Google is going to stop trusting all of Symantec’s existing certificates in Chrome.
Symantec and some subsidiaries and WebTrust audited partners ended up caught by Google and others for wrongly issuing certificates. Almost two years ago Google told Symantec it had to increase its capabilities after a subsidiary certificate authority (CA) issued unauthorized google.com certificates.
But lately, Symantec’s GeoTrust and Thawte incorrectly issued over 100 certificates, including for domains such as test.com and example.com.
According to Google software engineer Ryan Sleevi, an investigation found Symantec’s partners mis-issued at least 30,000 certificates in the past years. These certificates were issued by four organizations: CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A.
Symantec authorized these companies to perform validation for certificate information, but failed to properly audit them, and according to the Baseline Requirements, Symantec remains liable for any issues. In addition, there is no way to distinguish certificates validated by Symantec from certificates validated by the company’s partners, Sleevi said in a blog post.
“Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned,” Sleevi said. “The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”
Because of all the issues, Google wants to remove the recognition of Extended Validation status for certificates issued by the company, and reduce the accepted validity period for newly issued certificates to nine months or less. Under the current proposal, all existing certificates will gradually become untrusted.