Google To Distrust Symantec Certificates

Google announced that it will start gradually distrusting Symantec’s certificates, after Symantec was caught improperly issuing 30,000 certificates over the past few years. Symantec’s Extended Validation (EV) certificates will also no longer be recognized, effective immediately, for at least a year, until the company fixes its certificate issuance processes to the point where they can be trusted again.

Google's Eventful History With Bad Symantec Certificates

Back in 2015, Google discovered that one of Symantec’s EV certificates was issued for its domain, even though the company never requested nor authorized it. The whole point of EV certificates is to prove that the company owning that certificate is who it says it is. If EV certificates for certain domain names are being issued to other entities that don’t own those domain names, then there would be no value in website developers even getting EV certificates anymore. The credibility of those certificates would be compromised.

A month later, after Symantec did an internal audit and after Google took a closer look at how Symantec was issuing certificates, the two companies learned that there were over 2,000 certificates that were improperly issued. Following this new discovery, Google required Symantec to adopt the Certificate Transparency monitoring system for issued certificates by the following summer, so that new certificates that are incorrectly issued are easier to catch.

Later in 2015, Google announced that it would remove one of Symantec’s root certificates (Class 3 Public Primary CA) from Chrome and Android as a trusted root certificate.

Symantec’s Untrustworthy Certificate Validation System

Google’s Chrome team has been investigating a series of failures by Symantec to properly validate its certificates. With each new question the Chrome team posed to Symantec during the investigation, it learned that the certificate authority’s (CA) validation processes were not up to par. As such, while the initial investigation discovered 127 improperly issued certificates, that number eventually turned into 30,000 certificates that Symantec had issued incorrectly over the past few years.

To restore the confidence users have in the Chrome browser and its ability to keep website communications secure, Google proposed the following steps:

- A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
- An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
- Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

Google plans to gradually reduce the “maximum age” of Symantec certificates over the course of several Chrome releases. The proposed schedule to distrust existing Symantec certificates is as follows:

- Chrome 59 (Dev, Beta, Stable): 33 months validity (1,023 days)
- Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
- Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
- Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
- Chrome 63 (Dev, Beta): 9 months validity (279 days)
- Chrome 63 (Stable): 15 months validity (465 days)
- Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)

Therefore, starting with Chrome 64, all existing Symantec certificates will be assigned a validity period of nine months from that point forward. Chrome 64 is expected to come out in early 2018. Starting with Chrome 61, new Symantec certificates will have to be no more than nine months old.

Google added that it recognizes that when only one browser distrusts a CA and things start breaking for website operators and users, the blame may fall on that browser rather than on the CA that failed to validate its issuance processes. This is why the company hopes that the other browser vendors will take similar action against Symantec, as they have done before against WoSign.

The recent restrictions applied to both WoSign and Symantec should put on alert any certificate authority whose issuance procedures aren’t properly audited and validated. The browser vendors may soon start looking for other places in which certificates aren’t properly validated, and may put similar restrictions on those CAs. Such restrictions can mean serious consequences for the bottom line of a CA, but they are also the only real way to ensure that CAs don’t misbehave and that they take the security of their certificates seriously.