Friday, 24 March 2017 09:14

Google to reduce trust level in Symantec-issued certificates


Google will reduce the trust level in Symantec-issued certificates following an investigation into a series of incidents where such certificates failed to validate properly.

The Chrome team said in a statement that its investigation, under way since 19 January, had elicited answers from Symantec that pointed to growing mis-issuance of certificates.

An initial set of 127 certificates had expanded to nearly 30,000 issued over several years, the team said.

Additionally, there was a previous instance of mis-issued certificates, in October 2015. In that case, 23 test certificates had been issued without the domain owner's knowledge, covering five organisations including Google and Opera.

In the same case, further probes by Symantec revealed that there were an additional 164 certificates over 76 domains and 2458 certificates issued for domains that were never registered.

The Chrome team said it was proposing to take the following steps:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimise any impact to Google Chrome users from any further mis-issuances that may arise;
  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced; and
  • Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community could be assured of the policies and practices of Symantec, but no sooner than one year.

The statement also accused Symantec of not providing timely public updates about these issues.

"Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned," the statement said.

"The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy."

The Chrome team said it would be gradually reducing the level of trust in all Symantec-issued certificates as per the following timetable:

  • Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days);
  • Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days);
  • Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days);
  • Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days);
  • Chrome 63 (Dev, Beta): 9 months validity (279 days);
  • Chrome 63 (Stable): 15 months validity (465 days); and
  • Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days).
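For a site operator auditing an inventory of Symantec-issued certificates, the timetable above can be turned into a simple check: given a certificate's notBefore/notAfter dates and a Chrome channel, find the first release whose validity cap the certificate exceeds. This is an added example, not Google's or Symantec's code; the hostnames and dates in the sample inventory are constructed.

```python
from datetime import date

# Validity caps per Chrome release, in days, as listed in the article:
# (release, channels the cap applies to, maximum accepted validity).
SYMANTEC_VALIDITY_CAPS = [
    ("Chrome 59", ("Dev", "Beta", "Stable"), 1023),
    ("Chrome 60", ("Dev", "Beta", "Stable"), 837),
    ("Chrome 61", ("Dev", "Beta", "Stable"), 651),
    ("Chrome 62", ("Dev", "Beta", "Stable"), 465),
    ("Chrome 63", ("Dev", "Beta"), 279),
    ("Chrome 63", ("Stable",), 465),
    ("Chrome 64", ("Dev", "Beta", "Stable"), 279),
]
# Proposed cap for newly issued Symantec certificates: nine months (279 days).
NEW_ISSUANCE_CAP_DAYS = 279

def validity_days(not_before, not_after):
    """Validity period as notAfter minus notBefore, in whole days."""
    return (not_after - not_before).days

def first_distrusting_release(not_before, not_after, channel="Stable"):
    """First release, for the given channel, whose cap the certificate exceeds; None if it fits all."""
    days = validity_days(not_before, not_after)
    for release, channels, cap in SYMANTEC_VALIDITY_CAPS:
        if channel in channels and days > cap:
            return release
    return None

def audit(certs, channel="Stable"):
    """Per-certificate summary for an inventory of (label, not_before, not_after)."""
    report = {}
    for label, nb, na in certs:
        days = validity_days(nb, na)
        report[label] = {
            "days": days,
            "distrusted_from": first_distrusting_release(nb, na, channel),
            "fits_new_issuance_cap": days <= NEW_ISSUANCE_CAP_DAYS,
        }
    return report

# Constructed sample inventory (hypothetical hostnames and dates, not from the article).
SAMPLE_CERTS = [
    ("shop.example.test (3-year)", date(2016, 6, 1), date(2019, 6, 1)),
    ("api.example.test (2-year)", date(2017, 1, 1), date(2019, 1, 1)),
    ("www.example.test (1-year)", date(2017, 3, 1), date(2018, 3, 1)),
]
if __name__ == "__main__":
    for label, info in audit(SAMPLE_CERTS).items():
        print(label, info)
```

A release of None means the certificate fits every cap in the schedule; anything else names the release from which Chrome on that channel would stop accepting it, so replacement has to land before that release ships.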

While the issue had been communicated to Mozilla, Microsoft and Apple, the Chrome team said: "Assessing the compatibility risk with both Edge and Safari is difficult, because neither Microsoft nor Apple communicate publicly about their changes in trust prior to enacting them."

It said while Mozilla conducted discussions regarding Certificate Authorities in public, it had not started discussing how best to protect users of the Firefox browser.

"Our hope is that this proposal may be seen as one that appropriately balances the security and compatibility risks with the needs of site operators, browsers, and users, and we welcome all feedback," the statement said.




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


