NinerNet Communications™ Corporate Blog

A cursory and superficial analysis of the Google/Symantec “knife fight”

20 November 2016 07:32:16 +0000

There is an African proverb: “When elephants fight the grass suffers.” I think this fairly describes the “knife fight” — a popular term in some recent media coverage of the American presidential transition — between Google and Symantec recently.

As described on our status blog, a bug (Google, Symantec) in the Google Chromium web browser caused Chromium users to see certificate errors when trying to access websites secured with valid certificates issued by Symantec and its subsidiaries — e.g., GeoTrust, RapidSSL, Thawte and possibly others too. This included large websites such as Amazon, Flickr and Yahoo.

The knife fight first came to our attention probably a year or so ago, likely in an email from the certificate authority (CA) that we use for most of the SSL certificates we sell to clients and use ourselves. That CA is RapidSSL, a subsidiary of Symantec.

Now, it seems that Symantec did something bad in 2015: they created some certificates for domains that had neither requested nor authorised them. This was likely for testing purposes, although you do have to wonder about the IQ of the person at Symantec who authorised this. Google was particularly annoyed, because two of those certificates were for google.com and www.google.com.

What followed was some serious holier-than-thou public finger wagging at Symantec by Google, pontification worthy of a schoolmarm armed with a wooden ruler rapping the knuckles of the Symantec child. Bad, bad Symantec, now we’re going to shame you and be nasty to you in public, and tell you how you should be running your business. Which is all well and good, because Symantec did something stupid and should suffer the consequences.

One of those consequences was Google using the power it wields by virtue of the fact that it creates the most popular web browser on the planet — power that Microsoft used to wield, and also abused — to single out Symantec certificates for special treatment. (Why Google Chrome [and its progenitor Chromium] are so popular is beyond me. I’ve used Chromium and Chrome as secondary browsers on Linux and Windows machines, but my personal experience is that it’s slower and less configurable than Firefox.) Starting in June 2016 Google required Symantec to jump through hoops it doesn’t require of other CAs. Is that abuse of power? Some say no, and it’s difficult to disagree with them. However, Google then also did something bad and stupid themselves, by creating a situation that led to what they’ve called a “time bomb”, meaning that most (if not all) Symantec certificates stopped being trusted by Google Chromium in early to mid-November.

The upshot of this is that it was innocent third parties — the proverbial grass, the customers of Symantec that bought their certificates, and some users of Chromium — that were hurt by this knife fight. I’d love to know how much business Amazon lost as a result, and if we can expect a lawsuit and a payout from Google.

Entrusting your privacy to “the Cloud”

29 February 2012 23:59:52 +0000

As a company NinerNet is — and I personally am — a bucker of trends, a refuser of “the easy way”, an anti-“fashionista”, and an advocate of low-level simplicity. This can, at times, make us look like Luddites, but we’re not quite that bad. For example, we’ve joined the trend over the last few years of using the new electric light rather than burning torches to light the office.

The trend we haven’t joined is that of entrusting every scrap of data to “the Cloud”. And this is where what I call “low-level simplicity” comes in. Sure, it might be “easy” to set up a Gmail account, or to use Google Apps to host email on your company domain, or to use Blogger (also owned by Google) or WordPress.com to host your blog. It may even eventually be true, as one client told me recently, that websites are passé and have been replaced by Facebook! (Heaven help us if that prediction ever comes true!) But is it really easier?

In evaluating any course of action, one has to conduct a cost-benefit analysis. Even getting out of bed in the morning involves a cost-benefit analysis, so choosing where to store your private email and sensitive company documents certainly does too. But the costs and the benefits are not confined to the beginning of the endeavour; the costs and the benefits run the entire life of the course of action, from set-up to tear-down — whether or not that tear-down is voluntary and planned.

So if you want to entrust all of your data to the Cloud, please be my guest. Just remember to consider what might happen to that data once it’s beyond your control, how you might deal with the situation if the company you’ve entrusted it to loses it or disappears, what your losses will be if the company decides to give access to your data to someone (e.g., a government or someone undesirable who gains access to the data illegally or through a company takeover), and how you’re going to deal with the situation (and how much it’s going to cost) when you decide to switch systems. So it was free and easy to set up, but will it be free and easy to take down?

The paradigm shift, in my opinion, seems to have been the move from keeping all of your data locally and backing it up remotely (even if it involved driving back-up tapes to a warehouse across town), to keeping all of your data remotely and backing it up … where? Locally, or on another remote system, probably owned by the same company where your data is primarily stored? Good questions. Many of these systems (Cloud and otherwise) that are supposed to “help” you and make your life “easier” with respect to technology really just add a higher-level layer of complexity on top of lower-level simple protocols that have been running the Internet (just fine, thank you very much) for decades.

Anyway, this is a long-winded introduction to Two honest Google employees: our products don’t protect your privacy. In that article security and privacy researcher Christopher Soghoian explodes the myth — if, in fact, the myth existed in the first place among people who actually think about this stuff — that Cloud companies like Google care one jot about the privacy of your data. In fact, Google’s business model — those ubiquitous adverts next to everything you see on the Web these days — relies on your data being open and easily read. Reading a steamy email from your husband about last weekend’s getaway? Yeah, the ads off to the side might also be NSFW.

Here’s a preview:

Google’s products do not meet the privacy needs of journalists, bloggers, small businesses (or anyone else concerned about government surveillance).

… if the files that I store in Google docs are encrypted or if the files I store on Amazon’s drives are encrypted then they are not able to monetize it …. And unfortunately, these companies are putting their desire to monetize your data over their desire to protect your communications. … their business model is in conflict with your privacy.

Read the comments too. Unlike on some blogs, these comments are intelligent and worth reading … with one exception. Oh, and Soghoian’s The New York Times article (When Secrets Aren’t Safe With Journalists), to which he refers, is worth reading too.

Don’t fool yourself. As with anything, use the right tool for the job, and be aware of the strengths, weaknesses, limitations, costs and overall suitability of the tool you choose.

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.