Google ditches Symantec over sloppy certs

Google Chrome developers have announced that they will limit the transport layer security certificates sold by Symantec-owned issuers with an immediate effect.

The announcement from Google Chrome base came after the Symantec was found to have bad certificate-issuance practices. One of the biggest suppliers of HTTPS credentials has allegedly mis-issued over 30,000 certificates.

Ryan Sleevi, a staff software engineer at Google posted “ Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years” .

Also, Sleevi wrote that Chrome will stop acknowledging the extended validation status of all certs issued by Symantec-owned certificate authorities. All these certs were used to display the name of the validated domain name holder within the address bar- a feature which enhances the security. He also assured that Chrome will not support that data for at least a year.

" Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them," Sleevi explained. " This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs."

He claimed that Symantec did not adhere to these principles, and it may pose a " significant risk" for users of Google’ s Chrome

" Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations' failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them," Sleevi added on his post.

And, Sleevi concluded his post by stating that, Team Google Chrome’ s confidence on Symantec has diminished, and will not grant Symantec-issued certificates the ' Extended Validation' status.

The move from Chrome will have a big impact as Symantec certs accounts for more than 30 percent of the internet' s valid certificates. Potentially, Chrome users will no longer be able to access a vast range of sites.

Symantec, on its part, addressed the issue by strongly objecting the move from Google. It released a statement on Friday stating that

For its part, Symantec issued a statement on Friday " strongly" objecting to Google' s move, saying the action was unexpected and dissed the claims made by Google Chrome on its blog as irresponsible.

" Google' s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading," the statement read. " For example, Google' s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates &ndash not 30,000 &ndash were identified as miss-issued, and they resulted in no consumer harm."

Symantec stated that it has taken measures to fix this particular problem and terminated the partner' s designation as a registration authority (RA).