Google announced that the root certificate called “Class 3 Public Primary CA,” which is operated by Symantec, will be removed from Chrome and Android as a trusted root certificate.
The announcement came after Symantec said that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements. Google believes that abiding by those requirements, which reflect the industry’s best practices, is necessary for public certificates to be trusted. Not abiding by them is an “unacceptable risk,” according to Google, which is why it will stop trusting this root certificate in its products.
Symantec notified Google that this root certificate will be used for “purposes other than publicly-trusted certificates,” but it didn’t specify what that means. Google noted that it can no longer ensure that this certificate won’t be used to “intercept, disrupt, or impersonate the secure communication of Google’s products or users.”
Google added that "this step is necessary because this root certificate is widely trusted on platforms such as Android, Windows, and versions of OS X prior to OS X 10.11, and thus certificates Symantec issues under this root certificate would otherwise be treated as trustworthy."
Symantec said that website owners shouldn’t be affected by the removal of this certificate from Chrome and Android. If Symantec’s Class 3 Public Primary CA root can no longer be relied on as a public trust anchor, other operating systems and browsers should follow Google in removing it.
Symantec’s notification to Google about this particular root certificate comes not long after Google began paying close attention to what kind of certificates Symantec is issuing. Earlier this fall, Google discovered that Symantec had issued thousands of unauthorized certificates for domains, including Google’s own, that the domain owners had never requested.
Google even gave Symantec an ultimatum that it needs to start logging all of its certificates in the Certificate Transparency public log system by next summer or it risks having all of its certificates banned from Chrome and Android. Google requested this so that it, and anyone else, can see every certificate Symantec issues and spot any further mis-issuance.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
You can follow him at @lucian_armasu.
Symantec sucks anyways
Symantec is basically abusing its authority as a trusted certificate authority, so Google is saying it is no longer trusted. Google did warn Symantec in the past over the issuing of Google certificates that it had never requested (Google is a certificate authority, so it doesn't need Symantec to issue certificates on Google's behalf).