Google proposes revoking Symantec certs

Google no longer has confidence in Symantec's issuance of certificates

In a dramatic criticism of one of the biggest suppliers of HTTPS credentials, Google Chrome developers said they would be restricting transport layer security certificates sold by Symantec-owned issuers effective immediately. The reason: "a continually increasing scope of misissuance," said a statement from Ryan Sleevi, a staff software engineer at Google, writing in a Google forum.

The issue lies in the rapidly expanding number of certificates (30,000) issued over several years, coupled with "a series of failures following the previous set of misissued certificates from Symantec."

Sleevi wrote that Chrome will cease recognizing the extended validation (EV) status of all certs issued by Symantec-owned certificate authorities. EV certs signal a higher level of vetting for a site by displaying the name of the validated domain holder in the address bar. Chrome will no longer show that data for at least a year, Sleevi said.

"Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them," he explained. "This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs."

Symantec has failed to uphold these principles, he added, resulting in "significant risk" for users of Google's web browser, Chrome.

"Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations' failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them," Sleevi wrote.

"We no longer have the confidence necessary in order to grant Symantec-issued certificates the 'Extended Validation' status," Sleevi concluded.

The move will certainly have an impact as Symantec certs, as measured in 2015, comprise more than 30 percent of the internet's valid certificates. Potentially, Chrome users will no longer be able to access a vast range of sites.

For its part, Symantec issued a statement on Friday "strongly" objecting to Google's move, saying the action was unexpected and calling the claims in the blog post irresponsible.

"Google's statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading," the statement read. "For example, Google's claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm."

Symantec claimed it took remediation measures to fix this particular problem and terminated the partner's designation as a registration authority (RA).

"While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google's blog post involved several CAs," the Symantec statement said.