Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates

On March 24, Ryan Sleevi of the Google Chrome team published a forum post proposing a gradual distrust of existing Symantec-issued certificates (Symantec's CA business includes the former VeriSign roots) and the removal of EV recognition for Symantec certificates.

Chrome to downgrade Symantec EV SSL certificates

Below is the statement from the Google Chrome team:

Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years. To restore confidence and security of our users, we propose the following steps:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.

  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.

  • Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

Motivation

As captured in Chrome’s Root Certificate Policy, root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, auditing logs frequently for evidence of unauthorized issuance, and protecting their infrastructure in order to minimize the ability for the issuance of fraudulent certs.

On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.

These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.

The full disclosure of these issues has taken more than a month. Symantec has failed to provide timely updates to the community regarding these issues. Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned. The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.

In January 2015, Symantec-issued certificates represented more than 30% of the valid certificates by volume. While changes in the CA ecosystem have seen that share decrease over the past two years, there is still a significant compatibility risk for an immediate and complete distrust. Further, due to overall TLS ecosystem concerns, we understand that it may take non-trivial effort for some site operators to find suitable solutions, as the need to support older devices may necessitate the use of particular CAs, meaning that distrust of new certificates also has significant compatibility risk.

To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. This will be accomplished by gradually decreasing the ‘maximum age’ of Symantec-issued certificates over a series of releases, distrusting certificates whose validity period (the difference of notBefore to notAfter) exceeds the specified maximum.

The proposed schedule is as follows:

  • Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
  • Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
  • Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
  • Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
  • Chrome 63 (Dev, Beta): 9 months validity (279 days)
  • Chrome 63 (Stable): 15 months validity (465 days)
  • Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)
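The schedule above can be checked mechanically against a certificate's own dates. The following is an added example, not code from the Google post or from Chrome: it reads notBefore/notAfter in the format printed by `openssl x509 -noout -dates -in cert.pem`, measures the validity period the way the proposal describes (notAfter minus notBefore), and reports the first Chrome release on a given channel whose cap the certificate exceeds. The sample dates are constructed for illustration.

```python
"""Check a certificate's validity period against the proposed Chrome
distrust schedule for Symantec-issued certificates (stdlib only).
Added example; the schedule is the one quoted in the Chrome post."""
from datetime import datetime

# (Chrome version, channels, maximum accepted validity in days), in release
# order. Order matters: the first release whose cap is exceeded is reported.
SCHEDULE = [
    (59, ("dev", "beta", "stable"), 1023),
    (60, ("dev", "beta", "stable"), 837),
    (61, ("dev", "beta", "stable"), 651),
    (62, ("dev", "beta", "stable"), 465),
    (63, ("dev", "beta"), 279),
    (63, ("stable",), 465),
    (64, ("dev", "beta", "stable"), 279),
]

# Date format printed by `openssl x509 -noout -dates`,
# e.g. "notBefore=Mar 24 00:00:00 2017 GMT".
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines printed by `openssl x509 -noout -dates`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = datetime.strptime(value.strip(), OPENSSL_DATE)
    return fields["notBefore"], fields["notAfter"]


def validity_days(not_before, not_after):
    """Validity period as the proposal measures it: notAfter minus notBefore, in days."""
    return (not_after - not_before).days


def max_validity(version, channel):
    """Maximum validity (days) a Symantec-issued cert may have in a given release."""
    for v, channels, cap in SCHEDULE:
        if v == version and channel in channels:
            return cap
    raise ValueError(f"no schedule entry for Chrome {version} {channel}")


def first_distrusting_release(not_before, not_after, channel="stable"):
    """First Chrome version on `channel` that distrusts the certificate, or None
    if its validity period fits under every cap in the schedule."""
    days = validity_days(not_before, not_after)
    for version, channels, cap in SCHEDULE:
        if channel in channels and days > cap:
            return version
    return None


if __name__ == "__main__":
    # Constructed sample values; replace with the output of `openssl x509 -noout -dates`.
    sample = "notBefore=Mar 24 00:00:00 2017 GMT\nnotAfter=Mar 24 00:00:00 2020 GMT"
    nb, na = parse_openssl_dates(sample)
    print(f"validity: {validity_days(nb, na)} days")
    for channel in ("stable", "dev"):
        print(f"{channel}: first distrusting release = Chrome "
              f"{first_distrusting_release(nb, na, channel)}")
```

Note the channel split in Chrome 63: a one-year certificate (365 days) is already distrusted by Chrome 63 Dev and Beta, whose cap is 279 days, but survives in Chrome 63 Stable and is only distrusted in Chrome 64 Stable. The check is purely on the validity period, so a certificate that is still far from expiry is affected just the same.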


5.8″ iPhone 8 Expected to Have Flat Display

Apple is widely expected to launch a 5.8-inch iPhone 8 with an edge-to-edge OLED display later this year, made possible by slimmer bezels and no Home button. And while some reports have claimed the screen will be curved, a growing number of sources expect the device to stick with a flat display.

“We anticipate Apple will adopt a flat implementation of OLED design on their special iPhone 8 model, which is analogous to the current 2.5D glass design,” IHS Markit analyst Wayne Lam, who researches and analyzes the supply chain of smartphone makers such as Apple, told MacRumors today.

iPhone 8 Concept

“Much like the recently announced LG G6, we anticipate a touchscreen with a new longer aspect ratio design to take advantage of higher coverage area of the iPhone in its entirety. This new design language is expected to become the trend for 2017, as we all anticipate Samsung’s reveal later this month,” he added.

Lam is referring to the LG G6’s 5.7-inch LCD display with a 2:1 aspect ratio, meaning the screen’s length is double its width. iPhones have a 16:9 aspect ratio. Likewise, leaked pictures of Samsung’s Galaxy S8 reveal a similarly longer display with slim bezels and no physical home button.

Last month, he explained how the LG G6 achieves a large screen while remaining holdable and pocketable:

LG’s G6 is a study in creating large immersive screen designs that do not break the ergonomic requirements of the average human hand. By addressing dueling consumer demands for larger screens yet a more pocketable device, LG took on the challenge of re-imagining what a modern smartphone should look like and how it should function ergonomically.

KGI Securities analyst Ming-Chi Kuo and Chinese research firm TrendForce have also recently said they expect Apple’s next flagship iPhone 8 to have 2.5D cover glass, which refers to the slightly curved edges that the front of iPhones have had since the iPhone 6 and iPhone 6 Plus in 2014.

The Wall Street Journal recently said Apple’s next high-end iPhone will have a curved screen, but the report did not divulge any specific details. The Korea Herald also said the device will have a curved OLED display based on a flexible plastic substrate, rather than glass, which is typically used for flat displays.

Kuo and IHS Markit analyst Kevin Wang previously expected the 5.8-inch iPhone 8 to have a curved screen, possibly with dual curved edges like the Galaxy S7 edge, but each source has since reversed course, which is understandable given Apple has reportedly tested at least ten different iPhone prototypes this year.

Japanese website Nikkei Asian Review and Barclays analyst Blayne Curtis have also outlined expectations for an iPhone with a curved display in the past, so there is clearly a divide between the rumors that might not clear up until “iPhone 8” part leaks likely begin to surface over the coming weeks and months.

One possibility is that reports calling for a “curved” screen are actually referring to the 2.5D cover glass, as seen in previous iPhone rumor cycles. Also, given the flexible properties of OLED, some reports might be simply assuming the next iPhone will have a curved display, when a flat design is still an option.

IHS Markit expects Apple to use OLED on a larger number of iPhone models in the future. Lam noted the longer aspect ratio will afford Apple new uses of the display, such as Touch Bar-like functionality. He also expects the 5.8-inch iPhone to have Touch ID embedded in the display, in line with previous rumors.

Apple’s AirPods finally go on sale in Malaysia

The unusually long wait has only just begun!

Apple’s AirPods are finally available to buy online after a rare delay pushed back the release by about two months.

The pricey wireless earbuds (RM 849) were listed as available for delivery today, but the shipping time is four weeks.

AirPods 4 Weeks Shipping Time

“AirPods will be shipping in limited quantities at launch and customers are encouraged to check online for updates on availability and estimated delivery dates,” Apple said in a press release.

The earbuds will be available in Apple Stores starting next week, but availability at Malaysian resellers is still unknown.

Apple unveiled AirPods in September at its big iPhone 7 press event, saying they would be available in late October, but in October Apple delayed the launch indefinitely.


“The early response to AirPods has been incredible,” a spokeswoman for Apple said at the time. “We don’t believe in shipping a product before it’s ready, and we need a little more time before AirPods are ready for our customers.”

AirPods are incredibly light and come with a built-in microphone for phone calls and the Siri voice assistant. They also have sensors to detect when you take one of the buds out of your ear.

But many have focused on another feature (or bug) of the product: how easy it may be to lose them. For that reason, some companies have already begun selling wires for the wireless headphones.
