Google To Distrust Symantec Certificates

Google announced that it will start gradually distrusting Symantec’s certificates, after Symantec was caught improperly issuing 30,000 certificates over the past few years. Symantec’s Extended Validation (EV) certificates will also no longer be recognized--effective immediately--for at least a year, until the company fixes its certificate issuance processes to the point where they can be trusted again.

Google's Eventful History With Bad Symantec Certificates

Back in 2015, Google discovered that one of Symantec’s EV certificates was issued for its domain, even though the company never requested nor authorized it. The whole point of EV certificates is to prove that the company owning that certificate is who it says it is. If EV certificates for certain domain names are being issued to other entities that don’t own those domain names, then there would be no value in website developers even getting EV certificates anymore. The credibility of those certificates would be compromised.

A month later, after Symantec did an internal audit and after Google took a closer look at how Symantec was issuing certificates, the two companies learned that there were over 2,000 certificates that were improperly issued. Following this new discovery, Google required Symantec to adopt the Certificate Transparency monitoring system for issued certificates by the following summer, so that new certificates that are incorrectly issued are easier to catch.

Later in 2015, Google announced that it would remove one of Symantec’s root certificates (Class 3 Public Primary CA) from Chrome and Android as a trusted root certificate.

Symantec’s Untrustworthy Certificate Validation System

Google’s Chrome team has been investigating a series of failures by Symantec to properly validate its certificates. During the investigation, the Chrome team learned with each new question they were posing to Symantec that the certificate authority’s (CA) validation processes were not up to par. As such, while the initial investigation discovered 127 improperly issued certificates, that number eventually turned into 30,000 certificates that Symantec had issued incorrectly over the past few years.

To restore the confidence users have in the Chrome browser and its ability to keep website communications secure, Google proposed the following steps:

A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

Google plans to gradually reduce the “maximum age” of Symantec certificates over the course of several Chrome releases. The proposed schedule to distrust existing Symantec certificates is as follows:

Chrome 59 (Dev, Beta, Stable): 33 months validity (1,023 days)Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)Chrome 63 (Dev, Beta): 9 months validity (279 days)Chrome 63 (Stable): 15 months validity (465 days)Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)

Therefore, starting with Chrome 64, all existing Symantec certificates will be assigned a validity period of nine months from that point forward. Chrome 64 is expected to come out early 2018. Starting with Chrome 61, new Symantec certificates will have to be no more than nine months old.

Google added that it recognizes that having only one browser distrust a CA may bring the blame to that browser, when things start breaking for both website operators and users, rather than on the CA that failed to validate its issuance processes. This is why the company hopes that the other browser vendors will take similar action against Symantec, as they have done before against WoSign.

The recent restrictions applied to both WoSign and Symantec should put all certificate authorities on alert, if their issuance procedures aren’t properly audited and validated. The browser vendors may soon start looking for new places in which certificates aren’t properly validated, and may put similar restrictions on those CAs. Such restrictions can mean serious consequences for the bottom line of a CA, but it’s also the only real way to ensure that they don’t misbehave or don’t take the security of their certificates seriously.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • dutty handz
    Isn't Chrome using the certificates store from Windows ? I know Mozilla uses its own certificate store, but I was lead to believe that Chrome was using Windows certificate store, as in our company we add certificates through GPO to the Windows Certificate store and those imported certificates are then used in Chrome.
  • Ashraf_17
    I think Symantec is a garbage of duplicates, Keep Going Symantec. Still Certificate Authorities are silent.
  • dark_lord69
    "Symantec’s Untrustworthy Certificate Validation System"
    You didn't have to say the "Certificate Validation System" part.

    Their software is a Joke. The corporation I work for used all of their software and it all sucks and crashes all the time. They need to just give up or fire half the company and keep any GOOD programmers or just sell the whole company.
  • SinxarKnights
    Uh wow that is quite nasty.
  • AdkEric
    Shit company at war with another shit company....
  • tsnor
    Wow. They were making fake "trusted" certificates. I wonder what they were used for, and by whom.

    Great article, glad you posted it.
  • SinxarKnights
    19472251 said:
    I wonder what they were used for, and by whom.

    Yeah me too. That is actually sorta scary there are so many fake ones in the wild.
  • tsnor
    19467664 said:
    Isn't Chrome using the certificates store from Windows ? I know Mozilla uses its own certificate store, but I was lead to believe that Chrome was using Windows certificate store, as in our company we add certificates through GPO to the Windows Certificate store and those imported certificates are then used in Chrome.

    You are correct for adding certificate:

    "Google Chrome

    "Google Chrome attempts to use the root certificate store of the underlying operating system to determine whether an SSL certificate presented by a site is indeed trustworthy, with a few exceptions.
    Root Certificate Programs

    "In order for Chrome to be able to trust a root certificate, it must either be included by the underlying operating system or explicitly added by users. If you are a root CA, the following contacts should be used:
    Microsoft Windows: Microsoft Root Certificate Program.
    Apple OS X: Apple Root Certificate Program
    Linux: There is no central root certificate program as part of Linux. When running on Linux, Google Chrome uses the Mozilla Network Security Services (NSS) library to perform certificate verification. When packaged or built from source, NSS includes certificates vetted according to the Mozilla Root Certificate Program. For most Linux users, it is sufficient that once included in the Mozilla Root Program, users of Google Chrome should see your root CA as trusted. However, please be aware that Linux distributions which package NSS may further alter this list with additions or removals based on local, distribution-specific root certificate programs, if any."

    However there are also two processes for REVOKING trust on an issued certificate. One uses "Certificate Revocation Lists" which are not used by default except for EV certificate like the ones listed here. The other process is a batch update process where google collects all the revoked certificates and sends them as a batch update to chrome.
  • memadmax
    I work for a very large anti-virus company and I can tell you this: this little feud is causing havoc on a scale never before seen... Behind the scenes of course...

    Anyways, it's quieted down a bit, hopefully it stays that way...