Google Questions Symantec’s Commitment to Trust Chain for Internet Users—Refuses to Recognize Validation Status Certificates

September 29, 2017

In March, Google launched the latest salvo of their public feud with Symantec over risk management of HTTPS credentials. Google Chrome developers announced plans to stop recognizing all extended validation status certificates issued by Symantec-owned Certificate Authorities (CA). This mass nullification will be in effect for a minimum of one (1) calendar year.

The first phase is to stop recognition of the extended validation status. Extended validation certificates provide assurances of a site’s authenticity and security. To put this into perspective, it is estimated that Symantec-owned CAs provide anywhere from 30-42% of all certificates across the web.

Between now and the end of the summer, Google intends to roll out updates for Chrome that will nullify the currently valid certificates issued by Symantec-owned CAs. Symantec fired back that the issue is massively overstated; as opposed to the 30,000 SSL/TLS certificates that Google cited, only 127 of them were identified as incorrectly issued. Google retorted that Symantec has continually failed to move in the timely manner warranted by these vulnerabilities, and that it took over a month for Symantec to fully disclose the extent of the issue. If, after a year, Google remains unsatisfied with Symantec’s solution to the issue they may stop trusting Symantec-issued certificates altogether – both standard and extended validation certs and thus hamper access to websites for Google Chrome users.

More information can be found on ARS Technica at:

https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/

-Contributed by Michael Lake, Policy Analyst at DHS

Top