Google has lost confidence in Symantec certificates



    The developers of the Google Chrome browser have announced a plan to gradually withdraw trust from previously issued Symantec SSL certificates (requiring them to be revalidated and replaced), to stop recognizing their EV status, and to cap the validity period of newly issued certificates at nine months or less. This is the outcome of an investigation into certificates that were issued without the permission of the domain owners, and into the company's current issuance practices.

    The Google investigation ran for two months, from January to March 2017. The longer it went on, the more questions Symantec had to answer, and the more violations in certificate issuance came to light. The 2015 incident, when Symantec issued certificates for domains belonging to Google, Opera and several other organizations without authorization, has not been forgotten.

    At the time, Symantec explained its actions as follows: “A small number of test certificates were incorrectly issued for internal use during testing. All of these test certificates and keys were under our control at all times and were immediately revoked when we learned of the problem. There was no impact on any domains and no danger to the Internet.” The employees who violated the policies and caused the incident were fired.

    However, the subsequent audit found 187 certificates issued for existing domains without the knowledge of their owners, and 2,458 certificates for domains that did not exist.

    After that incident it was clear that Symantec's issuance controls were inadequate. Google demanded a number of measures, including logging all newly issued certificates to Certificate Transparency, conducting an additional audit, publishing an incident report, and engaging independent auditors.

    A little over a year has passed since that incident, and now Google has again turned to the offending certification authority to verify its compliance with the Chrome Root Certificate Policy.

    From the outset it was clear that things at the company had not improved much. The investigation started with an initial set of 127 certificates, but in light of the violations uncovered it was expanded to about 30,000 certificates issued over several years.

    Google summarized the results of the investigation as follows: “We no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years. To restore confidence and security for our users, we propose the following steps:

    • Reduce the accepted validity period of newly issued Symantec certificates to nine months or less, to minimize any impact on Google Chrome users from any further misissuance that may occur.
    • A gradual distrust, spanning several Google Chrome releases, of all previously issued Symantec certificates, requiring that they be revalidated and replaced.
    • Removal of recognition of Extended Validation (EV) status for certificates issued by Symantec until the community is confident in Symantec's policies and practices, but for a period of no less than one year.”

    The phased reduction in the accepted validity period of newly issued Symantec certificates is to be implemented as follows:

    • Chrome 59 (Dev, Beta, Stable): 33 months (1023 days)
    • Chrome 60 (Dev, Beta, Stable): 27 months (837 days)
    • Chrome 61 (Dev, Beta, Stable): 21 months (651 days)
    • Chrome 62 (Dev, Beta, Stable): 15 months (465 days)
    • Chrome 63 (Dev, Beta): 9 months (279 days)
    • Chrome 63 (Stable): 15 months (465 days), since this release ships during the Christmas holidays, when many companies are closed for the holidays
    • Chrome 64 (Dev, Beta, Stable): 9 months (279 days)
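    To make the schedule concrete, here is an added example (my own code, not from the original article, from Google or from Symantec) that takes a certificate's issuer and validity dates in the form `openssl x509 -noout -issuer -dates` prints them, computes the validity period in whole days, and reports the first Chrome Stable release in the schedule above that would reject a newly issued Symantec certificate of that length. The sample inputs are constructed, not real certificates. The table uses the Stable limits (Chrome 63 Dev/Beta already used 279 days), and the list of Symantec-operated brand names beyond "Symantec" itself (GeoTrust, Thawte, RapidSSL, VeriSign) is an assumption added here, not something the article states.

```python
"""Check a certificate's validity period against Chrome's phased limits for Symantec certs."""
from datetime import datetime

# Chrome Stable release -> maximum validity (days) accepted for a newly issued
# Symantec certificate, per the schedule above. Chrome 63 Dev/Beta already
# used 279 days; Stable kept 465 days because of the holiday period.
CHROME_STABLE_LIMIT_DAYS = {59: 1023, 60: 837, 61: 651, 62: 465, 63: 465, 64: 279}

# Issuer name fragments treated as Symantec-operated. Assumption (added here):
# the article names only "Symantec"; the others are Symantec's own CA brands.
SYMANTEC_ISSUER_MARKERS = ("Symantec", "GeoTrust", "Thawte", "RapidSSL", "VeriSign")

# Constructed samples in the shape 'openssl x509 -noout -issuer -dates' prints.
# They are not real certificates.
SAMPLE_TWO_YEAR = """\
issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
notBefore=Apr  1 00:00:00 2017 GMT
notAfter=Apr  1 23:59:59 2019 GMT
"""
SAMPLE_NINE_MONTH = """\
issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
notBefore=Apr  1 00:00:00 2017 GMT
notAfter=Jan  5 23:59:59 2018 GMT
"""
SAMPLE_OTHER_CA = """\
issuer= /C=US/O=Example Root CA/CN=Example Issuing CA
notBefore=Apr  1 00:00:00 2017 GMT
notAfter=Apr  1 23:59:59 2019 GMT
"""


def parse_openssl_text(text):
    """Split 'key=value' lines into a dict; only the first '=' separates key from value,
    so DN components such as '/C=US' inside the issuer value stay intact."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def parse_openssl_date(value):
    """Parse 'Apr  1 00:00:00 2017 GMT' into a naive datetime.
    openssl always prints GMT, so the timezone suffix is dropped before parsing."""
    stamp, _, _tz = value.rpartition(" ")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")


def validity_days(not_before, not_after):
    """Validity period as whole days between notBefore and notAfter."""
    return (not_after - not_before).days


def is_symantec_issuer(issuer):
    """True if the issuer DN contains any of the Symantec brand markers (case-insensitive)."""
    lowered = issuer.lower()
    return any(marker.lower() in lowered for marker in SYMANTEC_ISSUER_MARKERS)


def first_rejecting_release(days):
    """Lowest Chrome Stable release in the schedule whose limit the validity exceeds,
    or None if every release in the schedule accepts it."""
    for release in sorted(CHROME_STABLE_LIMIT_DAYS):
        if days > CHROME_STABLE_LIMIT_DAYS[release]:
            return release
    return None


def assess(openssl_text):
    """Return the issuer classification, validity in days and the first rejecting release."""
    fields = parse_openssl_text(openssl_text)
    days = validity_days(parse_openssl_date(fields["notBefore"]),
                         parse_openssl_date(fields["notAfter"]))
    symantec = is_symantec_issuer(fields["issuer"])
    return {
        "symantec": symantec,
        "validity_days": days,
        # The length limit only applies to Symantec-issued certificates.
        "first_rejecting_release": first_rejecting_release(days) if symantec else None,
    }


if __name__ == "__main__":
    for name, sample in (("two-year Symantec", SAMPLE_TWO_YEAR),
                         ("nine-month Symantec", SAMPLE_NINE_MONTH),
                         ("other CA", SAMPLE_OTHER_CA)):
        print(name, assess(sample))
```

    To run it against a real certificate, pipe in the output of `openssl x509 -in cert.pem -noout -issuer -dates`. Note that this only checks the validity-length rule; the separate phased distrust of previously issued Symantec certificates applies regardless of how long a certificate is valid.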

    According to Google, these measures “will ensure that the level of assurance of Symantec certificates meets the expectations of Google Chrome and the ecosystem, and that the risks from past and possible future violations are minimized as much as possible.”

    It should be kept in mind that Symantec is one of the largest certificate authorities on the Internet: in January 2015 more than 30% of all certificates on the Web had been issued by its CAs. Since then, however, there have been significant changes. Comodo now leads with 42.7%, while Symantec's share has dropped to 15.4%.
