It's a cert: Hundreds of big sites still unprepared for starring role in that Chrome 70's show

Bloody SSL...it's the final countdown


Hundreds of high-profile websites are still unprepared for the total disavowal of legacy Symantec-issued digital certificates that will kick in with the release of Chrome 70 next week.


Chrome 70, out on 16 October, will no longer recognise Symantec-issued certificates including legacy-branded Equifax, GeoTrust, RapidSSL, Thawte and VeriSign.

Next week's deadline completes a withdrawal of support that has been ongoing for the last year. Phase one of the process took place in April with the arrival of Chrome 66 and meant that certs issued before the start of June 2016 stopped working for users of the latest and subsequent releases of Google's browser software.

Chrome 70 marks the end of trust for all TLS server certificates issued by Symantec's old infrastructure. The decision to distrust the certs comes after Google Chrome's browser team lost "confidence in the trustworthiness of Symantec's infrastructure" following a series of transgressions against industry best practice.

The disavowal is a community response to alleged violations but Google is on the front line of implementing the shutout.

Scott Helme, the security researcher behind securityheaders.com and report-uri.com, applied scripts to web crawler data to work out which of the web's top million sites are still using Symantec certificates. A total of 1,139 were running them as of 25 September, just three weeks away from the 16 October deadline, Helme's research revealed.

Some affected sites including ferrari.com and postnord.se have changed their certs over recent days so that they are no longer throwing up warnings, but hundreds of others worldwide remain unprepared.

Helme's latest figures are an update on a similar exercise he carried out in April, when he discovered that around 500 of the top million sites were about to stop functioning smoothly in April and 4,971 in October unless they replaced their digital certificate.

Several prominent UK organisations need to change up their certificates before next week. These include Hill and Dale Outdoors (hillanddaleoutdoors.co.uk), Micro Scooters (micro-scooters.co.uk), External Invoicing (externalinvoicing.co.uk), new and used car dealer Marshall (marshall.co.uk) and HomeoVet Animal Care (homeovet.co.uk), among others.

As things stand, surfers using Chrome 70 will be confronted with a big, red warning when they visit these websites next week. Beta users are already seeing warnings that are due to go mainstream in just days. Surfers can just click past such warnings to reach a site but this is hardly behaviour to be encouraged. Any site running Symantec certs will have effectively replaced the welcome mat with the digital equivalent of a "thar be monsters" sign.

Surfers visiting sites such as used car dealer Marshall will soon see a warning if a Symantec-issued cert isn't replaced

Used car dealer Marshall needs to swap out its Symantec-issued cert for new parts pronto

El Reg identified issues in the named sites on Tuesday, 9 October, after going through Helme's latest list.

Readers can verify these results by visiting the relevant sites and looking in the Developer Tools bundled with their Chrome browser. In the console there's an error message confirming these sites will trip up and stop working normally with the release of Chrome 70.
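As an added illustration (not part of the article, and not Helme's crawler scripts), the Python below uses only the standard library to classify a certificate against the two-phase schedule described above: a legacy-brand issuer plus a pre-June-2016 issue date means Chrome 66, any other legacy-brand issuer means Chrome 70. The sample certificates are constructed and stand in for live sites; `check_host` runs the same check against a real hostname.

```python
import socket, ssl
from datetime import datetime, timezone

# Legacy brands that ran on Symantec's old PKI, as named in the article.
LEGACY_BRANDS = ("symantec", "equifax", "geotrust", "rapidssl", "thawte", "verisign")

# Phase one (Chrome 66) hit certs issued before June 2016; phase two (Chrome 70) hits the rest.
PHASE_ONE_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

def issuer_string(cert):
    """Flatten the issuer tuple returned by ssl.getpeercert() into 'key=value, ...'."""
    return ", ".join(f"{key}={value}" for rdn in cert.get("issuer", ()) for key, value in rdn)

def is_legacy_symantec(cert):
    """Heuristic: Chrome keys its decision on the chain's root, but getpeercert() only
    exposes the leaf, so a legacy brand in the issuing CA's name is the usable proxy."""
    text = issuer_string(cert).lower()
    return any(brand in text for brand in LEGACY_BRANDS)

def distrusting_chrome_version(cert):
    """Return 66, 70 or None: the first Chrome release that rejects this certificate."""
    if not is_legacy_symantec(cert):
        return None
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return 66 if issued < PHASE_ONE_CUTOFF else 70

def check_host(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate from a live host and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return distrusting_chrome_version(tls.getpeercert())

# Constructed samples in getpeercert() shape; they are not any real site's certificate.
SAMPLE_CERTS = {
    "phase_one": {"issuer": ((("organizationName", "Symantec Corporation"),),
                             (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
                  "notBefore": "Mar  3 00:00:00 2016 GMT"},
    "phase_two": {"issuer": ((("organizationName", "GeoTrust Inc."),),
                             (("commonName", "RapidSSL SHA256 CA"),)),
                  "notBefore": "Jun  1 00:00:00 2016 GMT"},   # on the cutoff day: phase two
    "unaffected": {"issuer": ((("organizationName", "Let's Encrypt"),),
                              (("commonName", "Let's Encrypt Authority X3"),)),
                   "notBefore": "Sep 10 00:00:00 2018 GMT"},
}

def classify_samples():
    """Map each sample label to the Chrome version that first distrusts it (None = trusted)."""
    return {name: distrusting_chrome_version(cert) for name, cert in SAMPLE_CERTS.items()}
```

Running `check_host("example.com")` against your own hosts gives the same 66/70/None answer the console warning in Chrome's Developer Tools conveys, without needing the beta build.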

Symantec sold on its digital certificate business to DigiCert last August. Web admins have the option of either moving over to DigiCert or other providers in order to avoid problems. Those not replacing their digital certificate before the imminent deadline risk inadvertently erecting digital barriers to prospective customers.

What should people be doing?

Why are a substantial number of orgs still unprepared for a well-signposted change announced months ago? Helme added that the tweaks were far from difficult to enact.

"This should be a really easy change for organisations to make, especially given how much notice there has been for the upcoming change," he told El Reg. "Replacing a certificate is something that can be done in as little as a few minutes or up to a few days depending on your process and the type of certificate you get. Either way, the worst-case scenario still makes it possible for organisations to change their certificates before the release of M70, despite having already had months of notice."

Tardy organisations have possibly not caught up on the news of the imminent disavowal of Symantec-issued certificates despite a steady volume of coverage about the issue, Helme speculated.

"My guess for why organisations haven't replaced these certificates at this late stage only comes back to them not knowing the change is coming," he said. "There has been a lot of publicity about this change and Chrome has been reaching out to sites that would be affected, along with researchers like myself publishing details and lists of sites that will be affected. I doubt a site would choose to ignore this change and then break in the most popular browser in the world so it surely has to be that they simply don't know." ®
