Amazon Adsystem SSL certificate will be distrusted in Chrome M70

By: (plus.google.com) +David Herron; Date: December 28, 2017

Tags: HTTP Security

Google is pushing the Web towards using HTTPS Everywhere. The browser makers are collectively preparing to DISTRUST PKI certificates issued by Symantec Corporation’s PKI prior to June 1, 2016. It's been determined those certificates had some kind of badness to them, and that Symantec had allowed untrustworthy partners to distribute SSL certificates. To remedy the situation browser makers will shortly begin phasing in a repudiation of these SSL certificates. The plan is resulting in ominous warning messages in browser JavaScript console saying that Chrome M70 will refuse to load affected resources. In this case it will impact advertising assets loaded from Amazon's infrastructure ... eep

The issue is not solely affecting (amazon-adsystem.com) amazon-adsystem.com SSL certificates. It is affecting every service that's using Symantec-issued SSL certificates. In my case I see two affected sites, the aforementioned Amazon Advertising system, and the Adthis service.

The SSL certificate used to load resources from https://s7.addthis.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The SSL certificate used to load resources from https://images-na.ssl-images-amazon.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The SSL certificate used to load resources from https://aax-us-east.amazon-adsystem.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

The issue here is a form of the "mixed content warning". That is, when implementing HTTPS support for a website you must ensure that all content loads via HTTPS. This applies to all the asset files, CSS, JavaScript, images, smellovision, and anything else beyond the HTML page. A failure to ensure all content loads via HTTPS results in the mixed content warning. Supposedly stuff loaded via HTTP can be subverted using a man-in-the-middle attack, which could be bad.

In this case, the content is being loaded via HTTPS, but the browser makers have decided to repudiate the particular certificate provider. (Symantec) Webmasters are being given a year or so to fix up their act, and to switch away from the affected Symantec-issued SSL certificates.

We can do that fairly easily for assets loaded from our own server(s). But in this case the assets are loaded from 3rd party services, and we cannot control what those services do.

Do we own Amazon's service? Nope. Nor do we own the Adthis service. We may be using Amazon advertising on our website, and the JavaScript code used by Amazon advertising in turn causes things to be loaded from an Amazon server. As you can see in the messages above, it's an HTTPS URL but the SSL certificate was issued by Symantec.

The messages include a Short URL, which redirects to: (security.googleblog.com) https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

That page gives a full explanation of what's going on and why the action is being taken.

What's more important is the timeline of actions:

  • October 24, 2017, Chrome began printing the above warnings in the developers console.
  • December 1, 2017, Symantec was supposed to do something useful
  • March 15, 2018 - Chrome 66 goes to Beta, which will remove trust in Symantec-issued certificates with a not-before date prior to June 1, 2016.
  • April 17, 2018 - Chrome 66 goes to Stable
  • September 13, 2018 - Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted Infrastructure.
  • October 23, 2018 - Chrome 70 goes to Stable

In other words - in April 2018, Chrome will start displaying security warnings based on these repudiated Symantec-issued certificates. Then in October 2018 another step will be taken, that will prevent loading assets from affected URL's. Both of these steps can affect readers of our websites.

What can we do? We don't own these 3rd party services. One hopes that those services are being run by folks who are aware of the issues, and who will issue a fix before April 17, 2018 (the first date at which users will be affected).

If those services drop the ball it will be necessary to find alternate services. In the example above - instead of using Addthis, switch to Sharethis (or some other similar service). Or switch to Google Adsense advertising if Amazon hasn't fixed their advertising system by then.

