Google has announced plans to reduce the trust in Symantec TLS certificates in stages, until a point is reached in early 2018 where Chrome 64 will only trust certificates from the security giant and its subsidiaries that have a validity period of 279 days or less.
Posting to the Blink development mailing list, Google engineer Ryan Sleevi said that following a “series of failures” by Symantec, Google believes its users face significant risk.
“Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years,” Sleevi said.
“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organisations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner, or to identify the significance of the issues reported to them.”
Along with the trust reduction, Sleevi proposed removing Symantec’s Extended Validation status for at least one year, and requiring all existing valid certificates issued by the company to be reissued.
Sleevi pointed out that because Symantec issues more than 30 percent of all certificates, an outright and immediate ban would not be workable, hence the gradual reduction in trust.
“Compatibility risk is especially high for Symantec-issued certificates, due to their acquisition of some of the first CAs [certificate authorities], such as Thawte, Verisign, and Equifax, which are some of the most widely supported CAs,” the Google engineer said.
“Distrusting such CAs creates further difficulty for providing secure connections to both old and new devices alike, due to the need to ensure the CA a site operator uses is recognised across these devices.”
Google has not taken unilateral action against Symantec, because if only one browser distrusts a CA, users view it as a browser issue, Sleevi said.
“Our hope is that this proposal may be seen as one that appropriately balances the security and compatibility risks with the needs of site operators, browsers, and users, and we welcome all feedback,” he said.
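For a site operator wanting to know whether a certificate would fall on the wrong side of the 279-day cap described above, the check reduces to two questions: does the chain root in a Symantec-operated brand, and is notAfter minus notBefore longer than 279 days? The following script is an added example, not code from the article or from Google; it works on dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the three certificates in it are constructed sample data. The brand list (Symantec, Thawte, VeriSign, Equifax) is taken from the names mentioned in the article and is an assumption about how one would identify the affected issuers; the real policy is applied by Chrome to specific root certificates, not by organisation name.

```python
import ssl

# Validity cap stated in the article for Chrome 64 (assumption: measured as
# the whole notBefore..notAfter interval, in days).
MAX_VALIDITY_DAYS = 279

# CA brands named in the article as Symantec-operated (assumption: used here as
# a simple issuer organisationName filter, not Chrome's real root-based match).
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax")


def validity_days(cert):
    """Length of the validity window in days for a getpeercert()-style dict."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def issuer_org(cert):
    """Pull organizationName out of the issuer RDN sequence (empty if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def is_symantec_family(cert):
    org = issuer_org(cert).lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def assess(cert):
    """Return 'not-affected', 'ok', or 'would-be-distrusted' for one certificate."""
    if not is_symantec_family(cert):
        return "not-affected"
    if validity_days(cert) > MAX_VALIDITY_DAYS:
        return "would-be-distrusted"
    return "ok"


# Constructed sample certificates (not real issuance data).
SAMPLE_CERTS = {
    # Three-year Symantec cert: over the cap.
    "shop.example": {
        "issuer": ((("organizationName", "Symantec Corporation"),),),
        "notBefore": "Mar 01 00:00:00 2017 GMT",
        "notAfter": "Mar 01 00:00:00 2020 GMT",
    },
    # Thawte cert valid for 273 days: within the cap.
    "api.example": {
        "issuer": ((("organizationName", "thawte, Inc."),),),
        "notBefore": "Jun 01 00:00:00 2017 GMT",
        "notAfter": "Mar 01 00:00:00 2018 GMT",
    },
    # Long-lived cert from an unrelated CA: the policy does not apply.
    "www.example": {
        "issuer": ((("organizationName", "Example CA Ltd"),),),
        "notBefore": "Mar 01 00:00:00 2017 GMT",
        "notAfter": "Mar 01 00:00:00 2020 GMT",
    },
}


def report(certs=SAMPLE_CERTS):
    """Map each hostname to its verdict."""
    return {host: assess(cert) for host, cert in certs.items()}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host}: {verdict}")
```

Against a live server, `ssl.create_default_context().wrap_socket(...).getpeercert()` returns exactly this dictionary shape, so `assess()` can be run on the leaf certificate a client actually sees; for a real inventory you would also walk the chain rather than trust the leaf's issuer name alone.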
In October 2015, Google fired a warning shot at Symantec, telling it to increase transparency following the issuing of so-called test certificates covering google.com and www.google.com, which the search giant did not request.
It was later found that Symantec had issued test certificates for Opera, as well as 2,458 certificates for domains that were never registered.
By December 2015, Google had distrusted one of Symantec’s root certificates within Chrome and Android.
Earlier this year, Symantec revoked a number of misused certificates covering domains such as example.com, test1.com, test2.com, and test.com.