Google Chrome to Downgrade and eventually Disregard Symantec SSLs for Mis-issuing 30,000 EV Certificates


If your site uses a Symantec-issued SSL/TLS certificate, now is a good time to plan its replacement.

After an investigation revealed that Symantec had mis-issued at least 30,000 certificates over the past few years, Google has announced that, effective immediately, Google Chrome will stop recognizing the Extended Validation (EV) status of all certificates issued by Symantec.

Extended Validation status is supposed to provide greater assurance of authenticity and security by displaying the verified name of the domain's owning organization in the address bar.


Therefore, as the name suggests, the applicant has to go through a more detailed validation process to obtain an EV certificate: the Certificate Authority (CA) must establish the applicant's legal, operational and physical existence before issuing it.


The move was announced by Ryan Sleevi, a software engineer on the Google Chrome team:

Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.

Symantec has responded by calling Google's claims "exaggerated and misleading":

We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible.


As per the announcement, Google Chrome will immediately stop displaying the EV indicator (the organization name in the address bar) for all EV certificates issued by Symantec, for at least one year and until Symantec fixes its processes. Chrome will also be updated to gradually distrust all currently valid certificates issued by Symantec-owned CAs.

Since this move could prevent millions of Chrome users from accessing a large number of sites, Google has proposed a step-by-step approach to tackle the issue and minimize disruption for users:

  1. All Symantec-issued EV certificates will immediately be treated as ordinary domain-validated (DV) certificates for at least one year. This means Google Chrome will not display the organization name in the address bar for them.
  2. Newly issued Symantec certificates will be limited to a validity period of nine months or less, to shorten the window of exposure from any future mis-issuance.
  3. An incremental distrust, under which the maximum accepted validity period of Symantec-issued certificates will be reduced over a series of Google Chrome updates, forcing site operators to have their certificates revalidated and re-issued. Chrome 59 will limit the validity period to 33 months; by Chrome 64 it will be reduced to 9 months.
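The practical question for a site operator is whether a given certificate chains to a Symantec-owned CA and whether its validity period exceeds the cap that Chrome will enforce at a given milestone. The Go program below is an added example (not code from Google, Chrome or Symantec) that performs that check on a certificate parsed with the standard `crypto/x509` package. It builds a throwaway CA and leaf in memory so it runs offline; the issuer organization "Symantec Corporation", the CA common name and the host name are constructed for the example, and the additional brand names it matches (GeoTrust, Thawte, VeriSign, RapidSSL) are Symantec-operated brands assumed here, not listed on this page. The month caps (33 and 9) are the two values the page gives; the intermediate milestones are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Issuer organization substrings treated as Symantec-owned. "symantec" is the
// operator named in the announcement; the other brands are an assumption for
// this example (they were Symantec-operated CA brands at the time).
var symantecOrgs = []string{"symantec", "geotrust", "thawte", "verisign", "rapidssl"}

// Report summarises what the proposed Chrome policy means for one leaf certificate.
type Report struct {
	SymantecIssued bool
	ValidityMonths int
	ExceedsCap     bool // Symantec-issued and valid for longer than the cap
}

// IsSymantecIssuer reports whether the issuer's Organization matches a Symantec brand.
func IsSymantecIssuer(issuer pkix.Name) bool {
	for _, org := range issuer.Organization {
		o := strings.ToLower(org)
		for _, s := range symantecOrgs {
			if strings.Contains(o, s) {
				return true
			}
		}
	}
	return false
}

// ValidityMonths returns the smallest number of whole calendar months that
// covers the period notBefore..notAfter (a 1000-day certificate is 33 months,
// a 90-day one is 3). Zero-length or inverted periods count as 0.
func ValidityMonths(notBefore, notAfter time.Time) int {
	months := 0
	for notBefore.AddDate(0, months, 0).Before(notAfter) && months < 1200 {
		months++
	}
	return months
}

// Assess applies the two checks to a parsed certificate for a given cap in months.
func Assess(cert *x509.Certificate, capMonths int) Report {
	sym := IsSymantecIssuer(cert.Issuer)
	months := ValidityMonths(cert.NotBefore, cert.NotAfter)
	return Report{SymantecIssued: sym, ValidityMonths: months, ExceedsCap: sym && months > capMonths}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// ConstructedLeaf builds a throwaway CA with the given organization name and a
// leaf for www.example.com signed by it, valid for `days` from notBefore.
// Everything here is constructed test data, not a real Symantec chain.
func ConstructedLeaf(issuerOrg string, notBefore time.Time, days int) *x509.Certificate {
	caKey := newKey()
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{issuerOrg}, CommonName: "Constructed Test CA"},
		NotBefore:             notBefore.AddDate(-1, 0, 0),
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err)
	}
	leafKey := newKey()
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(leafDER)
	if err != nil {
		panic(err)
	}
	return parsed
}

func main() {
	start := time.Date(2017, 3, 24, 0, 0, 0, 0, time.UTC)
	leaf := ConstructedLeaf("Symantec Corporation", start, 1000) // a typical multi-year cert
	for _, capMonths := range []int{33, 9} {                     // Chrome 59 and Chrome 64 caps from the plan
		fmt.Printf("cap %2d months: %+v\n", capMonths, Assess(leaf, capMonths))
	}
}
```

For a live site you would obtain the leaf and its chain from a `crypto/tls` connection's `ConnectionState().PeerCertificates` and run `Assess` over the intermediates as well as the leaf, since the brand name usually appears on the intermediate rather than on the root. The 1000-day constructed certificate passes the 33-month cap but fails the 9-month one, which is exactly the "re-issue before Chrome 64" situation the plan creates for long-lived Symantec certificates.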

Google is doing what needs to be done here. What remains to be seen is whether other browsers follow suit.
