• TheCPUWizard (unregistered)

    Willing to bet the version they were using was past EOL.

  • Virtual (unregistered)

    TRWTF is they were not staying on top of Java updates. At least use a current release of 7, damnit...

  • RLB (unregistered)

    Decent (if not unexpected... @#&^#& Google) WTF, but... lay off the Said Bookisms, Jane.

  • Angus (unregistered)

    Filed under "what happens when you don't keep up with the current patch versions."

  • AbaddonsJanitor (unregistered)

    Most days, an alpaca farm upstate sounds like the better option.

  • Qazwsx (unregistered)

    Google unilaterally pushing updates without any regard for how it would break any existing processes older than five minutes? Say it ain't so!

  • King Koala (unregistered)

    Wait, so let me get this straight. Someone deploys software that relies on checking certs (and cert chains back to trusted roots). They then never update said trusted root certs in their shipped software. Then blame someone else (Google) for returning a cert that's chain signed back to a newer known trusted root that is unknown according to their software (because it has assumed a fixed, unalterable, carved in stone set of root CA's). That's the real WTF.

  • Chronomium (unregistered)

    Opinion: This article would have been better if it were written in the narrative "as it happened" style of most other feature articles, instead of as a conversation between two people after the fact. It reads as clunky, detached, and second-hand.

  • Koro (unregistered)

    TRWTF is that Java doesn't use the system certificate store.

  • RichP (unregistered)

    "it's almost enough to make a girl quit and start an alpaca farm upstate."

    Or quit and start writing urban fantasy novels (whatever those are)?

  • I'm too dumb (unregistered)

    What's the WTF here? Is it ... clients running slightly outdated software? Or Google not making a big enough fuss when the cert changes? Sure, I guess that's slightly inconvenient, but it's hardly a WTF. I sometimes run into bigger problems just integrating a new version of an existing library. Or is it something else?

  • Fernando (unregistered) in reply to Chronomium

    Completely disagree. It flows beautifully, and is the most interesting article in days.

  • P. Wolff (nodebb) in reply to Qazwsx

    "it ain't so!"

    Do you feel better now?

    Even if you have more cash at your disposal than two dozen UN members, you can't do anything you like. Sometimes it would be quite convenient if 2+2 were 5 ...

  • t0pC0der (unregistered)

    The real WTF is thinking one of these poorly written articles from this author would actually be decent. The next good one will be the first.

  • ZB (unregistered)

    You know what would be awesome? A story that actually explains WTF the WTF is for people who don't work with this sort of thing.

  • Ah (unregistered)

    I've been super disappointed in most of these "WTFs" lately. Most of them are just "I don't know what I'm doing so I'm going to blame someone else."

    I think the time has come to remove TDWTF from my RSS feeds...

  • Friedrice the Great (unregistered) in reply to RichP

    Is "urban fantasy" a synonym for "software documentation"?

  • Norman Rasmussen (google)

    https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html

    “It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.’” Douglas Adams, The Hitchhiker's Guide to the Galaxy (Hitchhiker's Guide to the Galaxy, #1)

  • MiserableOldGit (unregistered) in reply to Friedrice the Great

    "Is "urban fantasy" a synonym for "software documentation"?"

    If it's written in this style I really, really hope not.

  • JustPassingBy (unregistered)

    Three excellent WTFs, sadly none of which was the point of this article:
    1/ Java incorporated a root created in 2006 only ten years later, in 2016
    2/ customers do not update their software (hardly a surprise, this one)
    3/ customers do not read important security announcements that warned about that change almost a year in advance
    plus meta-WTF 4/ the so-called admin is blaming a third party for the three above

  • Bulb (nodebb)

    I'd say the WTF is actually the lack of provision for key updating in the X.509 framework. If there were something where updated root certificates could be downloaded, signed by the previous ones and perhaps cross-signed for an added layer of security, deployed systems could simply fetch them and everything would have them in a timely fashion. But no, the way it is, every vendor must take care of distributing them themselves.
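    An added example (mine, not code from the article or any commenter), in Go because its crypto/x509 verifier runs offline where a Java trust store would not: it builds a throwaway hierarchy and shows the failure King Koala describes (a client with a fixed, stale root set rejects a chain that ends at a root it has never seen) next to the cross-signing bridge Bulb proposes (the new root's name and key re-signed by the old root, shipped as an intermediate). All CA names, hostnames and keys are constructed test material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func key() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// issue signs a cert for cn with signer's key; parent == nil makes a self-signed root.
func issue(cn string, isCA bool, pub any, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{cn},
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// chainOK plays the TLS client: leaf plus what the server sent, checked against the client's own store.
func chainOK(leaf *x509.Certificate, sent, trusted []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters})
	return err == nil
}

// Build (constructed test keys, not any real CA's): the server chains to newRoot; cross is newRoot's
// name and key re-signed by oldRoot, the bridge for clients whose trust store predates newRoot.
func Build() (oldRoot, newRoot, cross, inter, leaf *x509.Certificate) {
	ok, nk, ik, lk := key(), key(), key(), key()
	oldRoot = issue("old-root", true, ok.Public(), nil, ok)
	newRoot = issue("new-root", true, nk.Public(), nil, nk)
	inter = issue("new-root-ca1", true, ik.Public(), newRoot, nk)
	leaf = issue("www.example.test", false, lk.Public(), inter, ik)
	cross = issue("new-root", true, nk.Public(), oldRoot, ok)
	return
}
```

    A client that only trusts old-root rejects leaf → new-root-ca1 → new-root, accepts it once new-root is in its store, and also accepts it unchanged when the server adds the cross-signed new-root to what it sends.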

  • Wyrd (unregistered) in reply to RichP

    Urban fantasy based around a girl and her alpaca farm in upstate NY.

    I'd read it.

    Furry cows moo and decompress.

  • Dan (unregistered) in reply to Bulb

    Such a provision would perpetuate a compromised root key.

    1. Break, steal, or otherwise compromise target root certificate
    2. Issue a certificate update using your forged certificate.
    3. ????
    4. Profit!

  • Rob J (unregistered) in reply to P. Wolff

    2+2 is 5 for large values of 2.

  • david (unregistered) in reply to Norman Rasmussen

    Everyone knows that “It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.’” comes from the Hitch-Hiker's Guide to the Galaxy; you don't need to reference the source.

Leave a comment on “Thanks, Google”
