Google ditches Symantec over sloppy certs

Google Chrome developers have announced that they will limit trust in the transport layer security certificates sold by Symantec-owned issuers, with immediate effect.

The announcement from the Google Chrome team came after Symantec was found to have bad certificate-issuance practices. One of the biggest suppliers of HTTPS credentials has allegedly mis-issued over 30,000 certificates.

Ryan Sleevi, a staff software engineer at Google, posted: “Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years.”

Sleevi also wrote that Chrome will stop acknowledging the extended validation status of all certificates issued by Symantec-owned certificate authorities. Extended validation certificates are used to display the name of the validated domain-name holder in the address bar, a feature intended to enhance security. He said that Chrome will not display that information for at least a year.

"Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them," Sleevi explained. "This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs."

He claimed that Symantec did not adhere to these principles, and that this may pose a "significant risk" to users of Google's Chrome.

"Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations' failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them," Sleevi added in his post.

Sleevi concluded his post by stating that the Google Chrome team's confidence in Symantec has diminished, and that Chrome will no longer grant Symantec-issued certificates 'Extended Validation' status.

The move by Chrome will have a big impact, as Symantec certificates account for more than 30 percent of the internet's valid certificates. Potentially, Chrome users will no longer be able to access a vast range of sites.

For its part, Symantec addressed the issue by "strongly" objecting to Google's move. It issued a statement on Friday saying the action was unexpected and dismissing the claims Google Chrome made on its blog as irresponsible.

"Google's statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading," the statement read. "For example, Google's claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm."

Symantec stated that it has taken measures to fix this particular problem and terminated the partner's designation as a registration authority (RA).

Comment
nytfoodle
Feb 23 2023
The forum content that you shared with me has provided me with a significant amount of knowledge that is useful. I really hope you'll start posting updates more frequently.
FAQ
Q: Will all existing Symantec website links still work after the close?
A: Yes, but some links may change in the near future. Website tool addresses and credentials will remain the same immediately after the close and for the foreseeable future. Revocation information links included in a certificate will likely transfer shortly after the close. Most customers should not be impacted by this link migration. DigiCert will give prior notice on any website links being deprecated after the close.

Q: Will Symantec certificates remain valid until their expiration dates?
A: It depends. Browsers announced a deprecation timeline that begins in March of 2018. Customers with certificates issued prior to June 2016 need to replace existing certificates before then. All customers will need to transfer to the new roots by September 2018. DigiCert will begin contacting customers immediately after the close to assist with the migration. All existing certificates impacted by the distrust dates will receive replacement certificates for the remaining validity period at no cost to them.

Q: Will the validation process change after the close?
A: Yes. DigiCert is known for its robust validation process, which means customers may experience faster verification times. Although all Symantec workflows may be supported initially, we plan to implement changes as necessary to support existing needs.

Q: Will the root structure change after the close?
A: Yes, but not immediately. DigiCert plans to create new roots that are cross-signed by the existing Symantec roots. These new roots will be embedded in browsers, providing a seamless transition for most customers. Customers with pinned intermediates or roots should contact DigiCert immediately following the close for assistance.
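The cross-signing described in this answer, together with the replacement timeline in the earlier answer about expiration dates, can be checked mechanically. The Go program below is an added example, not code from the article, DigiCert or Symantec. It builds a constructed hierarchy with Go's crypto/x509: an old root standing in for a Symantec root, a new root, a cross-certificate in which the old root signs the new root's key, and one leaf under each root. It then asks Go's chain verifier which trust stores accept which leaf, compares SubjectPublicKeyInfo hashes to show what a key pin sees, and applies the FAQ's dates to each certificate. Every name, key and date is constructed; matching the issuer Organization on the string "Symantec" is a placeholder for the real set of distrusted roots, not how browsers identified them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// demoPKI: old root (stand-in for a Symantec root), new root, the new root's key cross-signed by the old root, one leaf per root.
type demoPKI struct {
	OldRoot, NewRoot, Cross, OldLeaf, NewLeaf *x509.Certificate
}

// sign issues tmpl for public key pub, signed by parent with parentKey.
func sign(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced one line above is well-formed
	return c
}

func caTemplate(serial int64, org, cn string, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func leafTemplate(serial int64, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: notBefore, NotAfter: notBefore.AddDate(3, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// buildDemoPKI generates fresh P-256 keys; all names and dates are constructed.
func buildDemoPKI() demoPKI {
	oldK, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // GenerateKey only fails if rand.Reader does
	newK, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafK, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jan := func(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }
	oldTmpl := caTemplate(1, "Symantec Corporation (constructed stand-in)", "Old Root", jan(2012))
	oldRoot := sign(oldTmpl, &oldK.PublicKey, oldTmpl, oldK) // self-signed
	newTmpl := caTemplate(2, "New CA (constructed)", "New Root", jan(2017))
	newRoot := sign(newTmpl, &newK.PublicKey, newTmpl, newK) // self-signed
	// Cross-certificate: same subject and public key as newRoot, but issued by oldRoot.
	cross := sign(caTemplate(3, "New CA (constructed)", "New Root", jan(2017)), &newK.PublicKey, oldRoot, oldK)
	oldLeaf := sign(leafTemplate(4, jan(2015)), &leafK.PublicKey, oldRoot, oldK)
	newLeaf := sign(leafTemplate(5, jan(2017)), &leafK.PublicKey, newRoot, newK)
	return demoPKI{OldRoot: oldRoot, NewRoot: newRoot, Cross: cross, OldLeaf: oldLeaf, NewLeaf: newLeaf}
}

// chainsToRoot asks Go's verifier whether leaf chains to root as of mid-2017, optionally via intermediates.
func chainsToRoot(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		DNSName: "www.example.test", CurrentTime: time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC)})
	return err
}

// spkiHash is the SHA-256 of the SubjectPublicKeyInfo, the usual form of a key pin.
func spkiHash(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// replacementDeadline applies the FAQ timeline (pre-June-2016 issuance: replace before March 2018;
// otherwise move to the new roots by September 2018). Issuer match on "Symantec" is a placeholder.
func replacementDeadline(c *x509.Certificate) string {
	if !strings.Contains(strings.Join(c.Issuer.Organization, " "), "Symantec") {
		return "not affected"
	}
	if c.NotBefore.Before(time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)) {
		return "replace before March 2018"
	}
	return "move to the new roots by September 2018"
}

func main() {
	p := buildDemoPKI()
	fmt.Println("new leaf via old root + cross-cert:", chainsToRoot(p.NewLeaf, p.OldRoot, p.Cross))
	fmt.Println("new leaf via old root alone:", chainsToRoot(p.NewLeaf, p.OldRoot))
	fmt.Println("cross-cert pins like the new root:", spkiHash(p.Cross) == spkiHash(p.NewRoot))
	for _, c := range []*x509.Certificate{p.OldLeaf, p.Cross, p.NewLeaf} {
		fmt.Println(c.Subject.CommonName, "->", replacementDeadline(c))
	}
}
```

Run it with go run. A client that only trusts the old root accepts the new leaf as long as the cross-certificate is served in the chain, which is the "seamless transition" the answer promises; a client that already has the new root embedded needs no cross-certificate. The pin comparison shows why the answer singles out pinned customers: the cross-certificate and the new root carry the same key, so a pin on the new root's key survives either path, but a pin on the old root's key fails as soon as a server stops sending the cross-certificate or the old root is distrusted.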
Q: What platform can I use to administer/manage my certificates?
A: Symantec customers can continue using their existing management tools for Symantec certificates. The move to an innovative, next-generation platform is anticipated to begin in 2018 and will likely require an API update to move to the new servicing URL at that time. DigiCert will communicate changes as they arise and will work to ensure that any changes are seamless to your operations.