
Google to Remove Symantec Root Certificate From Products

[Update] Google announced on Friday that it will remove a Symantec root certificate from Chrome, Android and other products over the coming weeks in an effort to protect its customers.

Symantec announced on Dec. 1 that it had discontinued the VeriSign G1 root certificate (Class 3 Public Primary CA), which had been used to issue public code signing and TLS/SSL certificates.

According to Google software engineer Ryan Sleevi, since this root will no longer comply with CA/Browser Forum Baseline Requirements, the search giant cannot ensure that the certificate or the certificates issued with it are not abused to intercept or impersonate secure communications.

“As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products,” explained Sleevi.

Symantec told Google that it plans on using the root certificate for other purposes, but it has not specified its new functions.

“As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate,” Sleevi explained in a blog post. “This step is necessary because this root certificate is widely trusted on platforms such as Android, Windows, and versions of OS X prior to OS X 10.11, and thus certificates Symantec issues under this root certificate would otherwise be treated as trustworthy.”

While Google’s blog post seems alarmist, Symantec has pointed out in its advisory that the discontinuation and its timing are in line with industry best practices based on CA/Browser Forum Baseline Requirements. The security firm has informed customers that browsers may remove support for certificates issued with the discontinued root certificate, which will result in browser errors.

However, the company told Google it does not believe its customers will be affected by the removal of the certificate.

“It is important to replace such a certificate with one that chains up to a more modern root. Symantec offers free replacements in each of our certificate management consoles,” Symantec said.
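The advice above, to replace any certificate that chains up to the discontinued root, raises a practical question for operators: how do you tell whether a chain you serve still terminates in a distrusted root? The following is an added Python example (written for this page, not code from SecurityWeek, Google or Symantec). It assumes the operator has exported the server's chain as a PEM bundle and keeps a list of SHA-256 fingerprints of roots that browsers have distrusted; the PEM blobs and the fingerprint in the distrust list are constructed placeholders, not the real VeriSign G1 root.

```python
import base64
import hashlib
import re

# Constructed placeholder "certificates": arbitrary bytes with a DER-like
# SEQUENCE prefix, wrapped in PEM armour. They are NOT real X.509 certificates;
# only the PEM-parsing and fingerprint-matching logic is exercised here.
LEAF_DER = b"\x30\x82\x01\x00" + b"leaf-cert-placeholder"
INTERMEDIATE_DER = b"\x30\x82\x01\x00" + b"intermediate-cert-placeholder"
LEGACY_ROOT_DER = b"\x30\x82\x01\x00" + b"legacy-root-placeholder"


def _pem_wrap(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# A server chain as exported to a PEM bundle: leaf first, root last.
CHAIN_BUNDLE = (_pem_wrap(LEAF_DER) + _pem_wrap(INTERMEDIATE_DER)
                + _pem_wrap(LEGACY_ROOT_DER))

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(bundle: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in the bundle, in order.
    b64decode ignores the line breaks inside the armour by default."""
    return [base64.b64decode(m.group(1))
            for m in PEM_BLOCK.finditer(bundle.encode("ascii"))]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case
    hex, the same form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Distrust list keyed by fingerprint. The entry below is the constructed
# placeholder root above, standing in for a legacy root a browser has dropped.
DISTRUSTED_ROOTS = {fingerprint(LEGACY_ROOT_DER): "placeholder legacy root"}


def check_chain(bundle: str, distrusted: dict) -> list:
    """Return (position, fingerprint, reason) for each certificate in the
    bundle whose fingerprint is on the distrust list. Position 0 is the leaf.
    An empty list means no certificate in the chain is distrusted."""
    hits = []
    for pos, der in enumerate(parse_pem_bundle(bundle)):
        fp = fingerprint(der)
        if fp in distrusted:
            hits.append((pos, fp, distrusted[fp]))
    return hits


def chain_needs_replacement(bundle: str, distrusted: dict) -> bool:
    """True when any certificate in the chain is distrusted: once a browser
    removes a root, every certificate chaining to it stops validating, so the
    whole chain must be reissued under a root the browser still trusts."""
    return bool(check_chain(bundle, distrusted))


if __name__ == "__main__":
    for pos, fp, reason in check_chain(CHAIN_BUNDLE, DISTRUSTED_ROOTS):
        print(f"chain position {pos} is distrusted ({reason}): {fp}")
    print("needs replacement:", chain_needs_replacement(CHAIN_BUNDLE, DISTRUSTED_ROOTS))
```

Matching on whole-certificate fingerprints is a simplification: it catches a chain that still includes the dropped root, but a real trust decision also requires full path validation against the client's store, and a chain that omits the root yet is signed by it will only fail at validation time. The check is still useful as a quick inventory pass over exported bundles before a browser's removal date arrives.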

Google told Symantec in October to step up its game to avoid certificate-related problems in Chrome and other products. The warning came after Symantec discovered nearly 200 inappropriately issued certificates for existing domains, and more than 2,400 certificates for unregistered domains.

Symantec argued that the certificates were only used for testing purposes and posed no risk to users. However, Google instructed the security firm to take steps to prevent such incidents in the future, and starting June 1, 2016, it will require the company to support Certificate Transparency for all certificates.

[Update] “In keeping with industry standards and best practices, Symantec notified major browsers in November, including Google, that they should remove or untrust a legacy root certificate from their lists called the VeriSign Class 3 Public Primary Certification Authority G1 (PCA3-G1),” a Symantec spokesperson told SecurityWeek in a statement emailed Dec. 15. “We advised this action because this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications. By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014.”

Related Reading: Google Finds Unauthorized Certificates Issued by Intermediate CA

*Updated with statement from Symantec

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

