Google is threatening to stop trusting some Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates issued by Symantec inside of the Chrome web browser. Google alleges that Symantec has failed to properly validate issued certificates, a claim with which Symantec strongly disagrees.
“Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates,” Ryan Sleevi, staff software engineer at Google, wrote. “Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team.”
Google’s initial investigation looked at 127 certificates that may have been misissued, but the list has now expanded to include at least 30,000 certificates issued over a period of several years, according to Sleevi. In October 2015, Google also publicly admonished Symantec over certificates issuance practices.
Google is set to take several actions against Symantec, including reducing the validity period of newly issued certificates to only nine months or fewer, as well as removing recognition for Symantec’s Extended Validation (EV) certificates. In addition, Google plans on beginning what Sleevi refers to as “an incremental distrust” of Symantec-issued certificates, whereby all current such certificates will be distrusted over a period of time, requiring them to be revalidated and replaced.
For its part, Symantec disagrees with Google’s position. In a blog post of its own, Symantec argued that Google’s claims are “irresponsible” as well as being both exaggerated and misleading.
“While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs,” Symantec stated.
Security experts contacted by eWEEK had a positive view of Google’s position on the issue of certificate integrity. Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, holds the view that Google is right, given that SSL/TLS certificates are the basis of trust and privacy on the internet.
Google revoking trust in Symantec certificates, however, could have a large impact on the internet as a whole. Bocek said that businesses of all sizes are going to struggle to find and replace Symantec certificates quickly.
“Even more importantly, Google is proposing that Extended Validation certificates issued by Symantec should no longer be trusted,” Bocek told eWEEK. “Extended Validation certificates are used by banks, retailers, insurers and governments to convey the highest level of trust. “
Bocek added that the impact on the organizations that use Symantec’s EV certificates could be large, especially since the largest organizations with significant security investments typically aren’t agile enough to find and replace certificates before it impacts their businesses.
Scott Petry, CEO of Authentic8, also believes Google is right in raising this issue.
“There has been a history of cert-related sloppiness with this vendor in the past, and the stakes for a faulty cert in today’s surveillance state are pretty significant,” Petry told eWEEK. “The first steps aren’t heavy handed, but they do send a strong signal.”
David Coxe, CEO of ID Dataweb, agreed that Google’s actions are not too heavy-handed. The most draconian action Google could evoke is to simply revoke Symantec from the root trust store in the Chrome browser, he said.
“However, they are taking a moderating approach to gradually phase out older certificates,” Coxe told eWEEK. “This will cause sites who today appear to be valid to no longer be valid in a user session, and that will likely cause the owners of those sites to buy new SSL certs from a trusted provider. “
Regardless of the end result, Google’s move is likely to serve as a wake-up call for businesses, according to Bocek. In his view, most organizations don’t have the agility required to move, add or change certificates, keys or CAs in response to external issues like this one.
Petry is optimistic that Google and Symantec will work things out over the trust of SSL/TLS certificates issued by Symantec. He’s also hopeful that the dispute will help to further educate the market about SSL/TLS certificates. Most internet users act in a somewhat bipolar manner when it comes to web security, he said. If the SSL/TLS certificate for a given website fails, half or more of users will click anyway, while the other half will feel secure if the padlock icon is green.
“SSL certs fill a specific need in the ecosystem, but they’re not a panacea,” Petry said. “They are in place to establish a level of integrity of the connection between the browser and the host, not the overall validity of the site, the content or protection of data.”