Google’s Chrome browser, Android OS and other products will soon stop trusting digital certificates issued from a particular Symantec root certificate because of security concerns.
That means that Chrome and Android users who visit Websites that use certificates linked to the banned root will receive an alert informing them the site’s security certificate cannot be relied upon for authentication or encryption purposes.
In a blog post Dec. 11, Google software engineer Ryan Sleevi said the company’s decision stemmed from a Symantec notification earlier this month that it was discontinuing the use of the root certificate in question for public code signing and encryption certificates.
In its note, Symantec said its decision is consistent with industry best practices that it has asked browser companies to remove trust for certificates issued from Verisign G1 root certificates. Those using these browsers will start getting error messages when they encounter an encryption or code-signing certificate that is linked to the Verisign G1 roots, the company said
“Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements,” Sleevi said, referring to standards that a certificate authority needs to meet for using digital certificates. “As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products.”
In an emailed statement, a Symantec spokeswoman said the company asked browser vendors to remove or distrust the Verisign root certificate because it is based on lower-strength security. The company said the legacy certificate “hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications,” the statement said.
“By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014.”
According to Google’s Sleevi, Symantec has not disclosed the purposes for which it will continue to use the root certificates—issued back in 1996. Instead, it has asked Google to remove and distrust the root certificate.
Sleevi described the certificate as being widely trusted on Windows, Android and certain versions of OS X.
“Google is no longer able to ensure that the root certificate, or certificates issued from this root certificate, will not be used to intercept, disrupt, or impersonate the secure communication of Google’s products or users,” Sleevi said.
Google has twice previously aired its concerns publicly over the security of Symantec’s digital certificate-issuing process. In September, the company said that it had discovered a Symantec-issued Extended Validation “pre-certificate” for two Google domains that it had neither asked for nor authorized. At that time, Symantec had explained the issuance as a miscue that happened during an internal testing process, Google had said.
In a follow-up blog in October, Google said it had discovered many more questionable certificates issued by Symantec, involving Google domains and that of others. In response, Symantec conducted an audit and disclosed that it had issued some 164 certificates for 76 domains that had not requested or authorized the certificates. It found another 2,458 certificates for domains that were not even registered.
Websites use digital certificates to authenticate themselves to browsers and to encrypt communications between the browser and the Website. They are designed to ensure that a site is indeed what it purports to be. A compromised, or wrongly issued, certificate can be used to hijack traffic to a Website, or to impersonate a legitimate site.
Certificate Authorities (CAs) like Symantec are responsible for issuing the certificates in a secure manner and maintain lists of certificates that are compromised. But in the past, security researchers have found problems in the processes surrounding the use and revocation of digital certificates.
Recently, researchers at Akamai Technologies and several academic institutions reviewed how major Internet browsers use certificate revocation lists and found big gaps in the way browser companies handle such lists and also how CAs distribute the lists to them.