Google has lost confidence in Symantec certificates

Google Chrome browser developers have announced a plan to phase out trust and re-issue old Symantec SSL certificates, revoke EV status, and reduce the term of future certificates to ≤ 9 months. This is the result of investigating incidents with certificates that were issued without the permission of the owners, and existing practices in the company.

The Google investigation lasted two months, from January to March 2017. The longer it lasted, the more questions arose to Symantec and revealed violations in the issuance of certificates. The story of 2015 has not yet been erased from memory, when Symantec voluntarily issued a certificate for the domains of Google, Opera and several other organizations.

Symantec then explained her actions as follows: “A small number of test certificates were incorrectly issued for internal use during testing. All of these test certificates and keys were under our control all the time and were immediately withdrawn when we learned about the problem. There was no impact on any domains and no danger to the Internet. ” Employees who violated the policies and allowed the incident were dismissed.
')
However, the audit revealed 187 certificates for existing domains issued without the knowledge of the owners, and 2,458 certificates for non-existing domains.

After that incident, it became clear that Symantec security was bad. Google has demanded that it carry out a number of measures, including support for all new certificates of the Certificate Transparency framework, conduct an additional audit, publish an incident report, and engage independent auditors.

A little more than a year has passed since the last incident - and now Google has returned to the offending Symantec certification authority to verify its compliance with the Root Certificate Policy in Chrome browser.

From the very beginning, it became clear that the company's business had not improved much. At the beginning of the investigation, an initial set of 127 certificates was considered, but in the light of the violations revealed, it was expanded to 30,000 pieces issued over several years.

The results of the investigation Google formulated as follows: “We no longer have confidence in the rules and practice of issuing Symantec certificates over the past few years. To restore the confidence and security of our users, we propose the following steps:

• Reducing the recognized validity of newly issued Symantec certificates to nine months or less to minimize any impact on Google Chrome users from any further incorrect issues that may arise.
• A gradual rejection of trust, covering several issues of Google Chrome, all previously issued Symantec certificates, with the requirement of re-confirmation and replacement.
• Denial of recognition of EV (Extended Validation) status for certificates issued by Symantec until the community is confident in the rules and practices of Symantec, but no earlier than after 1 year. ”

The gradual reduction of the recognized period of validity of newly issued Symantec certificates is proposed to be implemented as follows:

• Chrome 59 (Dev, Beta, Stable): 33 months (1023 days)
• Chrome 60 (Dev, Beta, Stable): 27 months (837 days)
• Chrome 61 (Dev, Beta, Stable): 21 months (651 days)
• Chrome 62 (Dev, Beta, Stable): 15 months (465 days)
• Chrome 63 (Dev, Beta): 9 months (279 days)
• Chrome 63 (Stable): 15 months (465 days) - this version goes on Christmas break, when many companies have a weekend
• Chrome 64 (Dev, Beta, Stable): 9 months (279 days)

According to Google, the measures listed "will ensure that the level of guarantees for Symantec certificates meets the expectations of Google Chrome and the ecosystem, and that risks from past and possible future violations are minimized as much as possible."

You need to understand that Symantec is one of the largest certification authorities on the Internet. So, in January 2015, more than 30% of all certificates on the Network were issued by these centers. True, since then there have been significant changes. Now the leader is Comodo from 42.7%, and the share of Symantec fell to 15.4% .

References:
Symantec Root Certificates