
Google To Deprecate and Remove Trust From 30,000 Symantec-issued Extended Validation Certificates

     
8:48 pm on Mar 24, 2017 (gmt 0)

Administrator from GB: engine
joined:May 9, 2000
posts:26181
votes: 966


Google Chrome intends to deprecate and remove trust in Symantec-issued Extended Validation certificates.

According to Google, a continually increasing scope of misissuance means the company has taken this move, involving at least 30,000 certificates issued.

Google proposes...
  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
  • Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates [groups.google.com]

Symantec has hit back with an official blog post strongly objecting to Google's action, calling it "unexpected" and the "blog post was irresponsible."

    Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm.

Symantec Backs Its CA [symantec.com]

I have to admit, on the face of it, Google's action does seem very public without any apparent dialog with Symantec.
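The three measures in the proposal above give a site operator three concrete questions to ask of every certificate in an inventory: is it Symantec-issued (and so in scope of the incremental distrust and the loss of EV display), and, if it was issued after the proposal, does its validity period exceed the proposed nine-month cap? The script below is an added example written for this thread, not code from Google, Symantec or any poster; it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions can be pointed at live peer certificates. The sample certificates are constructed, the issuer rule (an `organizationName` containing "Symantec") and the 270-day approximation of "nine months" are assumptions, and the cut-off date used for "newly issued" is taken as the March 2017 announcement date.

```python
import ssl
from datetime import datetime, timezone

# Assumption: "nine months or less" from the proposal, approximated as 270 days.
NINE_MONTHS_DAYS = 9 * 30
# Assumption: treat certificates issued on or after the March 2017 announcement
# as "newly issued" for the validity-period rule.
PROPOSAL_DATE = datetime(2017, 3, 23, tzinfo=timezone.utc)

# Constructed sample certificates in the shape returned by
# ssl.SSLSocket.getpeercert(); names and dates are invented for illustration.
SYMANTEC_SAMPLE = {
    "subject": ((("commonName", "shop.example.invalid"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Symantec Corporation"),),
        (("commonName", "Example Symantec Intermediate CA (constructed)"),),
    ),
    "notBefore": "Jan 10 00:00:00 2017 GMT",  # issued before the proposal
    "notAfter": "Jan 09 23:59:59 2019 GMT",   # roughly two years of validity
}
NEW_SYMANTEC_SAMPLE = {
    "subject": ((("commonName", "api.example.invalid"),),),
    "issuer": ((("organizationName", "Symantec Corporation"),),),
    "notBefore": "Apr 01 00:00:00 2017 GMT",  # issued after the proposal
    "notAfter": "Mar 31 23:59:59 2018 GMT",   # one year, over the nine-month cap
}
OTHER_SAMPLE = {
    "subject": ((("commonName", "blog.example.invalid"),),),
    "issuer": ((("organizationName", "Example CA Ltd (constructed)"),),),
    "notBefore": "Apr 01 00:00:00 2017 GMT",
    "notAfter": "Jun 30 23:59:59 2017 GMT",
}


def _name_attr(rdn_sequence, attr):
    """Return the first value of `attr` from a getpeercert()-style name."""
    for rdn in rdn_sequence:
        for name, value in rdn:
            if name == attr:
                return value
    return ""


def is_symantec_issued(cert):
    # Assumption: match on the issuer's organizationName only; Symantec also
    # issued under other brand names, which a real inventory would add here.
    return "symantec" in _name_attr(cert.get("issuer", ()), "organizationName").lower()


def validity_days(cert):
    """Length of the validity period in days (notBefore to notAfter)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def not_before(cert):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)


def assess(cert, proposal_date=PROPOSAL_DATE):
    """Classify one certificate against the three proposed measures."""
    symantec = is_symantec_issued(cert)
    days = validity_days(cert)
    issued_after = not_before(cert) >= proposal_date
    exceeds_cap = symantec and issued_after and days > NINE_MONTHS_DAYS
    findings = []
    if symantec:
        findings.append("in scope of the incremental distrust: plan revalidation and replacement")
        findings.append("EV status would no longer be displayed by Chrome")
    if exceeds_cap:
        findings.append(f"validity of {days:.0f} days exceeds the proposed nine-month cap")
    return {
        "subject": _name_attr(cert.get("subject", ()), "commonName"),
        "symantec_issued": symantec,
        "validity_days": days,
        "issued_after_proposal": issued_after,
        "exceeds_proposed_cap": exceeds_cap,
        "findings": findings,
    }


def needs_replacement(certs):
    """Subject names of every certificate the proposal would force to be replaced."""
    return [r["subject"] for r in map(assess, certs) if r["symantec_issued"]]


if __name__ == "__main__":
    for cert in (SYMANTEC_SAMPLE, NEW_SYMANTEC_SAMPLE, OTHER_SAMPLE):
        report = assess(cert)
        print(report["subject"], "->", report["findings"] or ["no action"])
```

To run it against a live endpoint, replace the constructed samples with the dictionary from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`; the rest of the logic is unchanged. Note that a certificate issued before the announcement with a two-year lifetime is still flagged for replacement (the incremental distrust covers all existing certificates) but not for the validity cap, which the proposal applies only to newly issued ones.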
    10:48 am on Mar 25, 2017 (gmt 0)

    Moderator from US: robert_charlton
    joined:Nov 11, 2000
    posts:12311
    votes: 395


    A hashtag in the link above to the Google Groups post is broken in the WebmasterWorld redirect script. Here's a link that works to the Google Groups announcement....

    Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates
    announcement
    [groups.google.com...]

    Additionally, here's a working link to a Google Groups discussion thread from the first post above, but all the posts in the thread are collapsed...

    Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates
    71 posts by 40 authors
    [groups.google.com...]

    Note that the expanded first post in the discussion thread explains and perhaps softens Google's action as described in the above announcement somewhat, so I'm quoting it at length....

    As (perhaps incompletely) explained in the initial message, [groups.google.com...] , this only proposes a change in trust status related to the "existing" Symantec-issued certificates, and describes a proposal on how to restore that trust to sufficient levels, so as to avoid the need to distrust any root CAs. Distrusting the root CA keys involved carries with it a non-trivial degree of compatibility and interoperability risk, as explained, and so this proposal is an attempt to find a balance between that risk and the security needs of users and site operators - both those that have Symantec-issued certificates and those that do not.

    As explained earlier on this thread, while the set of 30,000 certificates relate to those improperly validated by improperly supervised delegated third parties, the inability to technically identify these certificates or sufficiently independently assess that the issues are limited to these certificates make it necessary to either accept an unknown security risk, or to take appropriate measures, as proposed, to balance that risk. As Symantec has already indicated they have terminated their relationship with these partners regarding new certificate issuance, we have some degree of assurance that new certificates will comply with the expected policies and practices. As with any CA, there is an element of trust inherent in making such a decision, but anything short of distrust inherently means to trust. This proposal attempts to restore that trust to the sufficient and necessary level, by describing a process and set of changes that can be made to Chrome to provide a sufficient level of assurance, and to mitigate further risks should that trust be found to be misplaced.

    There's also an Ars Technica article about the developments over time
    Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated]
    Dan Goodin 03/24/2017
    [arstechnica.com...]

    Noted in the article (my emphasis added)...
    Thursday's announcement is only the latest development in Google's 18-month critique of practices by Symantec issuers. In October 2015, Symantec fired an undisclosed number of employees responsible for issuing test certificates for third-party domains without the permission of the domain holders. One of the extended-validation certificates covered google.com and www.google.com and would have given the person possessing it the ability to cryptographically impersonate those two addresses. A month later, Google pressured Symantec into performing a costly audit of its certificate issuance process after finding the mis-issuances went well beyond what Symantec had first revealed.

    Don't miss the comments after the articles.

    As a personal aside, based on grim experience with Symantec, I'm wondering whether Google might have only managed to get through to Symantec Level One tech support, in which case it's very likely that a lot of time was wasted waiting on the phone, but no useful information was exchanged. ;) :(

    6:24 pm on Mar 26, 2017 (gmt 0)

    Senior Member: ergophobe
    joined:Apr 25, 2002
    posts:8637
    votes: 283


    Or Symantec was only able to contact Google by clicking on the "Was this page helpful" link and sending feedback in the comments.
    6:54 am on Mar 27, 2017 (gmt 0)

    Moderator from US: robert_charlton
    joined:Nov 11, 2000
    posts:12311
    votes: 395


    Or Symantec was only able to contact Google by clicking on the "Was this page helpful" link and sending feedback in the comments.
    ;)

    ...OR, both Google and Symantec were unsuccessful and as an alternative tried using Google Groups, only to discover that neither company could find the same post twice. ;)

    5:41 pm on Mar 29, 2017 (gmt 0)

    Full Member

    10+ Year Member

    joined:July 29, 2003
    posts: 256
    votes: 2


    Namecheap is offering free Comodo SSL certificates as a replacement for Symantec ones, for the full term left on the certs.

    [namecheap.com...]