Google to sanction Symantec for misissuing security certificates
In a post on a developers’ forum, Ryan Sleevi, a software engineer on the Google Chrome team, has announced Google’s plan to start gradually distrusting all existing Symantec-issued certificates and to push for their replacement with new, fully revalidated certificates that comply with the current Baseline Requirements.
“As captured in Chrome’s Root Certificate Policy, root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs,” Sleevi explained.
“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.”
Google is also clearly unhappy with how Symantec responded to several certificate-issuance issues that arose in the last two years: a lack of timely updates on its actions, a failure to provide the information the community needed to assess the significance of the issues in a timely manner, and inadequate remediation steps.
Sleevi says that the Google Chrome team has been investigating Symantec Corporation’s failures to properly validate certificates for the last two months, and has concluded that Symantec misissued at least 30,000 certificates.
All this has led to the proposal that Google Chrome gradually decrease the “maximum age” it will accept for Symantec-issued certificates over a series of releases, down to a final validity limit of 9 months in Chrome 64 (the current version of the browser is 57).
Finally, he proposes that Extended Validation certificates issued by Symantec and Symantec-owned certificate authorities no longer be recognised as such, “until such a time as the community can be assured in the policies and practices of Symantec.” This change would mean that Chrome would stop showing the name of the validated domain name holder in the address bar.
While this last change would not affect the availability of the many websites using Symantec-issued certificates, the reduction of their maximum validity period has to be phased in slowly so that it does not seriously disrupt that availability.
“By phasing such changes in over a series of releases, we aim to minimize the impact any given release poses, while still continually making progress towards restoring the necessary level of security to ensure Symantec issued certificates are as trustworthy as certificates from other CAs,” Sleevi noted.
“This proposal allows for web developers to continue to use Symantec issued certificates, but will see their validity period reduced. This ensures that web developers are aware of the risk and potential of future distrust of Symantec-issued certificates, should additional misissuance events occur, while also allowing them the flexibility to continue using such certificates should it be necessary.”
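For a site operator, the practical question raised by a “maximum age” cap is whether an existing certificate’s notBefore-to-notAfter span is longer than the cap and will therefore need reissuing. The script below is an added example, not code from the article or from Google or Symantec: it takes the validity dates of a certificate (the sample dates here are constructed, not real certificates) and checks them against a cap expressed in calendar months, using only the Python standard library. The 9-month figure comes from the article; the helper names, the sample certificates and the month-clamping rule for end-of-month dates are assumptions of this example.

```python
"""Added example: check certificate validity periods against a maximum-age cap.
Not part of the article, nor Chrome's own implementation of the policy."""
import calendar
from dataclasses import dataclass
from datetime import datetime


def add_months(d: datetime, months: int) -> datetime:
    """Shift d forward by whole calendar months. If the target month is shorter,
    the day is clamped to its last day (31 Jan + 1 month -> 28 or 29 Feb).
    This clamping rule is an assumption of the example."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of a certificate: subject plus its notBefore/notAfter dates."""
    subject: str
    not_before: datetime
    not_after: datetime


def validity_days(cert: CertInfo) -> int:
    """Total validity period in days, as a quick sanity figure for reports."""
    return (cert.not_after - cert.not_before).days


def exceeds_max_age(cert: CertInfo, max_months: int) -> bool:
    """True when notAfter lies beyond notBefore + max_months calendar months.
    A certificate valid for exactly max_months is still within the cap."""
    return cert.not_after > add_months(cert.not_before, max_months)


def classify(certs, max_months: int) -> dict:
    """Split an inventory into certificates that fit under the cap and those
    that would have to be reissued with a shorter validity period."""
    result = {"ok": [], "needs_reissue": []}
    for cert in certs:
        bucket = "needs_reissue" if exceeds_max_age(cert, max_months) else "ok"
        result[bucket].append(cert.subject)
    return result


# Constructed sample inventory (hypothetical hostnames and dates, not real certs).
SAMPLE_CERTS = [
    # A three-year certificate: far beyond a 9-month cap.
    CertInfo("www.example-long.test", datetime(2016, 1, 15), datetime(2019, 1, 15)),
    # A six-month certificate: fits comfortably.
    CertInfo("www.example-short.test", datetime(2017, 3, 1), datetime(2017, 9, 1)),
    # Exactly nine months, issued on a month end: the boundary case.
    CertInfo("www.example-edge.test", datetime(2017, 1, 31), datetime(2017, 10, 31)),
]

# Final cap the article reports for Chrome 64.
MAX_MONTHS_CHROME_64 = 9

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(f"{cert.subject}: {validity_days(cert)} days, "
              f"exceeds {MAX_MONTHS_CHROME_64}-month cap: "
              f"{exceeds_max_age(cert, MAX_MONTHS_CHROME_64)}")
    print(classify(SAMPLE_CERTS, MAX_MONTHS_CHROME_64))
```

In practice the notBefore and notAfter values would be read from the deployed certificate (for instance with `openssl x509 -noout -dates`) rather than typed in, and the cap would be adjusted release by release as the phased schedule takes effect.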
Symantec is still preparing a full response to this proposal.