Askdeveloper Podcast

AskDeveloper Podcast - 50 - Content Distribution

Information:

Synopsis

- Follow-up on the Encryption episode (Google blocking Symantec certs)
  ○ Sep 2015 incident (Thawte issuing a google.com cert without authorization). Attributed to employee error and resolved by termination.
    § Oct 2015: Symantec disclosed 23 test certs issued without the owners' knowledge; more certs were uncovered by Certificate Transparency logs; Symantec extended the audit and found an additional 164 certs, and 2458 certs issued for domains never registered. https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
    § Jan 19, 2017: Mozilla reported more misuse. https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/fyJ3EK2YOP8/yvjS5leYCAAJ
    § Mar 23, 2017: Google posts a report of 30,000 bad certs from Symantec, proposing a gradual plan to distrust Symantec until actions are taken to ensure trust. https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs%5B1-25%5D
  ○ Extended validation vs. Domain validation certs (mostly technically identical -EV may use stronger enc- but diff