Google Makes Move To Invalidate Symantec SSL Certificates
In an article posted on Arstechnica.com, it was announced that Google is changing the Chrome browser so that it will no longer offer trusted green bar assurance for Symantec SSLs. Based on the information that the article provided (edited version below), it's clear that Google is attempting to punish the company for not providing oversight of its employees, who issued “test” certificates for domains even if the people getting them did not own the domain.
Symantec reportedly fired a lot of the people in the company who were involved; however, Google doesn't seem to be satisfied with that and is looking to essentially downgrade anyone's SSL that was issued by the company.
This is forcing a lot of the SSL issuers to provide new SSL certificates in order to keep websites up and running with the proper certificates.
Personally, I think this will affect the customers who purchased the SSLs more than anyone else.
Google is taking steps that will leave SSL owners having to pay for an expensive SSL replacement if their issuing company does not provide replacements.
NameCheap, for example, is offering a free Comodo replacement SSL for the duration of their Symantec SSL certificate.
However, they seem to be the only issuer that we have received an email from that is taking that type of action.
In the end, as website owners, we are caught in the middle of a schoolyard fight between two big corporations that seem to have an agenda outside of “taking care of the security of the net and its users.”
Only time will tell how this plays out.
But if you are using a Symantec SSL, you may want to reach out to your SSL issuer and get a replacement today.
Originally Posted On Arstechnica.com
In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates.
Thursday's announcement is only the latest development in Google's 18-month critique of practices by Symantec issuers. In October 2015, Symantec fired an undisclosed number of employees responsible for issuing test certificates for third-party domains without the permission of the domain holders. One of the extended-validation certificates covered google.com and www.google.com and would have given the person possessing it the ability to cryptographically impersonate those two addresses. A month later, Google pressured Symantec into performing a costly audit of its certificate issuance process after finding the mis-issuances went well beyond what Symantec had first revealed.
In a blog post published Friday morning, Symantec officials once again criticized the Google post. The officials also disputed the 30,000 certificate figure.
“Google's statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” they wrote. “For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates—not 30,000—were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program.”
In an e-mail, Google officials wrote: “We appreciate Symantec's response. This remains an ongoing discussion, and we look forward to continuing our conversations with Symantec about this issue. We want to enable an open and transparent assessment of the compatibility and interoperability risks, relative to potential security threats to our users.”