I am FURIOUS and some of you SHOULD BE too!

frm

Well-known member
An elderly gentleman from the area shared a story with me in a Facebook group and I encouraged him to join my forum to post it there.

However, Norton Safe Web is marking LetsEncrypt sites as "unsafe" or "untrusted", so I reassured him it's safe, but he's old and I'll give him that respect...

I'm just angry that Norton is marking these sites as unsafe when they clearly aren't. You need to go through a 2-week application process with Safe Web OR purchase a RIDICULOUSLY priced $399/yr Symantec SSL cert (I've only ever paid like $10 per year maximum for mine before I heard of LetsEncrypt) for automatic trust.

What makes me even angrier is after further research, some sites that are submitted for review have been 'in review' for THREE MONTHS before you bring it to their attention on customer forums, wherein they "forward your request" and it's ultimately marked safe.

I'd check your site here just to ensure it's "safe" cause you could be losing traffic because of it:
https://safeweb.norton.com/report/show_mobile?url=YOURDOMAIN.COM

If it's not rated, submit it and wait it out cause 1 lost customer is 1 lost customer...
https://safeweb.norton.com/help/site_owners

This is gouging at its worst. I've, we've, could've been losing people clicking the back button from search because of Norton marking our sites as untrusted; people that might not've been a 10 second bounce; people that could've viewed a couple of pages, joined, or clicked an ad or two too; you should be mad too if your site is "untrusted" (I was unaware of this for 8 months). However, some people buy computers with this "bloatware" trial software and are scared with the "your computer might be insecure browsing the web" popups on expiration, so they renew it, only to be blocked from YOUR forum.
 
It just tells me "This site has not been tested yet.". It doesn't mention anything about being unsafe. How long does it take to get tested?
 
The part I find interesting is that it says in order to have your site rated an admin must create a Symantec account and submit a request... but 2 of 3 of my active sites are showing up as rated though I've never submitted them. 🤔
 
The part I find interesting is that it says in order to have your site rated an admin must create a Symantec account and submit a request... but 2 of 3 of my active sites are showing up as rated though I've never submitted them. 🤔
It could be perhaps that you bought an SSL certificate before, whether it be the Symantec one or one of their resellers at a discounted rate. Then, it was added as safe. After which, you might've switched certificates, but it was still marked safe because it was once safe, so it's assumed safe until it's hit by malware, where it might be removed from that status and you'd have to go through the process again.
 
Or, perhaps, like XF, you might be running CloudFlare or something in between that marks all sites as trusted.

I honestly don't know how Norton Safe Web decides whether a site is trusted, untrusted, and when they crawl to test sites.

Either way, for 9 months, my site has been untested and thus all people with Safe Web have been told my site is to be untrusted because it may be unsafe.
 
It could be perhaps that you bought an SSL certificate before, whether it be the Symantec one or one of their resellers at a discounted rate. Then, it was added as safe. After which, you might've switched certificates, but it was still marked safe because it was once safe, so it's assumed safe until it's hit by malware, where it might be removed from that status and you'd have to go through the process again.
Hhhhm..... maybe certs from many (many, many!) years ago but in the last several years all of my certs have been purchased through the same provider and of the same type.

When you check your site, is it explicitly saying that it is rated as unsafe due to Let's Encrypt?
 
I'm just angry that Norton is marking these sites as unsafe when they clearly aren't. You need to go through a 2-week application process with Safe Web OR purchase a RIDICULOUSLY priced $399/yr Symantec SSL cert (I've only ever paid like $10 per year maximum for mine before I heard of LetsEncrypt) for automatic trust.
Why would you even purchase Symantec SSL certs when they are being untrusted in major web browsers to begin with?
Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months.

Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the security biz issued before June 1, 2016 or after December 1, 2017 will be warned that their connection is not private and someone may be trying to steal their information. They will have to click past the warning to get to the website.

This will also affect certs that use Symantec as their root of trust even if they were issued by an intermediate organization. For example, certificates handed out by Thawte, GeoTrust, and RapidSSL that rely on Symantec will be hit by Google's crackdown. If in doubt, check your cert's root certificate authority to see if it's Symantec or not.

The change will come in build 66 of Chrome – due for public release on April 17 – and the problem will get even bigger on October 23 when build 70 is released and all Symantec certificates will be listed as not being trustworthy.

Of course, not everyone uses Chrome and not everyone will instantly upgrade to the latest version, but it's safe to say that it will become a very big headache very quickly for those sites that haven't obtained new HTTPS certs from other authorities.
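The Register excerpt above gives the rule Chrome applies: a certificate chaining to a Symantec root is distrusted in Chrome 66 if it was issued before June 1, 2016 or after December 1, 2017, and in Chrome 70 regardless of issue date. The following is an added example (not from this thread or from Symantec/Google) that encodes that schedule as a check you can run against your own cert; it assumes the issuer's organizationName is enough to recognise the Symantec-family brands named in the article, and the sample certificates in `main` are constructed.

```python
"""Check whether a TLS certificate falls under Chrome's Symantec distrust
schedule: Chrome 66 distrusts Symantec-rooted certs issued before 2016-06-01
or after 2017-12-01; Chrome 70 distrusts all of them.
Added example, not from the original thread."""
import socket
import ssl
from datetime import date, datetime

# Brands the article says chain to Symantec roots. Assumption: we match on the
# issuer organizationName only; a full check would walk the chain to its root.
SYMANTEC_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl", "verisign")

# Certs issued inside this window survive until Chrome 70; the rest die in Chrome 66.
WINDOW_START = date(2016, 6, 1)
WINDOW_END = date(2017, 12, 1)


def chain_is_symantec(issuer_orgs):
    """issuer_orgs: organizationName of each issuer in the chain (leaf first)."""
    return any(b in (org or "").lower() for org in issuer_orgs for b in SYMANTEC_BRANDS)


def chrome_status(issuer_orgs, not_before):
    """Return the first Chrome build that distrusts the cert (66 or 70), or None.
    not_before is the issue date as 'YYYY-MM-DD'."""
    if not chain_is_symantec(issuer_orgs):
        return None
    issued = datetime.strptime(not_before, "%Y-%m-%d").date()
    if issued < WINDOW_START or issued > WINDOW_END:
        return 66  # warned from Chrome 66 (April 17)
    return 70      # still trusted until Chrome 70 (October 23)


def fetch_leaf(hostname, port=443):
    """Fetch the live leaf cert's issuer O= and issue date (uses the network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # leaf only; the chain is not exposed here
    issuer = dict(pair[0] for pair in cert["issuer"])
    issued = datetime.strptime(cert["notBefore"], "%b %d %H:%M:%S %Y %Z")
    return [issuer.get("organizationName", "")], issued.strftime("%Y-%m-%d")


if __name__ == "__main__":
    # Constructed samples: a pre-window GeoTrust cert, an in-window one, and an LE cert.
    for orgs, issued in ((["GeoTrust Inc."], "2015-03-01"),
                         (["Thawte, Inc."], "2017-01-10"),
                         (["Let's Encrypt"], "2018-03-01")):
        print(orgs[0], issued, "->", chrome_status(orgs, issued))
```

Run it with `fetch_leaf("yourdomain.example")` fed into `chrome_status` to test a live site; the `main` block only exercises the constructed samples.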
 
The same here, OK, Safe on all Sites, and all sites are on
Lucky too. I've tested a few forums that I know of and they are showing up as 'untested' (thus "untrusted" too).

I mean, it's not a huge impact, but there are some users that you might lose because of this idiocracy Norton put in place. The majority of those people, of course, are closer to the computer illiterate side and rely on those types of software to feel safe about their expensive purchases (laptops, PCs, etc.). However, I'm still mad if I lose 1 person out of 1000 or even 10000 as that could be a $0.30+ CPC, or even a regular visitor because they bookmarked the site.
 
Why would you even purchase Symantec SSL certs when they are being untrusted in major web browsers to begin with?
I know, right?! But, to pass Safe Web, you need their certificate or a manual (maybe automatic in some cases, after time and crawling) review.
 
Yeah, seems Symantec's SSL division is desperate, heh. Letsencrypt is decimating all paid SSL CA vendors' domain validated SSL business, and with recent Chrome 77 removing green padlock EV indicators now, the EV SSL cert business will be dying too!
I'm convinced that now it's a scam. LE (using your CMM nonetheless) does the same job as a $10 cert, but obviously less than a $400 "trusted" cert as you pointed out.

It's just angering to know that Safe Web is marking sites that are obviously not malicious in any manner as "unsafe" and making webmasters go through a verification process, all the while someone could pick up a "trusted" domain on expiration/drop and not have to worry about it AND pump it full of malware.

Edit: I can't say "same job" as a paid cert does come with insurance, but, if you're not processing credit cards, etc., this shouldn't be an issue for a forum (most forums use a payment processor for upgrades, which are insured).
 
Yeah, wonder about Norton, though sometimes it's just a coincidence if an unsafe-marked site is using Letsencrypt, so it's hard to know, as some malware injected into sites has conditional code to only show for specific visitors and referral paths, i.e. a visitor coming from Google search versus a visitor coming directly to the site may trigger different conditions to activate malware infections.
 
but obviously less than a $400 "trusted" cert

Even Extended Validation certificates which cost a lot of money and have to be cross checked against official government company records before you can get one just so you can have a nice green bar with your company name beside your URL in a browser - are effectively useless now with recent changes to browsers.

Some reading for you: https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

Edit: I can't say "same job" as a paid cert does come with insurance

I'm not sure SSL insurance or warranties are actually worth anything? https://scotthelme.co.uk/do-ssl-warranties-protect-you-as-much-as-rocks-keep-tigers-away/

Given that it's much more likely (probably several order of magnitude more likely!) that a bug in your website or the software you use to run it will be the cause of vulnerabilities rather than someone managing to crack your SSL security (even that from free LE certificates), I personally don't think that paying extra $$ for "special" SSL certificates is in any way useful.

As a general rule, you should never process credit card details on your own website anyway - let the payment gateways handle that for you.
 
Interesting. 1 forum that i have is untested. That forum is almost 2 years old.

Another forum that I am developing and is not live yet tested out as SAFE. The domain has only been registered a few months.

Both sites use the Lets Encrypt SSL cert.
 
Even Extended Validation
The $400 one isn't even EV. It's a plain ole cert that allows you to display Norton's badge of trust on your site (in other words, give them a back link too).
That forum is almost 2 years old.
Maybe your demographic never reported it as they aren't foolish enough to use antivirus bloatware? Either way, you might rank for a certain keyword and lose 1 visitor because of that; just a hypothetical that should make anyone mad.
 