Amazon Adsystem SSL certificate will be distrusted in Chrome M70

By: David Herron; Date: December 28, 2017

Tags: HTTP Security

Google is pushing the Web towards HTTPS Everywhere. The browser makers are collectively preparing to DISTRUST PKI certificates issued by Symantec Corporation's PKI prior to June 1, 2016. It has been determined that those certificates cannot be trusted, and that Symantec had allowed untrustworthy partners to issue SSL certificates. To remedy the situation browser makers will shortly begin phasing in a repudiation of these SSL certificates. The plan is already producing ominous warning messages in the browser JavaScript console saying that Chrome M70 will refuse to load affected resources. In this case it impacts advertising assets loaded from Amazon's infrastructure ... eep

The issue is not solely affecting amazon-adsystem.com SSL certificates. It affects every service that uses Symantec-issued SSL certificates. In my case I see two affected sites, the aforementioned Amazon Advertising system, and the AddThis service.

The SSL certificate used to load resources from https://s7.addthis.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The SSL certificate used to load resources from https://images-na.ssl-images-amazon.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The SSL certificate used to load resources from https://aax-us-east.amazon-adsystem.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

The issue here is a form of the "mixed content warning". That is, when implementing HTTPS support for a website you must ensure that all content loads via HTTPS. This applies to all the asset files, CSS, JavaScript, images, smellovision, and anything else beyond the HTML page. A failure to ensure all content loads via HTTPS results in the mixed content warning. Anything loaded via plain HTTP can be read or modified by a man-in-the-middle attacker, which undermines the security of the HTTPS page that included it.

In this case, the content is being loaded via HTTPS, but the browser makers have decided to repudiate the particular certificate provider (Symantec). Webmasters are being given a year or so to fix up their act, and to switch away from the affected Symantec-issued SSL certificates.

We can do that fairly easily for assets loaded from our own server(s). But in this case the assets are loaded from 3rd party services, and we cannot control what those services do.

Do we own Amazon's service? Nope. Nor do we own the AddThis service. We may be using Amazon advertising on our website, and the JavaScript code used by Amazon advertising in turn causes things to be loaded from an Amazon server. As you can see in the messages above, it's an HTTPS URL but the SSL certificate was issued by Symantec.

The messages include a Short URL, which redirects to: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

That page gives a full explanation of what's going on and why the action is being taken.

What's more important is the timeline of actions:

  • October 24, 2017 - Chrome began printing the above warnings in the developer console.
  • December 1, 2017 - Symantec was supposed to do something useful.
  • March 15, 2018 - Chrome 66 goes to Beta, which will remove trust in Symantec-issued certificates with a not-before date prior to June 1, 2016.
  • April 17, 2018 - Chrome 66 goes to Stable.
  • September 13, 2018 - Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted infrastructure.
  • October 23, 2018 - Chrome 70 goes to Stable.

In other words, in April 2018 Chrome will start displaying security warnings for these repudiated Symantec-issued certificates. Then in October 2018 another step will be taken, preventing assets from being loaded from affected URLs at all. Both of these steps can affect readers of our websites.
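To find out whether a third-party host still serves a certificate from the legacy Symantec PKI, and which of the two Chrome releases above will stop trusting it, a check like the following can be run against each host a page loads assets from. This is an added example, not code from the original post: `check_host`, `classify` and the sample certificate dicts are constructed here, and the classification assumes that the issuer's organizationName is enough to identify the legacy Symantec PKI.

```python
"""Classify a TLS leaf certificate against Chrome's Symantec distrust timeline."""
import socket
import ssl
from datetime import datetime, timezone

# Cut-off stated on the page: not-before prior to this date -> distrusted in
# Chrome 66 (stable April 17, 2018); any other legacy-Symantec certificate ->
# distrusted in Chrome 70 (stable October 23, 2018).
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Return 'ok', 'distrust-m66' or 'distrust-m70' for one leaf certificate.

    Assumption: a leaf whose issuer organizationName names Symantec chains to
    the legacy Symantec PKI; only the brand the page mentions is checked.
    """
    if "symantec" not in issuer_org(cert).lower():
        return "ok"
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])  # 'Mar  9 00:00:00 2016 GMT'
    not_before = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return "distrust-m66" if not_before < CUTOFF else "distrust-m70"


def check_host(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate a host actually serves and classify it (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return classify(tls.getpeercert())


# Constructed sample dicts in getpeercert() shape; these are not real certificates.
SAMPLE_OLD = {"issuer": ((("organizationName", "Symantec Corporation"),),
                         (("commonName", "Constructed Symantec Intermediate CA"),)),
              "notBefore": "Mar  9 00:00:00 2016 GMT"}
SAMPLE_NEW = dict(SAMPLE_OLD, notBefore="Feb  1 00:00:00 2017 GMT")
SAMPLE_OTHER = {"issuer": ((("organizationName", "Example CA (constructed)"),),),
                "notBefore": "Nov 20 00:00:00 2017 GMT"}

if __name__ == "__main__":
    for name, cert in [("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)]:
        print(name, classify(cert))
```

Running `check_host("s7.addthis.com")` at the time of the post would have reported which release's cut-off the served certificate fell under; once a service has re-issued from a non-Symantec CA the result becomes `ok`.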

What can we do? We don't own these 3rd party services. One hopes that those services are being run by folks who are aware of the issues, and who will issue a fix before April 17, 2018 (the first date at which users will be affected).

If those services drop the ball it will be necessary to find alternate services. In the example above, instead of using AddThis, switch to ShareThis (or some other similar service). Or switch to Google AdSense advertising if Amazon hasn't fixed their advertising system by then.
