Google, which has accused Symantec and its partners of misissuing tens of thousands of certificates for encrypted web connections, quietly announced Thursday that it’s downgrading the level and length of trust Chrome will place in certificates issued by Symantec.
Encrypted web connections — HTTPS connections like those on banking sites, login pages or news sites like this one — are enabled by Certificate Authorities, which verify the identity of the website owner and issue them a certificate authenticating that they are who they say they are. Think of a Certificate Authority like a passport agency and the certificates they issue like passports. Without the CA’s authentication of a website owner’s identity, users can’t trust that the site on the other end of their HTTPS connection is really their bank.
Symantec is a giant in the world of CAs — its certificates vouched for about 30 percent of the web in 2015. But Google claims that Symantec hasn’t been taking its responsibilities seriously and has issued at least 30,000 certificates without properly verifying the websites that received them. It’s a serious allegation that undermines the trust users can place in the encrypted web, and Google says it will begin the process of distrusting Symantec certificates in its Chrome browser. Symantec lashed out at Google’s claims, calling them “irresponsible” and “exaggerated and misleading.”
“Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years,” Google software engineer Ryan Sleevi wrote in a forum post outlining the case against Symantec. “This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
To remedy the situation, Sleevi said that Chrome would reduce the length of time the browser trusts a Symantec-issued certificate and, over time, would require sites to replace old Symantec certificates with newer, trusted ones.
Sleevi said that Symantec’s behavior failed to meet the baseline requirements for a Certificate Authority, creating what he called “significant risk for Google Chrome users.” He added:
Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.
These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.
Chrome’s spat with Symantec stretches back more than a year. In October 2015, Google discovered that Symantec had misissued certificates for Google itself and for Opera Software.
Symantec investigated the issue and claimed that all of the misissued certificates had been issued as part of routine testing. “Our investigation uncovered no evidence of malicious intent, nor harm to anyone,” Symantec said at the time.
Symantec pushed back on Google’s current allegations Friday, saying that Google had singled out Symantec and had exaggerated the number of misissued certificates leading to the problem in the first place.
“Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates — not 30,000 — were identified as mis-issued, and they resulted in no consumer harm,” Symantec wrote in a blog post. “While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.”
Google’s Sleevi said in another post that Symantec partnered with other CAs — CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A. — that did not follow proper verification procedures, which led to the misissuance of 30,000 certificates.
“Symantec has acknowledged they were actively aware of this for at least one party, failed to disclose this to root programs, and did not sever the relationship with this party,” he wrote. “At least 30,000 certificates were issued by these parties, with no independent way to assess the compliance of these parties to the expected standards. Further, these certificates cannot be technically identified or distinguished from certificates where Symantec performed the validation role.”
While Google and Symantec continue their fight — Symantec said it is “open to discussing the matter with Google in an effort to resolve the situation” — website owners that use Symantec to verify their HTTPS connections will need to start taking steps to ensure Chrome users can access their sites without getting hit with security warnings.
Symantec has severed ties with the four firms associated with the misissued certificates, so Chrome will trust new Symantec certificates going forward — site owners just need to swap out their old certificates for new ones.
Here’s the schedule, according to Sleevi:
To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. This will be accomplished by gradually decreasing the ‘maximum age’ of Symantec-issued certificates over a series of releases, distrusting certificates whose validity period (the difference of notBefore to notAfter) exceeds the specified maximum.
The proposed schedule is as follows:
Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
Chrome 63 (Dev, Beta): 9 months validity (279 days)
Chrome 63 (Stable): 15 months validity (465 days)
Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)
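To make the quoted schedule concrete, here is an added example (written for this page, not code from the article, Google or Symantec) that checks whether a Symantec-issued certificate’s validity period would exceed the cap for a given Chrome release and channel, and reports the first release that would distrust it. The sample certificate dates are constructed, and the code assumes the proposal covers only Chrome 59 through 64.

```python
from datetime import datetime
from typing import Optional

# Proposed cap on the validity period (days) of Symantec-issued certificates per
# Chrome release and channel, transcribed from the schedule quoted above.
# Chrome 63 is the only release whose cap differs between channels.
SCHEDULE = [
    (59, ("dev", "beta", "stable"), 1023),
    (60, ("dev", "beta", "stable"), 837),
    (61, ("dev", "beta", "stable"), 651),
    (62, ("dev", "beta", "stable"), 465),
    (63, ("dev", "beta"), 279),
    (63, ("stable",), 465),
    (64, ("dev", "beta", "stable"), 279),
]

# Constructed sample certificates (not real ones) with 3-, 2- and 1-year validity.
SAMPLE_CERTS = {
    "3-year": (datetime(2016, 1, 1), datetime(2019, 1, 1)),
    "2-year": (datetime(2016, 6, 1), datetime(2018, 6, 1)),
    "1-year": (datetime(2017, 3, 1), datetime(2018, 3, 1)),
}

def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity period as the proposal defines it: notAfter minus notBefore, in days."""
    return (not_after - not_before).days

def max_validity(version: int, channel: str) -> int:
    """Cap in days for one Chrome release on one channel. Assumption: the proposal
    lists only Chrome 59 through 64, so any other version raises ValueError."""
    for v, channels, cap in SCHEDULE:
        if v == version and channel in channels:
            return cap
    raise ValueError(f"no cap in the proposed schedule for Chrome {version} {channel}")

def symantec_cert_trusted(not_before: datetime, not_after: datetime,
                          version: int, channel: str = "stable") -> bool:
    """True if the certificate's validity period does not exceed that release's cap."""
    return validity_days(not_before, not_after) <= max_validity(version, channel)

def first_distrusting_release(not_before: datetime, not_after: datetime,
                              channel: str = "stable") -> Optional[int]:
    """Earliest listed release on this channel that rejects the certificate, or None.
    Caps only shrink across releases, so the first hit in SCHEDULE order is earliest."""
    days = validity_days(not_before, not_after)
    for v, channels, cap in SCHEDULE:
        if channel in channels and days > cap:
            return v
    return None
```

Running first_distrusting_release over SAMPLE_CERTS on the Stable channel gives 59, 61 and 64: even a one-year certificate falls outside the 9-month cap once Chrome 64 ships.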
Symantec, for its part, seems hopeful that Google will back off and not require any changes at all. “We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates. Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post,” the company said.