Friday, 24 March 2017 09:14

Google to reduce trust level in Symantec-issued certificates

By Sam Varghese

Google will reduce the level of trust its Chrome browser places in Symantec-issued certificates, following an investigation into a series of incidents in which Symantec issued certificates without properly validating them.

The Chrome team said in a statement that its investigation, under way since 19 January, had drawn answers from Symantec indicating an ever-expanding set of mis-issued certificates.

An initial set of 127 certificates had grown to nearly 30,000 issued over a period of several years, the team said.

Additionally, there was a previous instance of mis-issuance, in October 2015. In that case, 23 test certificates had been issued without the domain owners' knowledge for domains belonging to five organisations, including Google and Opera.

In the same case, further probing by Symantec revealed a further 164 certificates across 76 domains, and 2458 certificates issued for domains that had never been registered.

The Chrome team said it was proposing to take the following steps:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimise any impact to Google Chrome users from any further mis-issuances that may arise;
  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced; and
  • Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community could be assured of the policies and practices of Symantec, but no sooner than one year.

The statement also accused Symantec of not providing timely public updates about these issues.

"Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned," the statement said.

"The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy."

The Chrome team said it would gradually reduce the level of trust in all Symantec-issued certificates by capping the validity period Chrome accepts, release by release, according to the following timetable:

  • Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days);
  • Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days);
  • Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days);
  • Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days);
  • Chrome 63 (Dev, Beta): 9 months validity (279 days);
  • Chrome 63 (Stable): 15 months validity (465 days); and
  • Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days).
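A site operator reading this schedule will want to know which of the proposed releases would still accept a given Symantec-issued certificate. The following stdlib-only Python script, added here as an illustration and not code from the article or from Google, takes the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -dates`, computes the validity period in days, and reports the releases whose cap covers it, plus whether it would satisfy the nine-month limit proposed for newly issued certificates. The whole-day rounding rule and the two sample certificates are assumptions of this example, not something the article specifies.

```python
"""Check a certificate's validity period against Chrome's proposed per-release
caps for Symantec-issued certificates (figures as listed in the article)."""
import math
from datetime import datetime, timezone

# (release, channel, maximum accepted validity in days) from the proposed timetable.
CHROME_SYMANTEC_CAPS = [
    ("Chrome 59", "Dev/Beta/Stable", 1023),
    ("Chrome 60", "Dev/Beta/Stable", 837),
    ("Chrome 61", "Dev/Beta/Stable", 651),
    ("Chrome 62", "Dev/Beta/Stable", 465),
    ("Chrome 63", "Dev/Beta", 279),
    ("Chrome 63", "Stable", 465),
    ("Chrome 64", "Dev/Beta/Stable", 279),
]

# Proposed cap for newly issued Symantec certificates: nine months or less.
NEW_ISSUANCE_CAP_DAYS = 279

# Date layout printed by `openssl x509 -noout -dates`, e.g. "Mar 24 09:14:00 2017 GMT".
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from notBefore=/notAfter= lines."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def validity_days(not_before, not_after):
    """Validity period in whole days. A partial day is counted as a full day;
    this conservative rounding is an assumption of the example, not Chrome's rule."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def accepting_releases(days):
    """Releases/channels from the timetable whose cap is at least `days`."""
    return [(rel, chan) for rel, chan, cap in CHROME_SYMANTEC_CAPS if days <= cap]


def check_certificate(openssl_dates_output):
    """Summarise where a Symantec-issued certificate of this lifetime stays trusted."""
    not_before, not_after = parse_openssl_dates(openssl_dates_output)
    days = validity_days(not_before, not_after)
    return {
        "days": days,
        "accepted_in": accepting_releases(days),
        "within_new_issuance_cap": days <= NEW_ISSUANCE_CAP_DAYS,
    }


# Constructed sample inputs in the shape openssl prints; these are not real certificates.
TWO_YEAR_CERT = """notBefore=Mar 24 09:14:00 2017 GMT
notAfter=Mar 24 09:14:00 2019 GMT
"""
NINE_MONTH_CERT = """notBefore=Mar 24 09:14:00 2017 GMT
notAfter=Dec 24 09:14:00 2017 GMT
"""

if __name__ == "__main__":
    for label, sample in (("two-year", TWO_YEAR_CERT), ("nine-month", NINE_MONTH_CERT)):
        result = check_certificate(sample)
        releases = ", ".join(f"{r} ({c})" for r, c in result["accepted_in"])
        print(f"{label}: {result['days']} days; trusted in: {releases or 'none'}; "
              f"within new-issuance cap: {result['within_new_issuance_cap']}")
```

In practice the input comes from `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -dates`. The two-year sample (730 days) is only accepted by Chrome 59 and 60 under the timetable, which is the point of the schedule: a certificate that is valid today is progressively locked out unless it is replaced with a shorter-lived one.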

While the issue had been communicated to Mozilla, Microsoft and Apple, the Chrome team said: "Assessing the compatibility risk with both Edge and Safari is difficult, because neither Microsoft nor Apple communicate publicly about their changes in trust prior to enacting them."

It noted that while Mozilla conducts its discussions about certificate authorities in public, Mozilla had not yet begun discussing how best to protect users of the Firefox browser.

"Our hope is that this proposal may be seen as one that appropriately balances the security and compatibility risks with the needs of site operators, browsers, and users, and we welcome all feedback," the statement said.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
