Google Loses Trust in Symantec Certificates – Update
Google has strongly criticized Symantec Corporation’s conduct in issuing certificates. Google will reduce Chrome’s trust in existing Symantec SSL certificates and shorten the validity period it accepts for newly issued ones.
Since January 19, Google has been investigating problems with the issuance of certificates by Symantec. Initially, the investigation involved 127 certificates, but statements from Symantec have expanded that number to at least 30,000 certificates.
Symantec has violated the principles enshrined in Chrome’s Root Certificate Policy, exposing Chrome users to risk, Google claims. Access to Symantec’s certificate infrastructure by four of the company’s partners is said to have led to the issuance problems, and the security company’s oversight of those partners is also said to have been inadequate. In addition, Symantec is said to have responded laxly to evidence of the problems.
In response, Google is going to phase out Chrome’s trust in the certificates in stages. Chrome 59 still accepts Symantec certificates up to 33 months old as valid; in version 62 that limit drops to 15 months, and in the latest version, Chrome 64, to 9 months. The maximum validity period for all newly issued Symantec certificates has been set at 9 months. As a result, many certificates will have to be revalidated and replaced.
Google considered revoking trust immediately in all browser versions a step too far. In January 2015, 30 percent of all valid certificates came from Symantec. That percentage will have fallen since, according to Google, but revoking trust immediately would cause many compatibility problems. Indeed, the share now appears to be around 15 percent.
The reason for the investigation was Symantec’s revocation of wrongly issued certificates in January. According to the company, the cause lay with one of its “trusted partners”, which had access to Symantec’s infrastructure.
Update 18.00: Google is also removing the extended validation status of certificates issued by Symantec certificate authorities. This status causes browsers to prominently display that the owner of a domain has been verified; Chrome will therefore no longer show this extra assurance for Symantec certificates. Symantec has now responded to Google’s steps, as Ars Technica reports. The security company claims it was not informed about the decisions: “We only became aware of Google’s proposals when it posted them on its blog. The announcement was unexpected and the proposed decisions are irresponsible. Our SSL/TLS certificate customers should know that this requires no action from them at this time.”