Google’s Chrome team is unhappy with the loose way in which Symantec issues transport layer security (TLS) certificates, and is considering incremental distrust Symantec TLS certificates moving forward. This planned step was announced by Google due to “a continually increasing scope of misissuance” from Symantec. It plans to reduce the trust on the biggest issuers of security certificates gradually, as well as revoke recognition of their extended versions for a year.
Ravi Sleevi, a software engineer on the Google Chrome team, wrote on the Blink online forum that the Chrome developers “no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
Sleevi has proposed a reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less. Furthermore, he also proposes the removal of recognition of the Extended Validation status of all certificates issued by Symantec for at least a year. This will put the company into a lot of pressure, as its customers will then demand a refund. Lastly, Sleevi also proposed “incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.”
Taking into account the last 30,000 certificates issued by Symantec since January 19, Google claims that the security firm hasn’t done enough to verify the site, and ensure that the certificates are issued correctly. “Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs,” Sleevi explains in the forum further claiming that Symantec has failed to follow these principles.
Symantec, on the other hand, strongly opposes these accusations and calls them “exaggerated and misleading”, as per a BBC report. The company claimed that out of the 30,000, only 127 were identified as wrongly issued, and that it feels that Google has ‘singled it out’ over the other certificate issuers that are also at fault. “We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners,” Symantec told BBC in a statement.