Google says security firm Symantec has been misissuing certificates, which led to users being exposed to ‘significant dangers’. For that reason, the search engine giant decided to downgrade the level of trust it has in these certificates.
Since it started investigating the matter, Google allegedly found up to 30,000 ‘problematic’ certificates. As a result, by early 2018, Chrome 64 will only trust Symantec certificates issued for 27 days or less. Google has also proposed removing Symantec’s Extended Validation status for at least a year.
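The kind of check an operator would run against their own certificate inventory to see which certificates fall under a policy like the one described above, as an added example that is not part of the original article. It assumes the inventory is in the text format `openssl x509 -noout -subject -issuer -dates` prints, uses the 27-day threshold the article quotes, and treats "issued by Symantec" as the issuer's O component containing the word Symantec; the hostnames, issuer CN and dates in the sample are constructed.

```python
import math
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample inventory in the format that
# `openssl x509 -noout -subject -issuer -dates` prints, one block per certificate.
# Hostnames, the issuer CN and all dates are made up for this example.
SAMPLE_INVENTORY = """\
subject=CN = shop.example.com
issuer=C = US, O = Symantec Corporation, CN = Example Symantec-operated Issuing CA
notBefore=Jan 10 00:00:00 2017 GMT
notAfter=Jan 10 23:59:59 2019 GMT

subject=CN = api.example.com
issuer=C = US, O = Symantec Corporation, CN = Example Symantec-operated Issuing CA
notBefore=Mar  1 00:00:00 2018 GMT
notAfter=Mar 25 23:59:59 2018 GMT

subject=CN = intranet.example.com
issuer=C = US, O = Example Trust Services, CN = Example Issuing CA 1
notBefore=Jun  1 00:00:00 2017 GMT
notAfter=Jun  1 23:59:59 2019 GMT
"""

# Date layout used by openssl's -dates output, e.g. "Mar  1 00:00:00 2018 GMT".
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Split openssl-style output into one dict of key -> value per certificate."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cert = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")  # split only at the first '='
            cert[key.strip()] = value.strip()
        certs.append(cert)
    return certs


def parse_openssl_date(value: str) -> datetime:
    """Turn 'Mar  1 00:00:00 2018 GMT' into an aware UTC datetime."""
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def dn_component(dn: str, attr: str) -> str:
    """Extract one attribute (e.g. 'O' or 'CN') from 'C = US, O = ..., CN = ...'.
    Assumes no attribute value itself contains a comma."""
    for part in dn.split(","):
        name, _, val = part.partition("=")
        if name.strip() == attr:
            return val.strip()
    return ""


def validity_days(cert: Dict[str, str]) -> int:
    """Validity period in calendar days, rounded up so 23:59:59 counts as a full day."""
    delta = parse_openssl_date(cert["notAfter"]) - parse_openssl_date(cert["notBefore"])
    return math.ceil(delta.total_seconds() / 86400)


def evaluate(certs: List[Dict[str, str]], ca_org_keyword: str = "Symantec",
             max_days: int = 27) -> Dict[str, Dict[str, object]]:
    """Apply the policy: certificates whose issuer O contains ca_org_keyword are
    only trusted when their validity period is at most max_days; all others are
    unaffected. Returns a per-hostname summary so it can be fed into a
    replacement queue."""
    findings = {}
    for cert in certs:
        host = dn_component(cert.get("subject", ""), "CN")
        org = dn_component(cert.get("issuer", ""), "O")
        days = validity_days(cert)
        from_ca = ca_org_keyword.lower() in org.lower()
        if not from_ca:
            status = "unaffected"
        elif days <= max_days:
            status = "trusted-short-lived"
        else:
            status = "replace"
        findings[host] = {"issuer_org": org, "validity_days": days, "status": status}
    return findings


if __name__ == "__main__":
    for host, f in evaluate(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{host}: {f['status']} ({f['validity_days']} days, issuer O={f['issuer_org']})")
```

In a real run the inventory would be produced by looping `openssl x509` over every certificate pulled from load balancers, servers and key stores; the script then tells you which ones a browser applying this policy would stop trusting, which is the list that has to be reissued first.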
According to Google, Symantec has not upheld expected security practices. Symantec, on the other hand, finds the comments ‘unexpected’.
“First and foremost, I want to reassure you that you can continue to trust Symantec SSL/TLS certificates. Google has outlined proposals, not actions. We object to its proposals and intend to engage with Google to work through its concerns,” Symantec said in a blog post.
“Issues emerging about the trust and validity of Symantec certificates are just one more example of how fragile the system of trust and privacy for the Internet is, and the reality is that most organisations are not prepared to respond effectively to them,” commented Kevin Bocek, chief cybersecurity strategist, Venafi.
This news also highlights how critical it is for businesses to be able to replace machine identities – keys and certificates used for SSL/TLS – quickly. Even small businesses can change passwords for all employees in minutes, but the largest global businesses with very sophisticated IT operations struggle to respond to an external event like this.
Google is the half-ton gorilla on this issue. It is likely to require the world’s largest banks, retailers, insurers and cloud providers to replace the identities of these questionable Symantec certificates because they turn on padlocks that let users know their transactions are secure.
Solving this problem will be a massive challenge for businesses and governments.”
Image Credit: Antb / Shutterstock