TechCrunch: These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown

TechCrunch: These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown . “During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with ‘HTTPS’ or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown, there isn’t any. Depending on the security level, most websites will kick back browser errors. Some won’t let you in at all until the expired certificate is renewed.”

CBR: US TLS Certificates Left to Die As 20th Day of Shutdown Passes

CBR: US TLS Certificates Left to Die As 20th Day of Shutdown Passes. “As 400,000 federal staff are furloughed and many received a pay check this week that had zero dollars in it, government employees are remaining at home, while essential staff are calling in sick in protest. This is causing the day-to-day maintenance and upkeep of department websites to lag into dangerous territory. It is estimated that over 80 websites with the .gov domain now have expired TLS certificates as no IT staff are currently being paid to maintain the .gov websites.”

Ars Technica: Let’s Encrypt takes free “wildcard” certificates live

Ars Technica: Let’s Encrypt takes free “wildcard” certificates live. “In July of 2017, the nonprofit certificate authority Let’s Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free “wildcard” certificates to enable secure HTTP connections for entire domains. Today, Let’s Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.”

The Register: Google to kill Symantec certs in Chrome 66, due in early 2018

The Register: Google to kill Symantec certs in Chrome 66, due in early 2018 . “Google has detailed its plan to deprecate Symantec-issued certificates in Chrome. The decision to end-of-life its trust for Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for example.com and various permutations of test.com escaped into the wild.”

Encrypt all the webpages: Let’s Encrypt to offer wildcard certificates for free (Ars Technica)

Ars Technica: Encrypt all the webpages: Let’s Encrypt to offer wildcard certificates for free. “Let’s Encrypt, the free and open certificate authority (CA) launched as a public service by the Internet Security Research Group (ISRG), says it will begin providing free “wildcard” certificates for Internet domains in January 2018. Wildcard certificates allow anyone operating a domain to link a single certificate to multiple subdomains and host names within a domain.”

CBR: Symantec dealt major blow as Google loses trust in security certificates

CBR: Symantec dealt major blow as Google loses trust in security certificates. “Google are aiming to boost the confidence of Chrome users with engineers announcing plans to reduce trust in Symantec certificates. This gradual shift is set to reach a point in early 2018 when Chrome 64 will only trust certificates that are issued from Symantec for 279 days or less. The scale of the misissuance by Symantec has exploded from an initial 127 certificates under scrutiny, to a figure noted as at least 30,000.”

Google Starts New Log For Untrusted Certificate Authorities (CAs)

Google has started a new log for untrusted Certificate Authorities (CAs). “The log, dubbed Submariner, is designed to act as a public record of root certificates issued by certificate authorities (CAs) that were once trusted but now withdrawn from root programs. It also includes roots issued by CA’s that are not yet trusted by browsers, Martin Smith, software engineer with Certificate Transparency, wrote in a blog post this week. A CA is a trusted entity that issues digital certificates to verify or authenticate identity on the Internet.”

Google to Symantec Root Certificates: Step Off

Google is formally banning/distrusting Symantec root certificates. “Over the course of the coming weeks, Google will be moving to distrust the ‘Class 3 Public Primary CA’ root certificate operated by Symantec Corporation, across Chrome, Android, and Google products. We are taking this action in response to a notification by Symantec Corporation that, as of December 1, 2015, Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements. As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products.”