallacious to me.

      7. Tom Hawack said on August 27, 2018 at 6:43 pm

        @John Fenderson, I guess at this point we have to define how we understand privacy and security.

        For me privacy is what concerns our personal life, essentially in what is related to the “real” world (address, phone, profiles (rel., pol., soc. etc.)), whilst security (on the web) is what is inherent in the life of a computing device, not ours.

        When it comes to security as I understand it, those companies denigrated for their privacy invasion do a good job; they spend millions to secure the Web, to assist it, be it Microsoft, Google (not sure about Facebook :=) ). They spend because they care for the source of their income: no Web, no Web advertisement, no money, brother! From there on ties rise naturally with State security, with privacy intrusion arguments serving both business and state defense but with totally different motivations, which makes the privacy deal the hardest to challenge from a user’s approach.

        That’s how I see it.

      8. John Fenderson said on August 27, 2018 at 8:00 pm

        @Tom Hawack

        Ah, we do indeed define these things differently. For me, security is about control of my physical space, of the operation of my computers, and of my data. As such, privacy is a subset of security (privacy is about control of my data).

        “those companies denigrated for their privacy invasion do a good job”

        I’m not arguing against their pro-security activities. I’m arguing that if those activities require spying on me, then they haven’t really increased my security — they’ve only shifted who I am vulnerable to. Instead of the attackers that they are working against, I become vulnerable to those companies themselves.

        From my point of view, this is not really helpful. It doesn’t reduce the amount of work or vigilance I have to engage in to be as secure as is reasonable, it only changes the spectrum of threat vectors that I have to pay the most attention to. So, it’s a bit six of one, half dozen of the other.

    2. John Fenderson said on August 24, 2018 at 7:35 pm

      @Dan: “Remember the days before internet giants? When we had a myriad of smaller websites, dealing with narrow but interesting topics?”

      Those sorts of websites are still around, and as healthy as ever. I would argue that you’re reading one of them right now!

  10. Mike said on August 24, 2018 at 4:30 pm

    These warnings can be good.
    But I notice many of these on the blacklist are forums and maybe warez related ..shh.. sites.
    So it’s not that they only block malware related sites but they censor content so that you won’t find that pirated software that was located on this forum or whatever site.
    And you will give up and just pay for the software. That’s their golden plan.
    And that is why I turn off this in about:config. Don’t know how to do that in chrome as I don’t use chrome for this purpose.

  11. WorknMan said on August 24, 2018 at 3:57 pm

    Great. That’s just more prompts people are going to click past without reading, once they see it for the 100th time.

    1. David Boucher said on August 25, 2018 at 12:43 am

      Exactly; just more crap I have to click through… Sometimes I hate the internet; Web Sites that are “filthy” with ads unless you install an ad-blocker, then you have to deal with popups and [censored] JavaScript BECAUSE you installed a [censored] ad-blocker.

    2. Anonee said on August 25, 2018 at 12:05 am

      You can’t skip this warning though. The only thing that stops it from popping up is if the site stops using a certificate from Symantec.

  12. TelV said on August 24, 2018 at 2:15 pm

    Wow! You’d think that with all the lolly Paypal has in the bank they could afford to switch to a trusted CA by now.

  13. John G. said on August 24, 2018 at 1:31 pm

    Every step towards major security and browsing improvement is always welcome! :)

  14. klaas said on August 24, 2018 at 1:17 pm

    Symantec: funny, the 1st time I came across it was as an antivirus program way back in the Win 95 days. It was useless, and ever since, when I bought a PC with Symantec pre-installed, I came to the conclusion that it wasn’t worth it. I have not changed my mind, and what is now exposed is totally disgusting.
    Thanks for bringing it to our attention, Martin.

    1. stefann said on August 24, 2018 at 7:59 pm

      @klaas: There’s a big difference between the Home versions and the Corporate versions when it comes to safety. Of course, you should never use the pre-configured settings in any AV either; they let too much bypass. I have run Symantec’s Corporate versions since years back and never had any infections when checking with other security suites on boot CDs or antimalware software. The Home versions are mostly useless though….

  15. Tom Hawack said on August 24, 2018 at 1:15 pm

    “Google, Mozilla and other browser makers revealed plans to distrust all certificates issued by Symantec in web browsers in 2017.” Many companies including high-profile ones (PayPal) don’t hear the word “plan”; they don’t correlate to and consider the security involved, the only thing they understand is enforcement, and enforcement it will be if their sites can no longer be accessed. And meanwhile those irresponsible companies dare repeat that they consider the user’s security and privacy as essential as can be. The only policy they know is to be tangent to legislation and bend when their wallets are scratched. Privacy and security is sooo expensive, poor darlings.

  16. Tomatot said on August 24, 2018 at 12:37 pm

    I’m on Chrome 70 and indeed I have this message on a lot of websites including eurosport or paypal indeed. I didn’t understand at first why I got these but now it makes more sense. Thanks.
