The Schwartz Report

Blog archive

Google To Distrust 30k HTTPS Certs in Chrome Issued by Symantec

Google has accused Symantec of improperly issuing 30,000 Extended Validation (EV) certificates and will immediately start distrusting them in its widely used Chrome browser.

The move, a stinging indictment against the giant Certificate Authority (CA) and security provider, means SSL/TLS-based certs issued by Symantec will be invalidated. Users who visit affected HTTPS Web sites will receive warnings that a site's cert isn't valid but will still have access if they choose to ignore the warning. It could force Web site operators to move to other CAs. Symantec is disputingGoogle's charge that the certs were improperly validated.

An investigation by the Google Chrome team initiated on Jan. 17 initially centered around just 127 certificates. But the company now has found more than 30,000 certificates issued over a period of several years that don't fully meet Chrome's Root Certificate Policy. Ryan Sleevi, a software engineer on the Google Chrome team, announced the move yesterday in a newsgroup post.

"The Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates," Sleevi noted. "Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team. This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years."

As of two years ago, certificates issued by Symantec accounted for more than 30 percent of the valid certificates based on volume, according to Sleevi. A Root Certificate Policy requires all CAs to ensure that they validate domain controls, audit logs for signs of unauthorized issuance of certs and protect their infrastructures to avoid the ability to issue fraudulent certs. Symantec has failed to meet those requirements, Sleevi stated.

"On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users," said Sleevi. "Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations' failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them."

Despite the ongoing investigation, Symantec was surprised by Google's move. In a statement sent via e-mail by a Symantec spokesman, the company disputed Sleevi's accusations. "We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates."

For now, Sleevi noted Google is taking the following steps:

  • Newly issued Symantec certificates will only be valid for nine months or less, to reduce any impact to Google Chrome users of potential future certs that aren't issued properly.
  • All Symantec-issued certs covering different Chrome releases must be revalidated and replaced.
  • The Extended Validation status of Symantec issued certificates must be removed for at least one year but cannot be reinstated until it meets Google's guidelines.

Symantec argued the certs in question caused no harm against Web site visitors and believes Google is singling it out. Google's criticism of Symantec's certificate issuance policies is "exaggerated and misleading," according to its statement, which noted that it discontinued its third-party registration authority program to reduce any concerns regarding trust regarding its SSL/TLS certs.

"This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed," according to Symantec. "While all major CAs have experienced SSL/TLS certificate misissuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the misissuance event identified in Google's blog post involved several CAs."

Will the two companies iron out their differences? Symantec insists it maintains extensive controls over how it issues SSL/TLS certs and hopes to discuss the matter further with Google in hopes of resolving this dispute.

Posted by Jeffrey Schwartz on 03/24/2017 at 12:26 PM


comments powered by Disqus

Subscribe on YouTube