Home / News

Google to Distrust Symantec-Issued Certificates Amid Misuse

“Google to sanction Symantec for misissuing security certificates” – Zeljka Zorz reporting in Help Net Security: “In a post on a developers’ forum [link], software engineer on the Google Chrome team Ryan Sleevi has announced Google’s plan to start gradually distrust all existing Symantec-issued certificates, and push for their replacement with new, fully revalidated certificates that will be compliant to the current baseline requirements. ... Sleevi says that the Google Chrome team has been investigating Symantec Corporation’s failures to properly validate certificates for the last two months, and they concluded that at least 30,000 certificates have been misissued by them.”

Update / Symantec Backs Its CA: Symantec today published a blog post strongly objecting to Google’s action – “We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. ... Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. ... We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed. While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.”

Symantec vs. Google: The CA Fight Continues. What do you need to know? Johannes Ullrich / March 27: “Regardless if we agree or do not agree with Google’s action on this, here are some of the issues you need to be aware off: 1. Right now, this is just a proposal. Nothing has been implemented yet, and Google may change its mind, or change its schedule. 2. This issue will only affect Google Chrome users. Google Chrome is by some counts currently the most commonly used browser. But it will only affect HTTP(S), not other services like imap that are not supported by Chrome. It will also not affect internal web services that are not used by browsers…”

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com