Google is fighting with Symantec over encrypting the internet
#Google, which has accused #Symantec and its partners of misissuing tens of thousands of certificates for encrypted web connections, quietly announced Thursday that it’s downgrading the level and length of trust Chrome will place in certificates issued by Symantec. Encrypted web connections — HTTPS connections like those on banking sites, login pages or news sites like this one — are enabled by Certificate Authorities, which verify the identity of the website owner and issue them a certificate authenticating that they are who they say they are. Think of a Certificate Authority like a passport agency and the certificates they issue like passports. Without the CA’s authentication of a website owner’s identity, users can’t trust that the site on the other end of their HTTPS connection is really their bank. Symantec is a giant in the world of CAs — its certificates vouched for about 30 percent of the web in 2015. But Google claims that Symantec hasn’t been taking its responsibilities seriously and has issued at least 30,000 certificates without properly verifying the websites that received them. It’s a serious allegation that undermines the trust users can place in the encrypted web, and Google says it will begin the process of distrusting Symantec certificates in its Chrome browser. Symantec lashed out at Google’s claims, calling them “irresponsible” and “exaggerated and misleading.” “Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years,” Google software engineer Ryan Sleevi wrote in a forum post outlining the case against Symantec. “This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.” To remedy the situation, Sleevi said that Chrome would reduce the length of time the browser trusts a Symantec-issued certificate and, over time, would require sites to replace old Symantec certificates with newer, trusted ones. Sleevi said that Symantec’s behavior failed to meet the baseline requirements for a Certificate Authority, creating what he called “significant risk for Google Chrome users.” He added: Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them. These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.