Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs
Chrome to immediately stop recognizing EV status and gradually nullify all
By Dan Goodin
Mar 23 2017
In a severe rebuke of one of the biggest suppliers of HTTPS credentials,
Google Chrome developers announced plans to drastically restrict transport
layer security certificates sold by Symantec-owned issuers following the
discovery that those issuers had mis-issued more than 30,000 certificates.
Effective immediately, Chrome plans to stop recognizing the extended
validation status of all certificates issued by Symantec-owned certificate
authorities, Ryan Sleevi, a software engineer on the Google Chrome team,
said Thursday in an online forum. Extended validation certificates are
supposed to provide enhanced assurances of a site’s authenticity by showing
the name of the validated domain name holder in the address bar. Under the
move announced by Sleevi, Chrome will immediately stop displaying that
information for a period of at least a year. In effect, the certificates
will be downgraded to less-secure domain-validated certificates.
More gradually, Google plans to update Chrome to effectively nullify all
currently valid certificates issued by Symantec-owned CAs. With Symantec
certificates representing more than 30 percent of the Internet’s valid
certificates by volume in 2015, the move has the potential to prevent
millions of Chrome users from being able to access large numbers of sites.
What’s more, Sleevi cited Firefox data that showed Symantec-issued
certificates are responsible for 42 percent of all certificate validations.
To minimize the chances of disruption, Chrome will stagger the mass
nullification in a way that requires the certificates to be replaced over
time. To do this, Chrome will gradually decrease the “maximum age” of
Symantec-issued certificates over a series of releases. Chrome 59 will cap
validity at no more than 33 months after issuance. By Chrome 64, validity
would be limited to nine months.
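To see what that staggered “maximum age” means for a site operator planning replacements, here is an added example (not code from the article or from Chrome) that computes the effective expiry Chrome would apply to a Symantec-issued certificate in a given release. Only the two caps the article states (Chrome 59: 33 months, Chrome 64: 9 months) are encoded; for releases between them the code falls back to the most recent stated cap, which is a simplifying assumption, not something the article gives.

```python
import calendar
from datetime import date
from typing import Optional

# Validity caps stated in the article, keyed by Chrome release:
# months allowed since the certificate's issuance (notBefore).
# Intermediate releases are deliberately not filled in.
SYMANTEC_MAX_AGE_MONTHS = {59: 33, 64: 9}


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month."""
    years, month_idx = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_idx + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def cap_for_release(release: int) -> Optional[int]:
    """Max age (months) in effect for a Chrome release, or None before Chrome 59.

    Assumption: a release between two stated ones inherits the last stated cap.
    """
    stated = [r for r in SYMANTEC_MAX_AGE_MONTHS if r <= release]
    return SYMANTEC_MAX_AGE_MONTHS[max(stated)] if stated else None


def effective_not_after(not_before: date, not_after: date, release: int) -> date:
    """The date on which the given Chrome release stops accepting the certificate."""
    cap = cap_for_release(release)
    if cap is None:
        return not_after            # no Symantec-specific limit yet
    return min(not_after, add_months(not_before, cap))


def needs_replacement(not_before: date, not_after: date, release: int, on: date) -> bool:
    """True if Chrome `release` would already treat the certificate as expired on `on`."""
    return effective_not_after(not_before, not_after, release) < on


if __name__ == "__main__":
    # Constructed sample: a three-year certificate issued 2016-01-15.
    issued, expires = date(2016, 1, 15), date(2019, 1, 15)
    for rel in (58, 59, 64):
        print(rel, effective_not_after(issued, expires, rel))
```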
Thursday’s announcement is only the latest development in Google’s 18-month
critique of practices by Symantec issuers. In October 2015, Symantec fired
an undisclosed number of employees responsible for issuing test
certificates for third-party domains without the permission of the domain
holders. One of the extended-validation certificates covered google.com and
www.google.com and would have given the person possessing it the ability to
cryptographically impersonate those two addresses. A month later, Google
pressured Symantec into performing a costly audit of its certificate
issuance process after finding the mis-issuances went well beyond what
Symantec had first revealed.
In January, an independent security researcher unearthed evidence that
Symantec improperly issued 108 new certificates. Thursday’s announcement
came after Google’s investigation revealed that over a span of years,
Symantec CAs have improperly issued more than 30,000 certificates. Such
mis-issued certificates represent a potentially critical threat to
virtually the entire Internet population because they make it possible for
the holders to cryptographically impersonate the affected sites and monitor
communications sent to and from the legitimate servers. They are a major
violation of the so-called baseline requirements that major browser makers
impose on CAs as a condition of being trusted by their browsers.