Friday March 24, 2017

Google Doesn't Trust Symantec Security Checks

Google Chrome will start rejecting some certificates issued by Symantec on the grounds that Symantec has not been validating them properly. According to a post from Google's Chrome team, an investigation that began with 127 mis-issued certificates grew to some 30,000 suspect certificates, both standard and Extended Validation. Symantec is very upset and called Google's claims "exaggerated and irresponsible." They also want to know why they are being singled out when other certificate authorities have been accused of the same thing. The end result is that Chrome will begin warning users about certificate problems at websites using Symantec certificates, and some sites will be blocked outright by the browser.

Regardless of Symantec's feelings, they should take responsibility and fix the issue. All of this hoping that it will be swept under the rug and forgotten isn't going to fix the issue. I think Google is in the right in regards to this matter.


As captured in Chrome’s Root Certificate Policy, root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs.

On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.

These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.
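The duties the quoted policy lists (domain-control validation before issuance, regular review of issuance records for unauthorized certificates, and tight control over who can trigger issuance) are also things a domain owner can check from the outside, for instance by feeding Certificate Transparency records through a small audit. The script below is an added example and is not code from the original post, from Google or from Symantec; the record format, the domains, the CA names, the requester roster and the sample log entries are all constructed for illustration.

```python
"""Audit a batch of certificate-issuance records for signs of unauthorized issuance.

Added example, not part of the original news post. The Issuance format, the
policy tables and SAMPLE_LOG are constructed; in practice the records would
come from a Certificate Transparency log monitor or the CA's own audit log.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Issuance:
    serial: str
    issuer: str
    names: Tuple[str, ...]   # subject CN plus SANs
    not_before: date
    validation: str          # domain-control method the CA recorded, or "none"
    requester: str           # party that triggered issuance on the CA's systems


# Constructed policy: which CAs each domain we own has authorized (CAA-style).
MONITORED_DOMAINS: Dict[str, Set[str]] = {
    "example.com": {"Example CA Root"},
    "shop.example.net": {"Example CA Root", "Other Trusted CA"},
}
# Constructed roster: parties allowed to trigger issuance on each CA we track.
AUTHORIZED_REQUESTERS: Dict[str, Set[str]] = {
    "Example CA Root": {"ca-ops"},
    "Other Trusted CA": {"ra-desk"},
}
# Domain-control methods we accept as evidence of validation (constructed labels).
ACCEPTED_VALIDATION: Set[str] = {"dns-01", "http-01", "email"}


def owning_domain(name: str, monitored: Iterable[str]) -> Optional[str]:
    """Return the longest monitored domain covering `name` (exact or subdomain).

    A wildcard such as *.shop.example.net is matched on its base label.
    """
    host = name.lower()
    if host.startswith("*."):
        host = host[2:]
    best = None
    for domain in monitored:
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def audit(records: Iterable[Issuance],
          monitored: Dict[str, Set[str]] = MONITORED_DOMAINS,
          requesters: Dict[str, Set[str]] = AUTHORIZED_REQUESTERS,
          accepted: Set[str] = ACCEPTED_VALIDATION,
          since: Optional[date] = None) -> List[Tuple[str, str]]:
    """Return (serial, reason) findings for records that touch our domains.

    Three checks mirror the CA duties in the text: the issuer must be one the
    domain authorized, the CA must have performed an accepted domain-control
    validation, and issuance must have been triggered by a known party.
    """
    findings: List[Tuple[str, str]] = []
    for rec in records:
        if since is not None and rec.not_before < since:
            continue
        covered = set()
        for n in rec.names:
            d = owning_domain(n, monitored)
            if d:
                covered.add(d)
        if not covered:
            continue  # certificate is for someone else's domain; nothing to audit
        for d in sorted(covered):
            if rec.issuer not in monitored[d]:
                findings.append((rec.serial, f"{rec.issuer} is not authorized to issue for {d}"))
        if rec.validation not in accepted:
            findings.append((rec.serial, f"no accepted domain-control validation (got {rec.validation!r})"))
        # Only check the requester for CAs whose roster we actually know.
        if rec.issuer in requesters and rec.requester not in requesters[rec.issuer]:
            findings.append((rec.serial, f"issuance triggered by unauthorized party {rec.requester!r}"))
    return findings


# Constructed sample log: one clean record, three bad ones, one not ours.
SAMPLE_LOG = [
    Issuance("01", "Example CA Root", ("www.example.com", "example.com"), date(2017, 3, 1), "dns-01", "ca-ops"),
    Issuance("02", "Unexpected CA", ("example.com",), date(2017, 3, 2), "http-01", "unknown"),
    Issuance("03", "Example CA Root", ("*.shop.example.net",), date(2017, 3, 3), "none", "ca-ops"),
    Issuance("04", "Example CA Root", ("login.example.com",), date(2017, 3, 4), "email", "partner-ra"),
    Issuance("05", "Unexpected CA", ("other.org",), date(2017, 3, 5), "none", "unknown"),
]


if __name__ == "__main__":
    for serial, reason in audit(SAMPLE_LOG):
        print(f"serial {serial}: {reason}")
```

Run as-is it reports serials 02 (issuer the domain never authorized), 03 (issued with no domain-control validation) and 04 (issuance triggered by a party outside the CA's roster); record 05 is ignored because it is not for a monitored domain, which is the usual noise filter when watching public CT logs. The `since` parameter lets the same check run incrementally against new log entries only.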
