Google To Remove A Symantec Root Certificate From Chrome And Android

By Lucian Armasu
published

Google announced that the root certificate called “Class 3 Public Primary CA,” which is operated by Symantec, will be removed from the Chrome and Android as a trusted root certificate.

The announcement came after Symantec said that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements. Google believes that abiding by those requirements, which reflect the industry’s best practices, is necessary for public certificates to be trusted. Not abiding by them is an “unacceptable risk,” according to Google, which is why it will stop trusting this root certificate in its products.

Symantec notified Google that this root certificate will be used for “purposes other than publicly-trusted certificates,” but it didn’t specify what that means. Google noted that it can no longer ensure that this certificate won’t be used to “intercept, disrupt, or impersonate the secure communication of Google’s products or users.”

Google added that "this step is necessary because this root certificate is widely trusted on platforms such as Android, Windows, and versions of OS X prior to OS X 10.11, and thus certificates Symantec issues under this root certificate would otherwise be treated as trustworthy."

Symantec said that website owners shouldn’t be affected by the removal of this certificate from Chrome and Android. If Symantec's Class 3 Public Primary CA root certificate is no longer safe, then we should soon see it removed from other operating systems and browsers, as well.

Symantec’s notification to Google about this particular root certificate comes not long after Google began paying close attention to what kind of certificates Symantec is issuing. Earlier this fall, Google discovered that thousands of bad Symantec certificates were being issued for certain domains, including Google’s own domains, even though these companies never requested them.

Google even gave Symantec an ultimatum that it needs to start using the Certificate Transparency public log system by next summer next or it risks having all of its certificates banned from Chrome and Android. Google requested this so that it, as well as everyone else, would be able to see if Symantec continues to issue bad certificates.

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
Topics
Security
9 Comments Comment from the forums
  • firefoxx04
    Good for google.

    Symantec sucks anyways
    Reply
  • captaincharisma
    considering Symantec's dire history it will probably improve performance by removing it
    Reply
  • Quixit
    It would probably be a good idea to delete this certificate from your Windows PCs as well. Can't be too careful.
    Reply
  • Haravikk
    On OS X.10 I found two certificates named "Class 3 Public Primary Certification Authority" but both are signed by Verisign, not sure how we're meant to know which ones belong to Symantec.
    Reply
  • SSS_DDK
    Actually had this problem on a friend's laptop (Mac) where Safari wouldn't open the wizzair website. Had to install Firefox to open the website. If this is linked to the bad certificate, let's hope not many more websites keep using it.
    Reply
  • Brzeczyszczykiewicz
    17112771 said:
    On OS X.10 I found two certificates named "Class 3 Public Primary Certification Authority" but both are signed by Verisign, not sure how we're meant to know which ones belong to Symantec.

    From Wiki:

    In 2010, Verisign sold its authentication business unit – which included SSL certificate, PKI, Verisign Trust Seal, and Verisign Identity Protection (VIP) services – to Symantec for $1.28 billion.
    Reply
  • JonnyDough
    Is Google doing this because Symantec is working with the NSA? If so, good for you Google.
    Reply
  • Kostas Kritsilas
    Google is doing this because Symantec is taking too many liberties with assigning certificates, both for certificates for companies that never requested them (including Google certificates) and its statement that it will not abide by the CA/Browser forum requirements,

    Symantec is basically abusing its authority as a trusted certificate authority, so Google is saying it is no longer trusted. Google did warn Symantec in the past over the issuing of Google certificates that it had never requested (Google is a certificate authority, so it doesn't need Symantec to issue certificates on Google's behalf).

    Reply
  • f-14
    i already removed them after the first report symantec was handing out trust like candy to the world for free and i have been removing verisign certificates since windows95b
    Reply