Security Experts:

Google to Remove Symantec Root Certificate From Products

[Update] Google announced on Friday that it will remove a Symantec root certificate from Chrome, Android and other products over the coming weeks in an effort to protect its customers.

Symantec announced on Dec. 1 that it had discontinued the VeriSign G1 root certificate (Class 3 Public Primary CA), which had been used to issue public code signing and TLS/SSL certificates.

According to Google software engineer Ryan Sleevi, since this root will no longer comply with CA/Browser Forum Baseline Requirements, the search giant cannot ensure that the certificate or the certificates issued with it are not abused to intercept or impersonate secure communications.

“As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products,” explained Sleevi.

Symantec told Google that it plans on using the root certificate for other purposes, but it has not specified its new functions.

“As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate,” Sleevi explained in a blog post. “This step is necessary because this root certificate is widely trusted on platforms such as Android, Windows, and versions of OS X prior to OS X 10.11, and thus certificates Symantec issues under this root certificate would otherwise be treated as trustworthy.”

While Google’s blog post seems alarmist, Symantec has pointed out in its advisory that the discontinuation and its timing are in line with industry best practices based on CA/Browser Forum Baseline Requirements. The security firm has informed customers that browsers may remove support for certificates issued with the discontinued root certificate, which will result in browser errors.

However, the company told Google it does not believe its customers will be affected by the removal of the certificate.

“It is important to replace such a certificate with one that chains up to a more modern root. Symantec offers free replacements in each of our certificate management consoles,” Symantec said.

Google told Symantec in October to step up its game to avoid certificate-related problems in Chrome and other products. The warning came after Symantec discovered nearly 200 inappropriately issued certificates for existing domains, and more than 2,400 certificates for unregistered domains.

Symantec argued that the certificates were only used for testing purposes and they posed no risk to users. However, Google instructed the security firm to take steps to prevent such incidents in the future, and starting with June 1, 2016 it will require the company to support Certificate Transparency for all certificates.

[Update] “In keeping with industry standards and best practices, Symantec notified major browsers in November, including Google, that they should remove or untrust a legacy root certificate from their lists called the VeriSign Class 3 Public Primary Certification Authority G1 (PCA3-G1)," a Symantec spokesperson told SecurtyWeek in a statement emailed Dec. 15. "We advised this action because this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications. By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014.”

Related Reading: Google Finds Unauthorized Certificates Issued by Intermediate CA

*Updated with statement from Symantec

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.