Governance & Risk Management , Risk Assessments
Google Outlines Plan to Reject Symantec's Digital CertificatesSymantec Protests, Contesting Google's Claims
Google has run out of patience with Symantec's digital certificate business. It has outlined a plan that over time will have its Chrome browser reject all of Symantec's existing digital certificates.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The web giant alleges Symantec has issued thousands of digital certificates without proper verification, undermining the safety of its users.
Google says that an investigation it launched on Jan. 19 has turned up findings that have caused "us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," writes Ryan Sleevi, a Google staff software engineer.
The move holds vast and possibly costly implications for Symantec, as well as those who have bought certificates from the company. It means either new certificates would have to be purchased from other suppliers, or Symantec would have to issue replacements.
It's a big deal for organizations and businesses because of the security implications. Digital certificates, also referred to as Secure Sockets Layer/Transport Layer Security certificates, are a cornerstone of internet security. They're used to encrypt data traffic and also to verify the owner or operator of a domain name.
Symantec has grown its digital certificate business through acquisitions of VeriSign, Thawte and Equifax, among others. Two years ago, Symantec had issued 30 percent of SSL certificates by volume worldwide, according to Google.
Symantec is contesting Google's claims. In a short blog post on March 24, Symantec says that Google's public statement was "unexpected" and "irresponsible."
"Google's statements about our issuance practices and the scope of our past misissuances are exaggerated and misleading," it says.
Mozilla, which develops the Firefox browser, is mulling whether it should go the same route as Google. Gervase Markham, a Mozilla policy engineer, writes that Symantec's issues aren't as flagrant as other companies, but still are concerning.
"Google's plan is, in my personal opinion, at the 'strong' end of the options I was considering," Markham writes.
No More Trust
Certificate Authorities, or CAs, issue digital certificates. CA certificates are "trusted" by web browsers, with successfully encrypted connections indicated by a green padlock or "https" in the URL window.
Some CAs have lost their trusted status due to abuses of their systems or lax security practices. Hackers have often tried to obtain digital certificates for domains they do not own. If an unauthorized certificate is obtained, it would be possible to intercept and decrypt traffic destined for a major web service as part of a man-in-the-middle attack.
With its vast technical resources, Google has been able to react quickly when problems occur. For example, it revoked trust in its Chrome browser for certificates issued by TURKTRUST and DigiNotar - CAs much smaller than Symantec - that experienced security breaches.
But in September 2016, Google found that Symantec's Thawte-based CA issued non-authorized certificates for www.google.com and google.com.
Around that time, a Symantec audit revealed 164 certificates for 76 domains had been erroneously issued as well as 2,458 certificates for domains that had not been registered. In October 2016, Google contended that despite Symantec's audit, the company didn't catch other questionable certificates.
Google then required that certificates issued by Symantec would have to support Certificate Transparency, an open-source project that logs new certificate in an effort for better public scrutiny.
Google says that its latest investigation has uncovered more than 30,000 certificates erroneously issued by Symantec. Symantec, however, contends that it only issued 127 such certificates.
One problem appears to stem from access Symantec has granted to other partners to its certificate infrastructure, under a designation called Registration Authority. Google alleges Symantec that failed to oversee the actions of four parties that had sensitive access to its network.
Symantec says that it has now suspended an offending partner as well the program.
"This control enhancement is an important move that other public certificate authorities have not yet followed," it says.
Too Little, Too Late?
Symantec stresses that it follows industry security standards, but its reassurances may be coming too late.
Because invalidating all certificates that fall under Symantec's purview at once would be too disruptive to those running websites and services, Google is planning a phased rejection of all of the company's certificates.
Starting with Chrome version 59, the browser will begin rejecting certificates with validity periods that exceed Google's maximum allowed, Sleevi writes. As of March 27, Chrome version 59 had been released to developers but not yet made public.
New Symantec certificates will have to comply with the CA/Browser Forum's Baseline Requirements - a lengthy document of requirements that CAs should follow. In addition, to limit the risks of "further misissuance," starting with Chrome version 64, newer certificates issued by Symantec will not be trusted for more than 279 days after being issued, Sleevi writes, saying that at that point they will need to be reissued.
Google's plan is likely to create a lot of headaches. Sleevi acknowledges that distrusting a CA is disruptive, particularly for those organizations using certificates for older devices.
"On the other hand, all site operators expect that certificates will only be issued for their domains upon their request, and the failure to have that assurance significantly undermines the security of HTTPS for both site operators and users," he writes.