Google may distrust third of Web SSL certs in Symantec spat
27 March 2017
Google is considering a harsh punishment for repeated incidents in which Symantec or its certificate resellers improperly issued SSL certificates. A proposed plan is to force the company to replace all of its customers’ certificates and to stop recognising the extended validation (EV) status of those that have it.
According to a Netcraft survey from 2015, Symantec is responsible for about one in every three SSL certificates used on the web, making it the largest commercial certificate issuer in the world. As a result of acquisitions over the years the company now controls the root certificates of several formerly standalone certificate authorities including VeriSign, GeoTrust, Thawte and RapidSSL.
SSL/TLS certificates are used to encrypt the connections between browsers and HTTPS-enabled websites and also to verify that users are actually visiting the websites they intended to and not spoofed versions. These certificates are issued by organisations known as certificate authorities, which are trusted by default in browsers and operating systems.
The process of issuing and managing certificates is governed by rules created by the CA/Browser Forum, an organisation whose members include browser vendors and certificate authorities. When those rules are violated, browser and OS vendors can revoke trust in the offending certificates and sanction the responsible certificate authorities, going as far as kicking them out of their root certificate stores.
Google says that an investigation into a recent incident indicates that Symantec has not upheld the security practices expected of certificate authorities, such as validating domain control, auditing logs for evidence of unauthorised issuance, and minimising the scope for fraudulent certificates to be issued.
If Google’s plan is put into practice, millions of existing Symantec certificates will become untrusted in Google Chrome over the next 12 months. This will be a gradual process in which each new Chrome release distrusts a further batch of certificates, starting with Chrome 59, which will revoke trust in certificates that have a validity period of over 33 months.
This will put enormous pressure on Symantec, as the company will have to contact all customers, validate their identity and the ownership of their domains all over again, and replace their existing certificates with new ones, most likely at no cost.
Some companies will likely have problems replacing their certificates on such short notice, as they might be used in payment terminals and other hard-to-reach embedded devices.
In addition to that, Symantec might have to refund customers who paid for EV certificates that will no longer be recognised as such in Chrome, since their value would be significantly reduced. The ban on Symantec EV certificates will last for at least one year.
All replacement certificates issued by Symantec to customers will need to have a validity period of nine months or less in order to be trusted in Chrome. This is likely to cause further problems for some large companies, which won’t be able to easily replace their certificates every nine months.
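The two thresholds the article gives (Chrome 59 distrusting Symantec-chain certificates valid for more than 33 months, and replacements capped at nine months) are the kind of numbers an operator would want to run against a certificate inventory to see which hosts are affected. The script below is an added example, not tooling from Google or Symantec: it parses the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates` prints, counts validity in calendar months (the exact counting rule the browsers use is not stated in the article, so the month arithmetic here is an assumption), and classifies each record. The hostnames, issuer names and dates in `SAMPLE_INVENTORY` are constructed, and matching issuers by brand substring is a deliberate simplification of real chain building.

```python
"""Certificate validity audit keyed on the thresholds stated in the article:
Chrome 59 distrusts Symantec-chain certificates valid for more than 33 months,
and replacement certificates must be valid for nine months or less.
Constructed example; not Google's or Symantec's tooling."""
import calendar
import re
from datetime import datetime, timezone

MAX_MONTHS_CHROME_59 = 33      # threshold stated in the article
MAX_REPLACEMENT_MONTHS = 9     # cap on replacement certificates, per the article

# Root brands the article says Symantec controls; matched as substrings of the
# issuer name (a simplification: real chain building uses the root's key, not a name).
SYMANTEC_BRANDS = ("Symantec", "VeriSign", "GeoTrust", "Thawte", "RapidSSL")

_DATE_LINE = re.compile(r"^(notBefore|notAfter)=(.+)$")
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "Mar 27 00:00:00 2017 GMT"


def parse_openssl_dates(text):
    """Parse the two lines printed by `openssl x509 -noout -dates`."""
    found = {}
    for line in text.strip().splitlines():
        m = _DATE_LINE.match(line.strip())
        if m:
            dt = datetime.strptime(m.group(2).strip(), _OPENSSL_DATE)
            found[m.group(1)] = dt.replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def _add_months(dt, n):
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month0 = divmod(dt.month - 1 + n, 12)
    year, month = dt.year + years, month0 + 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))


def validity_months(not_before, not_after):
    """Whole calendar months between the two instants plus leftover days / 30.
    Assumed approximation (the browsers' exact rule is not in the article);
    it is exact on month anniversaries."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    full = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    if _add_months(not_before, full) > not_after:
        full -= 1
    leftover = not_after - _add_months(not_before, full)
    return full + leftover.total_seconds() / (30 * 86400)


def classify(issuer, months, replacement=False):
    """Map one certificate onto the outcomes the article describes."""
    if not any(brand in issuer for brand in SYMANTEC_BRANDS):
        return "unaffected"
    if replacement:
        return "accepted" if months <= MAX_REPLACEMENT_MONTHS else "replacement-too-long"
    return "distrusted-in-chrome-59" if months > MAX_MONTHS_CHROME_59 else "accepted-for-now"


def audit_inventory(records):
    """records: dicts with host, issuer, dates (openssl -dates text), optional replacement flag."""
    results = []
    for rec in records:
        not_before, not_after = parse_openssl_dates(rec["dates"])
        months = validity_months(not_before, not_after)
        results.append({
            "host": rec["host"],
            "months": round(months, 2),
            "status": classify(rec["issuer"], months, rec.get("replacement", False)),
        })
    return results


# Constructed inventory: hostnames, issuer names and dates are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "shop.example", "issuer": "CN=Symantec Example CA (constructed)",
     "dates": "notBefore=Mar 27 00:00:00 2017 GMT\nnotAfter=Mar 27 00:00:00 2020 GMT"},
    {"host": "api.example", "issuer": "CN=GeoTrust Example CA (constructed)",
     "dates": "notBefore=Jan  1 00:00:00 2016 GMT\nnotAfter=Jan  1 00:00:00 2018 GMT"},
    {"host": "mail.example", "issuer": "CN=Other Example CA (constructed)",
     "dates": "notBefore=Mar 27 00:00:00 2017 GMT\nnotAfter=Mar 27 00:00:00 2020 GMT"},
    {"host": "pay.example", "issuer": "CN=Thawte Example CA (constructed)", "replacement": True,
     "dates": "notBefore=Apr  1 00:00:00 2017 GMT\nnotAfter=Jan  2 00:00:00 2018 GMT"},
]

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['months']:>6} months  {row['status']}")
```

Run as-is it reports the three-year `shop.example` certificate as falling to the Chrome 59 stage, the two-year `api.example` certificate as surviving that stage (though still due for replacement within the 12-month plan), the non-Symantec `mail.example` certificate as unaffected, and the `pay.example` replacement as one day over the nine-month cap. To audit a live fleet, feed each host's `openssl x509 -noout -dates -issuer` output into `dates` and `issuer` instead of the constructed strings.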
Google’s sanctions could have a significant impact on Symantec’s SSL business, as the company is likely to lose customers who are unwilling to put up with these restrictions and will take their business to a different certificate authority (CA).
Browser vendors have punished CAs before for improperly issuing certificates – or “mis-issuing” them, in industry parlance – but never on this scale or with so large an impact on the ecosystem. Some people have always wondered whether browser vendors can really take drastic sanctions against the world’s largest CAs, or whether those authorities are simply too big to fail.