Google recently announced that it would start progressively distrusting Symantec’s existing certificates over a period of several Chrome releases. Symantec doesn’t seem to like this plan, and it has instead proposed a number of alternative steps that it can take to improve its certificate validation process and prove that it’s properly issuing certificates.
Google To Distrust Symantec CA’s
Back in March, after Symantec was caught improperly issuing thousands of certificates, Google’s Chrome team announced a plan to gradually lower the “maximum age” of Symantec’s certificates to nine months. The Chrome browser would begin distrusting Symantec’s certificates starting with version 59 (it’s now at version 58) and end with version 64, which should be released in early 2018.
After the certificates would expire--in fall of 2018, at the latest--Symantec customers would need to use either new re-validated Symantec certificates or get their certificates from somewhere else. Starting with version 61 of Chrome, all new Symantec certificates would also need to have a maximum age of nine months.
Although there isn’t much Symantec could technically do to stop Google from distrusting its certificates, Symantec hopes to put some pressure on the maker of the most popular browser to reach a compromise. The company intends to show Google that too many companies depend on those certificates and that one year and a half may not be enough for them to transition to new certificates (an argument that may be debatable).
It’s in Symantec’s best interest to keep those customers using its certificates. Forcing those customers to change their certificates in a relatively short amount of time may not just reflect bad on Google, but also on Symantec, which is arguably the most at fault for not securing its certificate issuance processes. Prolonging the certificate expiration process could also help Symantec not lose as many customers to other certificate authorities.
Symantec’s 11-Point Transparency Plan
Symantec wants to double-down on transparency and third-party audits to prove that its certificate validation processes can be trusted. The company has come-up with an 11-point plan for how it can do that.
Symantec will pay a third-party auditor to perform a backward looking audit on all existing (and still valid) certificates. Symantec hopes this audit will be done by August 31, 2017.The company will also commission a third-party auditor to audit valid certificates that have been issued by partners of Symantec that can issue certificates in Symantec’s name. These include companies such as: CrossCert, Certisign, Certsuperior and Certisur. This audit should also be completed by August 31, 2017.The company will also conduct a six-month WebTrust audit for the period from December 1, 2017 to June 30, 2017. Afterwards, a quarterly WebTrust audit will be done for all newly issued certificates. A WebTrust audit can assess the adequacy and effectiveness of the controls employed by the certificate authority.Symantec will publish a quarterly letter to update the community on the progress it has made to improve its processes.The company will recommend the Certificate Authority and Browser (CA/B) Forum additional customer exception requests to baseline requests.Symantec committed to offering more prompt and more technically detailed responses to browsers that inquire about its processes.By August 31, 2017, the company will start offering certificates with only three months of validity for more flexible customers that also want to use its automated issuance services (similar to Let’s Encrypt).The certificate authority company will perform a domain revalidation of all issued certificates that have a validity period longer than nine months, at no extra cost to its customers.Symantec will increases its investment in security and risk assessment, and it will also pay a third-party to conduct a risk assessment of its operations. It expects this audit will be completed by October 31, 2017.The company will begin to offer root certificates or create sub-certificate authorities that focus on certain uses cases. For instance, it may offer a root certificate for closed-system set top boxes or point-of-sale systems.Symantec will begin to use its anti-malware services to look into encrypted websites to see if they pose any threat to internet users.
Being punished by a major browser such as Chrome can sometimes be a death sentence for a certificate authority, which is probably why Symantec seems to take this issue so seriously now. Perhaps without Google’s plan to distrust all of Symantec’s certificates, even gradually, the CA company wouldn’t have taken these steps to improve its processes.
It remains to be seen whether these steps are enough for Google to cancel its plan to distrust Symantec’s certificates. Google was not immediately available for a comment on this issue.