After a brief delay, Mozilla finally distrusted all Symantec certificates with the release of Firefox 64 this week.
In October, Mozilla postponed the distrust deadline for Symantec certificates from Oct. 23 until the release of Firefox 64 this month. In 2017, Mozilla, Google and other major browser makers had agreed on a formal plan to remove trust for all Symantec certificates, including its GeoTrust, RapidSSL and Thawte brands.
The move came after Google engineers documented a “series of failures” within Symantec’s public key infrastructure (PKI), including certificate misissuance, failures to remediate issues raised in audits and other bad habits that violated the Certificate Authority/Browser Forum’s Baseline Requirements.
Symantec agreed to the browser makers’ staged proposal to remove trust from its certificates by October of this year. Soon after the agreement was made, Symantec sold its PKI business to rival certificate authority DigiCert. While DigiCert has made progress moving customers off the old Symantec certificates and onto new certificates issued through DigiCert’s own PKI, Mozilla felt too many websites were still using certificates that were about to be distrusted. Google adhered to the original October deadline, but Mozilla gave DigiCert additional time to update customers’ certificates.
Nevertheless, Dan Callahan, engineer with Mozilla Developer Relations, and Chris Mills, senior tech writer at Mozilla, had harsh words for the troubled Symantec PKI in the Firefox 64 release post.
“Due to a history of malpractice, Firefox 64 will not trust TLS certificates issued by Symantec (including under their GeoTrust, RapidSSL, and Thawte brands),” they wrote in the announcement. “Microsoft, Google, and Apple are implementing similar measures for their respective browsers.”
It’s unclear how many websites are still using distrusted Symantec certificates. Mozilla previously said “well over 1% of the top 1 million websites,” according to Cisco Umbrella, were still using Symantec certificates as of October.
In addition to removing trust for Symantec certificates, Firefox 64 includes new features for enhanced tab management; a Task Manager page that shows how much energy each open tab is using; and Contextual Feature Recommender, which proactively recommends add-ons, extensions and features based on individual users’ web activity.
In other news:
- Motherboard manufacturer Supermicro announced this week that it completed an investigation into allegations that a secret microchip had been implanted into its products during the manufacturing process, and it “found absolutely no evidence of malicious hardware on our motherboards.” The investigation was triggered by a Bloomberg Businessweek story in October that claimed Chinese spies had infiltrated the servers of many large U.S. companies, including Apple and Amazon Web Services, by secretly installing tiny chips in the Supermicro motherboards. The Bloomberg Businessweek report was met with skepticism and criticism from many experts in the infosec community and technology industry. While no corroborating reports have been published from other news outlets, Bloomberg Businessweek has said it stands by its reporting.
- An investigation into the Marriott data breach has put the blame on the Chinese government, according to anonymous sources cited in a New York Times report. The sources claim the cyberattack was part of a campaign conducted by the Chinese intelligence community to collect extensive personal data on American citizens, especially those with government security clearances. The New York Times report did not say whether the investigation was conducted by government law enforcement and intelligence agencies, private third-party companies or both. But the article cited additional anonymous government officials who said the Trump administration is planning aggressive actions to curb China’s hacking efforts, which will include indictments of suspected state-sponsored hackers.
- An email extortion campaign hit several U.S. companies this week with bomb threats. According to a report from infosec journalist Brian Krebs, the email messages inform recipients that a “mercenary” has planted a small bomb inside their building, and unless they pay the threat actors $20,000 in bitcoin, the bomb will detonate. The email extortion threats have hit several financial services companies, Krebs reported. But, so far, authorities in various localities have said no evidence of explosive materials has been found in those buildings and that the bomb threats aren’t credible.