« Smith was 13, Capaldi 14, Whittaker 15, how many regenerations does The Doctor have remaining? Reading Kindle books on Linux, supporting a switch to Linux »
2016 Election 2018 Elections Acer C720 Ad block Air Filters Air Quality Air Quality Monitoring AkashaCMS Amazon Amazon Kindle Amazon Web Services America Amiga and Jon Pertwee Android Anti-Fascism AntiVirus Software Apple Apple Hardware History Apple iPhone Apple iPhone Hardware April 1st Arduino ARM Compilation Artificial Intelligence Astronomy Astrophotography Asynchronous Programming Authoritarianism Automated Social Posting AWS DynamoDB AWS Lambda Ayo.JS Bells Law Big Brother Big Data Big Finish Big Science Bitcoin Mining Black Holes Blade Runner Blockchain Blogger Blogging Books Botnets Cassette Tapes Cellphones China China Manufacturing Christopher Eccleston Chrome Chrome Apps Chromebook Chromebox ChromeOS CIA CitiCards Citizen Journalism Civil Liberties Climate Change Clinton Cluster Computing Command Line Tools Comment Systems Computer Accessories Computer Hardware Computer Repair Computers Conservatives Cross Compilation Crouton Cryptocurrency Curiosity Rover Currencies Cyber Security Cybermen Cybersecurity Daleks Darth Vader Data backup Data Formats Data Storage Database Database Backup Databases David Tenant DDoS Botnet Department of Defense Department of Justice Detect Adblocker Developers Editors Digital Nomad Digital Photography Diskless Booting Disqus DIY DIY Repair DNP3 Do it yourself Docker Docker MAMP Docker Swarm Doctor Who Doctor Who Paradox Doctor Who Review Drobo Drupal Drupal Themes DVD E-Books E-Readers Early Computers eGPU Election Hacks Electric Bicycles Electric Vehicles Electron Eliminating Jobs for Human Emdebian Encabulators Energy Efficiency Enterprise Node EPUB ESP8266 Ethical Curation Eurovision Event Driven Asynchronous Express Face Recognition Facebook Fake News Fedora VirtualBox Fifth Doctor File transfer without iTunes FireFly Flash Flickr Fraud Freedom of Speech Front-end Development G Suite Gallifrey git Github GitKraken Gitlab GMAIL Google Google Chrome Google Gnome Google+ Government Spying Great Britain Green Transportation Hate Speech Heat Loss Hibernate High Technology Hoax Science Home Automation HTTP Security HTTPS Human ID I2C Protocol Image Analysis Image Conversion Image Processing ImageMagick In-memory Computing InfluxDB Infrared Thermometers Insulation Internet Internet Advertising Internet Law Internet of Things Internet Policy Internet Privacy iOS Devices iPad iPhone iPhone hacking Iron Man iShowU Audio Capture iTunes Janet Fielding Java JavaFX JavaScript JavaScript Injection JDBC John Simms Journalism Joyent Kaspersky Labs Kext Kindle Kindle Marketplace Large Hadron Collider Lets Encrypt LibreOffice Linux Linux Hints Linux Single Board Computers Logging Mac Mini Mac OS Mac OS X Machine Learning Machine Readable ID Macintosh macOS macOS High Sierra macOS Kext MacOS X setup Make Money Online March For Our Lives MariaDB Mars Mass Violence Matt Lucas MEADS Anti-Missile Mercurial MERN Stack Michele Gomez Micro Apartments Microsoft Military AI Military Hardware Minification Minimized CSS Minimized HTML Minimized JavaScript Missy Mobile Applications Mobile Computers MODBUS Mondas Monetary System MongoDB Mongoose Monty Python MQTT Music Player Music Streaming MySQL NanoPi Nardole NASA Net Neutrality Network Attached Storage Node Web Development Node.js Node.js Database Node.js Performance Node.js Testing Node.JS Web Development Node.x North Korea npm NVIDIA NY Times Online advertising Online Community Online Fraud Online Journalism Online Photography Online Video Open Media Vault Open Source Open Source and Patents Open Source Governance Open Source Licenses Open Source Software OpenAPI OpenJDK OpenVPN Palmtop PDA Patrick Troughton PayPal Paywalls Personal Flight Peter Capaldi Peter Davison Phishing Photography PHP Plex Plex Media Server Political Protest Politics Postal Service Power Control President Trump Privacy Production use Public Violence Raspberry Pi Raspberry Pi 3 Raspberry Pi Zero ReactJS Recaptcha Recycling Refurbished Computers Remote Desktop Removable Storage Republicans Retro Computing Retro-Technology Reviews RFID Rich Internet Applications Right to Repair River Song Robotics Robots Rocket Ships RSS News Readers rsync Russia Russia Troll Factory Russian Hacking Rust SCADA Scheme Science Fiction SD Cards Search Engine Ranking Season 1 Season 10 Season 11 Security Security Cameras Server-side JavaScript Serverless Framework Servers Shell Scripts Silence Simsimi Skype SmugMug Social Media Social Media Networks Social Media Warfare Social Network Management Social Networks Software Development Software Patents Space Flight Space Ship Reuse Space Ships SpaceX Spear Phishing Spring Spring Boot Spy Satellites SQLite3 SSD Drives SSD upgrade SSH SSH Key SSL Stand For Truth Strange Parts Swagger Synchronizing Files Tegan Jovanka Telescopes Terrorism The Cybermen The Daleks The Master Time-Series Database Tom Baker Torchwood Total Information Awareness Trump Trump Administration Trump Campaign Twitter Ubuntu Udemy UDOO US Department of Defense Virtual Private Networks VirtualBox VLC VNC VOIP Vue.js Walmart Weapons Systems Web Applications Web Developer Resources Web Development Web Development Tools Web Marketing Webpack Website Advertising Weeping Angels WhatsApp William Hartnell Window Insulation Windows Windows Alternatives Wordpress World Wide Web Yahoo YouTube YouTube Monetization