Symantec Corporation has been failing to properly validate certificates. After observing and investigating Symantec's seemingly ineffective certificate issuance policies and practices over the past several years, Google Chrome has announced that it intends to distrust all currently-trusted Symantec-issued certificates. This is a drastic step: it affects every website that uses a Symantec SSL certificate.
This is not the first time that Symantec has issued certificates without adhering to the necessary policies and practices. In 2015, Symantec’s Thawte-branded CA had issued an Extended Validation (EV) pre-certificate for “google.com” and “www.google.com” without any request or authorization from Google.
Later, Symantec disclosed that it had misissued 23 certificates. A further audit revealed that it had misissued 164 additional certificates covering 76 domains, and had also misissued 2,458 certificates for unregistered domains. In light of these misissuances, Google decided to require that all Symantec certificates support Certificate Transparency.
Symantec's lackadaisical certificate issuance policies and practices, along with the "continually increasing scope of misissuance", led to Google's announcement that it will distrust ALL existing Symantec-issued certificates.
Google Chrome’s proposal:
- A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
- An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
- Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community can be assured of the policies and practices of Symantec, but no sooner than one year.
Details provided by Symantec reveal that they did not perform the critical functions of a root certificate authority and also did not take adequate measures to prevent the issuance of fraudulent certificates.
Symantec had given other parties access to its issuance infrastructure, and those parties did not follow the policies and practices needed to ensure that certificates were issued only to legitimate entities. Moreover, even after learning of the misissued certificates, Symantec did not proactively disclose them or warn website operators and users about these fraudulent certificates. This poses a significant risk to all website visitors who have trusted Symantec for so long. The remedial measures Symantec proposed were also inadequate to restore trust and confidence in its SSL certificates.
While it is true that Symantec has been losing market share to other CAs such as Comodo, this careless attitude toward misissuing certificates will affect all existing users and site operators who rely on Symantec SSL certificates. It will also affect certificates issued by the CAs Symantec acquired, such as Thawte, Verisign, and Equifax.
Mitigation Measures for Site Operators
Site operators will have to restore user trust in their websites. They must switch to a CA that at least follows the Baseline Requirements of the CA/Browser Forum when issuing SSL certificates. Simply acquiring an SSL certificate is not enough; what matters is getting it from a CA that takes more than adequate security measures. Protect your website and your users with robust certificates.
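The first step in the mitigation above is knowing which of your certificates are affected. The following script is an added example (not code from the original article or from Google or Symantec) that triages certificates in the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`: it flags any certificate whose issuer organisation matches a Symantec-family brand, and additionally notes when such a certificate's lifetime exceeds Chrome's proposed nine-month cap. The brand list, the 270-day approximation of nine months, and the sample certificates are all constructed assumptions.

```python
import ssl

# Assumption (not from the article): issuer organisation names that identify
# Symantec-operated CA brands; the article names Thawte, Verisign and Equifax.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax")

# Chrome's proposed cap of nine months for newly issued Symantec certificates,
# approximated here as 270 days (assumption).
MAX_VALIDITY_DAYS = 270

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(); none of these are real certificates.
SAMPLE_CERTS = [
    {
        "subject": ((("commonName", "shop.example.test"),),),
        "issuer": (
            (("countryName", "US"),),
            (("organizationName", "Symantec Corporation"),),
            (("commonName", "Constructed Symantec Intermediate CA"),),
        ),
        "notBefore": "Mar 15 00:00:00 2017 GMT",
        "notAfter": "Mar 15 00:00:00 2019 GMT",   # two-year lifetime
    },
    {
        "subject": ((("commonName", "www.example.test"),),),
        "issuer": (
            (("organizationName", "Example Trust Services"),),   # constructed, non-Symantec CA
            (("commonName", "Example Trust Issuing CA"),),
        ),
        "notBefore": "Mar 15 00:00:00 2017 GMT",
        "notAfter": "Jun 13 00:00:00 2017 GMT",   # 90-day lifetime
    },
    {
        "subject": ((("commonName", "mail.example.test"),),),
        "issuer": (
            (("organizationName", "thawte, Inc."),),
            (("commonName", "Constructed Thawte Intermediate CA"),),
        ),
        "notBefore": "Mar 15 00:00:00 2017 GMT",
        "notAfter": "Sep 11 00:00:00 2017 GMT",   # 180-day lifetime
    },
]


def rdn_value(cert, name_type, field):
    """Return the first value of `field` in the cert's subject or issuer RDN tuples."""
    for rdn in cert.get(name_type, ()):
        for key, value in rdn:
            if key == field:
                return value
    return ""


def is_symantec_issued(cert):
    """True if the issuer organisation matches one of the Symantec-family brands."""
    org = rdn_value(cert, "issuer", "organizationName").lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def validity_days(cert):
    """Lifetime in days computed from the notBefore/notAfter fields (UTC)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def triage(cert):
    """Classify one certificate and record why it does or does not need replacing."""
    findings = []
    symantec = is_symantec_issued(cert)
    days = validity_days(cert)
    if symantec:
        findings.append("issued by a Symantec-family CA; Chrome plans to distrust it")
        if days > MAX_VALIDITY_DAYS:
            findings.append(f"lifetime {days:.0f} days exceeds the proposed nine-month cap")
    return {
        "subject": rdn_value(cert, "subject", "commonName"),
        "issuer": rdn_value(cert, "issuer", "organizationName"),
        "validity_days": days,
        "replace": symantec,
        "findings": findings,
    }


def audit(certs):
    """Return the subject names whose certificates should be replaced."""
    return [r["subject"] for r in map(triage, certs) if r["replace"]]


if __name__ == "__main__":
    for result in map(triage, SAMPLE_CERTS):
        status = "REPLACE" if result["replace"] else "ok"
        print(f"{status:8}{result['subject']} ({result['issuer']}, "
              f"{result['validity_days']:.0f} days)")
        for note in result["findings"]:
            print("        -", note)
```

To run this against a live site, replace `SAMPLE_CERTS` with the dict returned by `ssl.create_default_context().wrap_socket(...).getpeercert()` for each host you operate; the matching is deliberately on the issuer organisation rather than on specific intermediate names, since the distrust covers every certificate chaining to Symantec-operated roots regardless of which intermediate signed it.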