Google will no longer trust one of Symantec's root certificates on Chrome and Android platforms, a Google software engineer said in a blog post.
Earlier this month, Symantec said it would continue to use its VeriSign PCA3-G1 root certificate, but had discontinued using it to issue public TLS/SSL and code-signing certificates, and asked browsers to remove trust in the root.
Google engineer Ryan Sleevi wrote that, because the root will no longer comply with the CA/Browser Forum's Baseline Requirements, the failure to comply “represents an unacceptable risk to users of Google products.”
Adam Ely, co-founder and CSO of the mobile app security company Bluebox, told SCMagazine.com that enterprise users could build threat models for the certificates more easily if Symantec disclosed how it plans to use PCA3-G1. He said, “Where else are these certificates bundled, other than first-tier browsers?” Ely noted, for example, that the root may ship inside the trusted certificate set bundled with second- or third-tier enterprise applications.
SCMagazine.com obtained a statement from Symantec that noted, “In keeping with industry standards and best practices, Symantec notified major browsers in November, including Google, that they should remove or untrust a legacy root certificate from their lists called the VeriSign Class 3 Public Primary Certification Authority G1 (PCA3-G1). We advised this action because this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn't been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers' legacy, non-public applications. By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014.”
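Ely's question, where else the root is bundled, and Symantec's description of it as "older, lower-strength security" both point at a check a practitioner can run on their own systems. The Go program below is an added example and is not code from the article, Symantec or Google: it walks a PEM trust-store bundle, flags any certificate whose subject organizational unit matches the root being hunted, and reports the properties that make a legacy root weak, namely an RSA key shorter than 2048 bits and an MD2, MD5 or SHA-1 signature. The two roots it scans are constructed self-signed certificates with made-up organization and OU names; against a real store you would pass the distrusted root's actual subject (or, more robustly, compare fingerprints from the vendor advisory) and read the bundle from disk.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding summarises one certificate found in a PEM trust-store bundle.
type Finding struct {
	Subject string
	Matched bool   // a subject OU contains the name of the root being hunted
	KeyBits int    // RSA modulus size in bits; 0 for non-RSA keys
	SigAlg  string // signature algorithm as named by crypto/x509
	WeakSig bool   // MD2, MD5 or SHA-1 based signature
	WeakKey bool   // RSA key shorter than 2048 bits
}

// Signature algorithms browsers no longer accept for publicly trusted certificates.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// ScanBundle parses every CERTIFICATE block in a PEM bundle (the format of ca-certificates.crt
// and most application bundles) and reports whether each one matches wantOU and whether it is weak.
func ScanBundle(bundle []byte, wantOU string) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys or other material mixed into the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		f := Finding{
			Subject: cert.Subject.String(),
			SigAlg:  cert.SignatureAlgorithm.String(),
			WeakSig: weakSigAlgs[cert.SignatureAlgorithm],
		}
		for _, ou := range cert.Subject.OrganizationalUnit {
			if strings.Contains(ou, wantOU) {
				f.Matched = true
			}
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			f.KeyBits = pub.N.BitLen()
			f.WeakKey = f.KeyBits < 2048
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// mustRoot builds a constructed self-signed root for the demo; the names are made up.
func mustRoot(ou string, bits int, alg x509.SignatureAlgorithm) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{Organization: []string{"Example CA, Inc."}, OrganizationalUnit: []string{ou}},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(10 * 365 * 24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildSampleBundle is a constructed two-root store: a 1024-bit, SHA-1-signed legacy root, then a modern one.
func BuildSampleBundle() []byte {
	legacy := mustRoot("Class 3 Legacy Public Primary Certification Authority", 1024, x509.SHA1WithRSA)
	modern := mustRoot("Example Root CA G5", 2048, x509.SHA256WithRSA)
	return append(legacy, modern...)
}

func main() {
	findings, err := ScanBundle(BuildSampleBundle(), "Legacy Public Primary")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("matched=%-5v weakkey=%-5v weaksig=%-5v keybits=%d sig=%s  %s\n", f.Matched, f.WeakKey, f.WeakSig, f.KeyBits, f.SigAlg, f.Subject)
	}
}
```

The first root is flagged on all three counts and the second on none. To audit a real system, feed ScanBundle the bytes of your OS bundle or an application's embedded CA file; Java keystores and OS-native stores have to be exported to PEM first. Matching on a subject string is convenient for a quick sweep, but a distrusted root should ultimately be identified by its fingerprint, since a CA can issue a new root with the same name and a different key.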
The certificate ecosystem has faced security challenges in the past several months. Price competition between certificate authorities has pushed down the cost of certificates and led to less thorough verification processes, making it easier for scammers to obtain certificates for banking and other websites they do not control.
Symantec has faced especially harsh criticism over its issuance practices. In September, after Google discovered a certificate issued for a Google domain without Google's authorization, Symantec fired the staff members responsible for issuing the certificates.
In October, Google scolded Symantec for its lax practices issuing certificates, and announced that more “questionable certificates” were found. Symantec responded with an audit of its internal practices, and discovered 2,458 certificates issued for domains that weren't registered. At the time, Google also asked Symantec to provide “a detailed set of steps they will take to correct and prevent each of the identified failures”.
Symantec corporate communications senior manager Noah Edwardsen told SCMagazine.com that this audit is still ongoing.
Ely at Bluebox said the prospect of the certificates being abused by malicious actors is disturbing.
Michael Klieman, Symantec senior director of product management, said Symantec will use the certificates for enterprise customers that are issuing internally-facing certificates. Klieman said the use of the certificates for this purpose would have “zero impact on any other use case, including the browsers.”
Google declined to comment on this article.