Home Security Google to reduce trust level in Symantec-issued certificates

Google will reduce the trust level in Symantec-issued certificates following an investigation into a series of incidents where such certificates failed to validate properly.

The Chrome team said in a statement that its investigation, since 19 January, had resulted in unearthing answers from Symantec that indicated growing mis-issuance of certificates.

An initial set of what were 127 certificates had expanded to cover nearly 30,000 issued over several years, the team said.

Additionally, there was a previous instance of mis-issued certificates, in October 2015. In that case, 23 test certificates had been issued without the domain owner's knowledge, covering five organisations including Google and Opera.

In the same case, further probes by Symantec revealed that there were an additional 164 certificates over 76 domains and 2458 certificates issued for domains that were never registered.

The Chrome team said it was proposing to take the following steps:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimise any impact to Google Chrome users from any further mis-issuances that may arise;
  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced; and
  • Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community could be assured of the policies and practices of Symantec, but no sooner than one year.

The statement also accused Symantec of not providing timely public updates about these issues.

"Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned," the statement said.

"The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy."

The Chrome team said it would be gradually reducing the level of trust in all Symantec-issued certificates as per the following timetable:

  • Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days);
  • Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days);
  • Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days);
  • Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days);
  • Chrome 63 (Dev, Beta): 9 months validity (279 days);
  • Chrome 63 (Stable): 15 months validity (465 days); and
  • Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days).

While the issue had been communicated to Mozilla, Microsoft and Apple, the Chrome team said: "Assessing the compatibility risk with both Edge and Safari is difficult, because neither Microsoft nor Apple communicate publicly about their changes in trust prior to enacting them."

It said while Mozilla conducted discussions regarding Certificate Authorities in public, it had not started discussing how best to protect users of the Firefox browser.

"Our hope is that this proposal may be seen as one that appropriately balances the security and compatibility risks with the needs of site operators, browsers, and users, and we welcome all feedback," the statement said.


Site24x7 Seminars

Deliver Better User Experience in Today's Era of Digital Transformation

Some IT problems are better solved from the cloud

Join us as we discuss how DevOps in combination with AIOps can assure a seamless user experience, and assist you in monitoring all your individual IT components—including your websites, services, network infrastructure, and private or public clouds—from a single, cloud-based dashboard.

Sydney 7th May 2019

Melbourne 09 May 2019

Don’t miss out! Register Today!



Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the sitecame into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


Popular News




Guest Opinion


Sponsored News