Google Busts Symantec-Issued Certificates and It's a Big Mess

Google said it would begin withdrawing trust from web sites with certificates issued by Symantec Corp.

In-brief: Google’s rebuke of Symantec over its sloppy and problem-plagued certificate authority business risks upsetting some of the Internet’s biggest brands. 

Security vendor Symantec faced a public rebuke from Google on Thursday over how it issues digital identity certificates. The dust-up could greatly complicate the lives of developers and website owners across the world, including some of the Internet's biggest brands.

In a post to blink-dev, the online forum for developers of the Blink rendering engine used by the Chromium browser project, Google engineer Ryan Sleevi said that the company has lost confidence in the "certificate issuance policies and practices of Symantec" in recent years. Google plans to shorten the period of time for which Symantec-issued certificates will be considered valid, and to stop recognizing the Extended Validation (EV) status of certificates issued by Symantec and Symantec-owned certificate authorities.

The decision follows a months-long investigation by Google into Symantec's certificate issuance and validation processes, prompted by incidents in which the company was found to have improperly issued certificates. In January, for example, independent research by Andrew Ayer exposed 108 improperly issued certificates from Symantec-owned Certificate Authorities (CAs).

Google's investigation revealed that those were a small piece of a much, much larger problem at Symantec. In all, Google says it has identified "at least 30,000" certificates issued over a period spanning several years that were improperly issued or validated.

"Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of mis-issuance with each set of questions from members of the Google Chrome team," Sleevi wrote. That, coupled with "a series of failures following the previous set of mis-issued certificates from Symantec," has resulted in Google losing confidence in Symantec-owned CAs.

In addition to the shorter lifespan for Symantec-issued certificates and the end of EV recognition, Google plans an incremental distrust: it will "deprecate" trust in all currently-trusted Symantec-issued certificates over a series of Google Chrome releases. Google said it will gradually decrease the 'maximum age' of Symantec-issued certificates from release to release, distrusting any certificate whose validity period (the difference between notBefore and notAfter) exceeds the maximum for that release. Note that the test is the certificate's total validity period, not how much of it remains, so a long-lived certificate with years left to run is still affected. Those certificates will have to be revalidated and replaced. Sites or applications that keep serving certificates Chrome no longer trusts will generate browser warnings that scare away users and web site visitors.
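To make the max-age rule concrete, here is an added example (my own code, not from Google or the blink-dev post) that takes a certificate in the dictionary form Python's `ssl.getpeercert()` returns, checks whether the issuer is a Symantec-operated brand, computes the validity period as notAfter minus notBefore, and lists the Chrome releases in which the certificate would be distrusted. The per-release day counts are reproduced from memory from Sleevi's proposal and should be treated as an assumption to be confirmed against the post; the issuer brand list beyond the names in this article (VeriSign, RapidSSL) is likewise an assumption, and the sample certificates are constructed, not real.

```python
import socket
import ssl

# Assumed per-Chrome-release maximum validity period (notAfter minus notBefore),
# in days, following the schedule in Sleevi's blink-dev proposal as recalled here.
# Confirm these figures against the post before relying on them.
MAX_VALIDITY_DAYS = {
    59: 1023,  # 33 months
    60: 837,   # 27 months
    61: 651,   # 21 months
    62: 465,   # 15 months
    63: 279,   # 9 months for Dev/Beta (the proposal kept Stable at 465)
    64: 279,   # 9 months
}

# Issuer organisation names treated as Symantec-operated (case-insensitive
# substring match). Symantec, GeoTrust and Thawte are named in the article;
# VeriSign and RapidSSL were also Symantec brands and are added as an assumption.
SYMANTEC_ORGS = ("symantec", "geotrust", "thawte", "verisign", "rapidssl")


def issuer_organization(cert):
    """Return organizationName from a getpeercert()-style 'issuer' field."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def is_symantec_issued(cert):
    org = issuer_organization(cert).lower()
    return any(brand in org for brand in SYMANTEC_ORGS)


def validity_days(cert):
    """Validity period in days, computed exactly as the article describes:
    notAfter minus notBefore, regardless of how much lifetime remains."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / 86400


def distrusting_releases(cert, schedule=MAX_VALIDITY_DAYS):
    """Chrome releases from the schedule in which this certificate is distrusted.

    Only certificates chaining to a Symantec-operated CA are affected, and only
    when their total validity period exceeds the release's maximum age.
    """
    if not is_symantec_issued(cert):
        return []
    days = validity_days(cert)
    return sorted(rel for rel, max_days in schedule.items() if days > max_days)


def fetch_peer_cert(hostname, port=443):
    """Fetch a live server certificate in getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((hostname, port)),
                         server_hostname=hostname) as s:
        return s.getpeercert()


# Constructed samples in the shape ssl.getpeercert() returns; not real certificates.
SAMPLE_SYMANTEC_3Y = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Symantec Issuing CA (hypothetical)"),)),
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2018 GMT",   # roughly 3 years: over every max
}
SAMPLE_SYMANTEC_SHORT = {
    "issuer": ((("organizationName", "GeoTrust Inc."),),),
    "subject": ((("commonName", "short.example.com"),),),
    "notBefore": "Mar  1 00:00:00 2017 GMT",
    "notAfter": "Nov  1 00:00:00 2017 GMT",   # 245 days: under the 279-day floor
}
SAMPLE_OTHER_CA = {
    "issuer": ((("organizationName", "Example Other CA (hypothetical)"),),),
    "subject": ((("commonName", "other.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2018 GMT",   # long-lived but not Symantec: unaffected
}

if __name__ == "__main__":
    for name, cert in [("symantec-3y", SAMPLE_SYMANTEC_3Y),
                       ("symantec-short", SAMPLE_SYMANTEC_SHORT),
                       ("other-ca", SAMPLE_OTHER_CA)]:
        print(name, round(validity_days(cert), 1), "days ->",
              "distrusted in Chrome", distrusting_releases(cert) or "none")
```

To check a real site, replace a sample with `fetch_peer_cert("www.example.com")`. Note that `getpeercert()` only returns the leaf certificate; the issuer check here looks at the leaf's immediate issuer, which is enough for Symantec's own brands but will not detect a Symantec root hidden behind a differently named intermediate.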

Google’s Chrome team said that Symantec has not upheld its responsibilities as a root certificate authority, forcing its hand.

“Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them…On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users.”

Among the company’s sins: allowing “at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” Sleevi wrote.

In short: Symantec trusted third parties to validate the information requested of domain owners, realized that at least some of those trusted third parties were not following best practices, but continued to work with them anyway. The 30,000-certificate figure is the sum total of certificates issued through those partners, Google's Sleevi indicated.

The change in trust will affect certificates issued by Symantec as well as Symantec-owned brands like GeoTrust and Thawte. According to Google’s statistics, Symantec-issued certificates represented more than 30% of the valid certificates by volume as of mid-2015.

The post has elicited both messages of support and howls of pain from web site owners.

“LEAVE THE INNOCENT BYSTANDERS ALONE!!!!” read one post in the blink-dev group discussion, which argued that Google was using collective punishment in the place of more targeted actions aimed at a few thousand offending domains. “Be responsible with the power you have, and mindful of the massive collateral damage your actions cause! ***WE*** SUFFER when *you* attack CAs… so STOP IT!!!”

In October, Google announced that it was distrusting the Certificate Authorities WoSign and StartCom over similar issues related to certificate issuance, following similar actions by Apple and Mozilla.

But the action against a premier CA like Symantec is bound to have much broader implications. The company and its various CAs vouch for the identity of some of the Internet's biggest sites, including Paypal.com, Microsoft.com and Yahoo.com. Google's decision to stop recognizing the extended validation status of Symantec certificates for a period of "no less than a year," together with the shrinking maximum age for all Symantec-issued certificates, will force those sites, and tens of thousands of others, to find another provider to vouch for their identity, a move that is bound to cause disruption.
