
Putting things in order: Chrome and Firefox will stop trusting the Symantec certificate authority

Under the cut, as usual, is a summary: because of problems in how its CA infrastructure was run, irregularities in reporting, and abuses that led to Extended Validation (EV) certificates being issued without the required checks, Google and Mozilla are planning to withdraw trust from Symantec certificates.



As of December 1, 2017, Symantec has agreed to launch a new certificate issuance process in which the company will no longer use its own root certificates and will instead act as an agent of another certificate authority, playing the role of a subordinate CA (SubCA) that operates under external control (a Managed CA). Symantec certificates issued on or after December 1, 2017 will not fall under the distrust and, apparently, will continue to work.



In 2010, Symantec acquired VeriSign's authentication business for $1.28 billion, becoming one of the largest certificate authorities in the world (with a share of about 14% of all certificates). Yet even at that scale (and with the attention to its own infrastructure and processes one would expect to come with it), the company failed to run the business fully correctly, which in the end led to multiple complaints from browser vendors.



The situation with EV certificates was especially acute. As you know, Extended Validation (EV) certificates vouch for the declared identity of the owner, and, according to the rules, obtaining one requires checking documents proving control of the domain as well as the legal and physical existence of the organisation that owns the resource. In Symantec's case this verification was not performed properly, i.e. there is no guarantee that the owner's credentials were always checked. In the spring of 2017, Google drew attention to the fact that Symantec had given at least four third-party organisations access to its CA infrastructure, with the authority to issue certificates. At the same time, Symantec did not supervise them adequately and allowed them to fall short of the established standards.


Symantec was also unable to deliver on time the reports with analyses of the incidents that browser vendors requested. In particular, security researchers found that in January 2017 the Symantec CA produced 108 incorrectly issued certificates. Symantec had already been involved in an earlier scandal over certificates issued to outsiders for other people's domains: in the autumn of 2015 several employees were dismissed after they were found to have issued test certificates for google.com, gmail.com and gstatic.com (link to an archived copy of the page) without the domain owners' consent. It is not surprising, then, that Google's reaction was anything but cordial.



To soften the consequences of withdrawing trust from Symantec certificates and to give users time to replace them, the Chrome developers compromised and agreed to carry out the process in stages, giving Symantec the opportunity to restructure its organisational processes, fix the problems in its infrastructure and move to new root certificates.



The first phase of the distrust is scheduled for Chrome 66, expected on April 17, 2018. At this stage, trust will be withdrawn from Symantec certificates issued before June 1, 2016. Mozilla is discussing a proposal to apply the first phase from December 1, 2017, i.e. four months earlier, but most likely a date close to April 2018 will be approved in the end. Google also considered starting the blocking in the October and December releases, Chrome 62 and 63, but deferred it to Chrome 66 in view of the industry's wishes.



Full withdrawal of trust from Symantec certificates is expected in Chrome 70 (scheduled for October 23, 2018). Mozilla plans to stop trusting Symantec certificates in Firefox 63 (October 16, 2018) or 64 (November 27, 2018). To avoid problems, sites with Symantec certificates are advised not to delay replacing them. The loss of trust also affects certificates from the GeoTrust, Thawte and RapidSSL certificate authorities, whose trust chains lead to the Symantec root certificates.



In the meantime, Symantec will be able to carry out a complete restructuring of its infrastructure, removing the weaknesses in its current arrangements with the subordinate organisations and partners to which it delegated the right to issue certificates. Symantec also does not rule out selling the certificate business.



So the company that has so successfully sold the very idea of security finds itself, not for the first time, at the centre of scandals and problems connected with the solutions it offers.



What if you bought a certificate from Symantec or from one of its affiliated brands? Request a regular reissue of the certificate from your CA. If you ordered directly, this is done on the CA's website; if you ordered through a partner, you can reissue it on the partner's website or on the centralised products.websecurity.symantec.com / ... (this also works for RapidSSL / GeoTrust / Thawte). Thanks to borisko for this clarification!
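Before reissuing, it is worth checking which phase a given certificate falls into. The script below is an added example (not code from the article, and not Google's or Mozilla's distrust logic) that applies the schedule given above to a certificate's issuer and notBefore date: Chrome 66 rejects legacy Symantec certificates issued before June 1, 2016, Chrome 70 rejects the rest of the legacy hierarchy, and certificates issued by the Managed CA from December 1, 2017 on stay trusted. It uses only the Python standard library plus the `openssl` command-line tool for the optional live check of a PEM file. Assumptions: the affected issuers are recognised by brand name in the certificate's issuer O= attribute (the `LEGACY_SYMANTEC_ORGS` list, which includes VeriSign because some legacy roots still carry that name), the sample `openssl x509` outputs are constructed and not real certificates, and all function names are mine. Real browsers keyed the distrust on the public-key hashes of the legacy Symantec roots and exempted the Managed CA intermediates explicitly, so the issuer-name match is a screening heuristic, not the browser's own rule.

```python
"""Screen a certificate against the Symantec distrust schedule described above:
Chrome 66 rejects certificates issued before June 1, 2016; Chrome 70 rejects the
rest of the legacy Symantec hierarchy; certificates issued by the Managed CA from
December 1, 2017 on stay trusted.  Added example, not code from the article or
from Google/Mozilla.  Stdlib only; the live check shells out to the `openssl` CLI."""
import re
import subprocess
from datetime import datetime
from typing import Optional, Tuple

# Assumption: brands the article names as chaining to the legacy Symantec roots,
# matched as substrings of the issuer's O= attribute.  Browsers keyed on root key
# hashes instead, so treat this as a screening heuristic.
LEGACY_SYMANTEC_ORGS = ("Symantec", "GeoTrust", "Thawte", "RapidSSL", "VeriSign")

# Dates and versions from the article.
PHASE1_CUTOFF = datetime(2016, 6, 1)      # Chrome 66 distrusts certs issued before this
MANAGED_CA_START = datetime(2017, 12, 1)  # Managed CA certs from this date stay trusted
CHROME_PHASE1 = 66                         # released April 17, 2018
CHROME_PHASE2 = 70                         # released October 23, 2018

# Constructed samples (not real certificates) in the format printed by
# `openssl x509 -noout -issuer -nameopt RFC2253 -startdate`.
SAMPLE_SYMANTEC_2016 = (
    "issuer=CN=Example Secure Server CA,OU=Symantec Trust Network,"
    "O=Symantec Corporation,C=US\n"
    "notBefore=Mar 15 00:00:00 2016 GMT\n"
)
SAMPLE_THAWTE_2017 = (
    "issuer=CN=Example SSL CA,O=thawte\\, Inc.,C=US\n"   # RFC 2253 escapes the comma
    "notBefore=Jun  1 00:00:00 2017 GMT\n"
)
SAMPLE_MANAGED_CA = (
    "issuer=CN=Example Managed CA,O=GeoTrust Inc.,C=US\n"
    "notBefore=Dec  5 00:00:00 2017 GMT\n"
)
SAMPLE_OTHER_CA = (
    "issuer=CN=Example Authority X3,O=Let's Encrypt,C=US\n"
    "notBefore=Jan 10 00:00:00 2015 GMT\n"
)

# O= value in an RFC 2253 name: runs until an unescaped comma; "\," is a literal comma.
_ISSUER_ORG_RE = re.compile(r"(?:^|,)O=((?:\\.|[^,])+)")


def parse_openssl_output(text: str) -> Tuple[str, datetime]:
    """Return (issuer organisation, notBefore) from `openssl x509` text output."""
    issuer = re.search(r"^issuer=(.*)$", text, re.M)
    start = re.search(r"^notBefore=(.*)$", text, re.M)
    if issuer is None or start is None:
        raise ValueError("expected 'issuer=' and 'notBefore=' lines in openssl output")
    m = _ISSUER_ORG_RE.search(issuer.group(1))
    org = re.sub(r"\\(.)", r"\1", m.group(1)) if m else ""  # drop RFC 2253 escapes
    not_before = datetime.strptime(start.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return org, not_before


def is_legacy_symantec_issuer(issuer_org: str) -> bool:
    """True if the issuer organisation names one of the affected brands."""
    org = issuer_org.lower()
    return any(brand.lower() in org for brand in LEGACY_SYMANTEC_ORGS)


def first_distrusting_chrome(issuer_org: str, not_before: datetime) -> Optional[int]:
    """Chrome major version that first rejects the certificate, or None if unaffected."""
    if not is_legacy_symantec_issuer(issuer_org) or not_before >= MANAGED_CA_START:
        return None
    return CHROME_PHASE1 if not_before < PHASE1_CUTOFF else CHROME_PHASE2


def distrust_status(issuer_org: str, not_before: datetime, chrome_version: int) -> str:
    """'trusted', 'distrusted' or 'trusted-until-chrome-NN' for the given Chrome version."""
    version = first_distrusting_chrome(issuer_org, not_before)
    if version is None:
        return "trusted"
    return "distrusted" if chrome_version >= version else f"trusted-until-chrome-{version}"


def classify_openssl_text(text: str, chrome_version: int = CHROME_PHASE2) -> str:
    """Parse `openssl x509` output and classify it for the given Chrome version."""
    org, not_before = parse_openssl_output(text)
    return distrust_status(org, not_before, chrome_version)


def check_pem_file(path: str, chrome_version: int = CHROME_PHASE2) -> str:
    """Live check of a PEM certificate on disk (requires the `openssl` CLI)."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-issuer",
           "-nameopt", "RFC2253", "-startdate"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return classify_openssl_text(out, chrome_version)


if __name__ == "__main__":
    for name, sample in (("symantec-2016", SAMPLE_SYMANTEC_2016),
                         ("thawte-2017", SAMPLE_THAWTE_2017),
                         ("managed-ca", SAMPLE_MANAGED_CA),
                         ("other-ca", SAMPLE_OTHER_CA)):
        print(name, classify_openssl_text(sample, 66), classify_openssl_text(sample, 70))
```

To check a live site rather than a file, pipe `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -issuer -nameopt RFC2253 -startdate` into `classify_openssl_text`; the `-nameopt RFC2253` switch matters because the default one-line name format does not escape commas inside values such as "thawte, Inc.", which would truncate the organisation match.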

Source: https://habr.com/ru/post/334392/
