Google Stops Trusting Symantec-Issued Certificates

Google is displeased with the fact that Symantec has failed to ensure that its partners don’t improperly issue digital certificates, which is why the tech giant has announced its intent to gradually stop trusting all of the company’s existing certificates in Chrome.

Symantec, and particularly some of its subsidiaries and WebTrust-audited partners, has been caught by Google and others wrongly issuing certificates. In 2015, Google told Symantec to step up its game after a subsidiary certificate authority (CA) issued unauthorized google.com certificates.

More recently, Symantec’s GeoTrust and Thawte were found to have wrongly issued more than 100 certificates, including for domains such as test.com and example.com.

According to Google software engineer Ryan Sleevi, an investigation revealed that Symantec’s partners mis-issued at least 30,000 certificates in recent years. These certificates were issued by four organizations: CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A.

Symantec authorized these companies to perform validation of certificate information but failed to properly audit them, and under the CA/Browser Forum’s Baseline Requirements the CA remains liable for any resulting issues. Another problem is that, from the certificate itself, there is no way to distinguish certificates validated by Symantec from certificates validated by the company’s partners, Sleevi said.

“Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned,” Sleevi explained. “The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”

As a result of Symantec’s failings, Google wants to remove the recognition of Extended Validation status for certificates issued by the company, and reduce the accepted validity period for newly issued certificates to nine months or less. Under the current proposal, all existing certificates will gradually become untrusted.

Since Symantec-issued certificates account for a significant percentage of the total, Google wants the certificates to be replaced gradually in order to avoid disruptions for websites and their visitors.

Starting with Chrome 59, the maximum accepted validity period of Symantec-issued certificates will be reduced to 33 months, and by Chrome 64 it will be reduced to 9 months.
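A defender-side inventory check built from the two caps the article states (Chrome 59: 33 months, Chrome 64: 9 months). This is an added example, not code from the article or from Google; the handling of Chrome 60 to 63 and the sample certificates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Caps taken from the article: Chrome 59 -> 33 months, Chrome 64 -> 9 months.
# Assumption (not on the page): Chrome 60-63 are treated as still using the
# 33-month cap; any intermediate steps are outside what the article states.
VALIDITY_CAPS = {59: 33, 64: 9}


@dataclass
class CertRecord:
    name: str                # operator's label for the certificate
    not_before: datetime     # notBefore from the certificate
    not_after: datetime      # notAfter from the certificate
    symantec_chained: bool   # chain terminates in a Symantec-operated root


def max_validity_months(chrome_version: int):
    """Maximum accepted validity (months) for a Symantec-issued certificate in
    the given Chrome version, or None if that version applies no cap."""
    applicable = [v for v in VALIDITY_CAPS if v <= chrome_version]
    return VALIDITY_CAPS[max(applicable)] if applicable else None


def validity_months(not_before: datetime, not_after: datetime) -> float:
    """Validity period in (average) calendar months."""
    days = (not_after - not_before).total_seconds() / 86400
    return days / (365.25 / 12)


def chrome_accepts(cert: CertRecord, chrome_version: int) -> bool:
    """True if the proposed cap would still let this Chrome version trust the cert."""
    if not cert.symantec_chained:
        return True                      # caps apply only to Symantec chains
    cap = max_validity_months(chrome_version)
    if cap is None:
        return True                      # version predates the policy
    return validity_months(cert.not_before, cert.not_after) <= cap


def affected_names(inventory, chrome_version: int):
    """Names of certificates that would stop being trusted in chrome_version."""
    return [c.name for c in inventory if not chrome_accepts(c, chrome_version)]


# Constructed sample inventory (not real certificates).
_T0 = datetime(2017, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertRecord("shop-3yr-symantec", _T0, datetime(2020, 1, 1, tzinfo=timezone.utc), True),
    CertRecord("api-2yr-symantec", _T0, datetime(2019, 1, 1, tzinfo=timezone.utc), True),
    CertRecord("mail-6mo-symantec", _T0, datetime(2017, 7, 1, tzinfo=timezone.utc), True),
    CertRecord("blog-3yr-other-ca", _T0, datetime(2020, 1, 1, tzinfo=timezone.utc), False),
]
```

Running `affected_names(SAMPLE_CERTS, 64)` over a real inventory (dates read from each certificate) gives the list to reissue first; the 6-month certificate survives both caps, the 2-year one only the Chrome 59 cap.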

Symantec said it strongly objects to Google’s decision, and called the action unexpected and the announcement irresponsible. The company said it hopes Google did not intend to create uncertainty and doubt within the community about its SSL/TLS certificates. Symantec’s statement reads: 

Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.

While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.

We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet. Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers. Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA. Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.

We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates. Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post.

We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners.

Related: Mozilla Allows Symantec to Issue SHA-1 Certificates to Payment Processor

Related: Google Launches Its Own Root Certificate Authority

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.