Google Pummelling Symantec To Ensure Better Internet Encryption

d‘wise one
Published in Chip-Monks
Mar 26, 2017

For all that the world may consider Google to be, it is, in many ways, the Dean of the Internet.

In that role, and to drive better user privacy and Internet security, Google has taken on Symantec over Symantec’s role in ensuring the sanctity of the encrypted portions of the Internet.

Google, which had previously accused Symantec and its partners of mis-issuing tens of thousands of certificates that certified encrypted web connections, quietly announced this week that it is downgrading the level and length of trust that Chrome will place in certificates issued by Symantec.

Before we delve into this further, let us pause for a moment and explain the kinds of certificates we’re referring to, what Symantec does, and what the implications of mis-issuing certificates for encrypted web connections are.

Well, there are usually two kinds of sites: those with an HTTP prefix and those with an HTTPS prefix. The same site can have both versions or just one, depending on its owner’s motives.
HTTPS connections are usually found on banking sites, login pages and other sites that need an extra layer of security. The ‘S’ in the address, that extra layer of security, is certified by Certificate Authorities (CAs), who verify the identity of the website’s owner, check that certain mandatory security protocols have been adhered to, and only then issue the site a certificate attesting that it is who it says it is and that the necessary protocols are in place.

Think of this like a passport issuing authority.
Once a passport is issued by a legit authority, everyone in the world considers it valid and thus deems the information on the passport as being valid. The onus of checking the information lies upon the authority in the equation.
Similarly, once a certificate has been issued, everyone in the world is expected to trust it. But there is a catch.

The onus of verification in the Internet world also lies on the certificate-issuing authority. Without its authentication of a website owner’s identity, users can’t trust that the site on the other end of their HTTPS connection is really who they think it is. Makes sense so far?

Well, Symantec is a giant in the world of certificate authorities. Its certificates vouched for about 30% of the entire Internet in 2015! So we must believe that they have been doing their job properly and are trustworthy.

Google, however, does not think so.

Google claims that Symantec issued at least 30,000 certificates without properly verifying the websites that received them. The allegation is thus quite grave. Not only does it undermine the trust users can place in the encrypted web, it also leaves users in limbo, not knowing whether the sites they have been relying on because of the HTTPS tag can really be trusted after all.

Google has been claiming that Symantec’s behavior failed to meet the baseline requirements for a Certificate Authority, creating what it termed “significant risk for Google Chrome users”.
To add to this, Ryan Sleevi, a Software Engineer at Google, said, “Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them. These issues, and the corresponding failure of appropriate oversight spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared”.

Google also pointed out that Symantec partnered with other CAs, like CrossCert (Korea’s Electronic Certificate Authority), Certisign Certificadora Digital, Certsuperior S. de R. L. de C.V. and Certisur S.A., and that proper verification procedures were not followed. This allegedly led to the mis-issuance of 30,000 certificates.

This is not the first time that Symantec and Google have gone head to head. The spat has been going on for over a year now.
Back in October 2015, Google discovered that Symantec had mis-issued certificates for Google itself and for Opera Software. “Our investigation uncovered no evidence of malicious intent, nor harm to anyone”, Symantec had stated back then. But that did not allay Google’s concerns.

Google has now taken steps to mitigate possible impacts to users. It stated that it will begin the process of distrusting Symantec-issued certificates in its Chrome browser.
Google is reported to be updating Chrome’s code to reduce the length of time the browser trusts a Symantec-issued certificate. Over time, this would also require sites to replace old Symantec certificates with newer, trusted ones.

“Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years,” Sleevi wrote in a forum post outlining the case against Symantec. “This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”

Symantec’s response so far has been: “Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates — not 30,000 — were identified as mis-issued, and they resulted in no consumer harm. While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs”.

Symantec has also stated that they are open to discussion with Google, to try to resolve the situation. Symantec has purportedly cut ties with four of the firms associated with the mis-issued certificates. That might help them save some face with Google when they do come to a discussion table.

“Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post”, the company said.

For website owners who currently use Symantec to verify their HTTPS connections: you should, in the meantime, start taking steps to ensure Chrome users can access your sites without getting hit with security warnings!
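The two practical points above, a browser capping how long it will trust certificates that chain to a named issuer, and a site owner checking whether their own chain is affected, can be shown in a few dozen lines. The following is an added example in Go using the standard crypto/x509 package; it is not code from the article, Google or Symantec. The root named “Example Distrusted CA”, the host www.example.com and the 270-day cap are constructed assumptions for the demo, not Chrome’s real policy values; all keys and certificates are generated in memory, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustPolicy is a constructed client policy modelled on the approach the
// article describes: a leaf whose chain passes through an issuer with the
// named organization is accepted only if its validity period is at most
// MaxValidity. Everything else is validated as usual.
type TrustPolicy struct {
	DistrustedIssuerOrg string
	MaxValidity         time.Duration
}

// ExamplePolicy holds placeholder values (assumed, not Chrome's real ones).
var ExamplePolicy = TrustPolicy{DistrustedIssuerOrg: "Example Distrusted CA", MaxValidity: 270 * 24 * time.Hour}

// ChainsToIssuer reports whether any issuer above the leaf (index 0) carries
// the given organization name. A site owner can run this over the chain their
// server sends to see whether the reduced-trust policy will affect them.
func ChainsToIssuer(chain []*x509.Certificate, org string) bool {
	for _, c := range chain[1:] {
		for _, o := range c.Subject.Organization {
			if o == org {
				return true
			}
		}
	}
	return false
}

// CheckLeaf does ordinary path validation for host, then applies the policy
// to every valid chain; the leaf is accepted if at least one chain passes.
func CheckLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string, p TrustPolicy, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return err
	}
	validity := leaf.NotAfter.Sub(leaf.NotBefore)
	for _, chain := range chains {
		if !ChainsToIssuer(chain, p.DistrustedIssuerOrg) || validity <= p.MaxValidity {
			return nil
		}
	}
	return fmt.Errorf("issuer %q is under reduced trust: validity %s exceeds the %s cap, certificate must be replaced",
		p.DistrustedIssuerOrg, validity, p.MaxValidity)
}

// Sample is constructed test data: a self-signed root and two leaves for
// www.example.com, one valid for two years and one for ninety days.
type Sample struct {
	Root, LongLeaf, ShortLeaf *x509.Certificate
	Now                       time.Time
}

func newCert(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSample generates fresh keys and certificates in memory only.
func BuildSample() (*Sample, error) {
	now := time.Date(2017, 3, 26, 0, 0, 0, 0, time.UTC)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Distrusted CA"}},
		NotBefore:    now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	mkLeaf := func(serial int64, lifetime time.Duration) (*x509.Certificate, error) {
		return newCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "www.example.com"},
			DNSNames:     []string{"www.example.com"},
			NotBefore:    now, NotAfter: now.Add(lifetime),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, root, &leafKey.PublicKey, caKey)
	}
	longLeaf, err := mkLeaf(2, 2*365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	shortLeaf, err := mkLeaf(3, 90*24*time.Hour)
	if err != nil {
		return nil, err
	}
	return &Sample{Root: root, LongLeaf: longLeaf, ShortLeaf: shortLeaf, Now: now}, nil
}

func main() {
	s, err := BuildSample()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(s.Root)
	at := s.Now.Add(24 * time.Hour)
	for _, leaf := range []*x509.Certificate{s.ShortLeaf, s.LongLeaf} {
		fmt.Printf("leaf valid for %s: %v\n", leaf.NotAfter.Sub(leaf.NotBefore), CheckLeaf(leaf, roots, "www.example.com", ExamplePolicy, at))
	}
}
```

The ninety-day leaf passes, the two-year leaf from the same root is rejected with an error telling the operator to replace it, and the same two-year leaf passes under a policy naming some other issuer, which is exactly the asymmetry a phased distrust relies on: existing long-lived certificates stop working first, forcing the reissuance the article describes.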

Originally published at Chip-Monks.
