Google Chrome holds a global browser market share of 58.53 percent. With nearly two out of three Internet users on the world’s most popular browser, Google has long been in a position to punish websites for non-compliance with its security regulations. But what happens when a trusted name in security drops the ball, like Symantec did?
The team behind Google Chrome recently decided that Internet security firm Symantec had crossed the line once too often in following certificate-issuance rules, and has decided to take punitive action in the form of distrusting its SSL/TLS certificates.
The decision to take action was not lightly made by the Google Chrome team. Symantec allegedly issued 30,000 Extended Validation (EV) certificates improperly over several years, potentially putting Internet users at risk.
Ryan Sleevi of the Google Chrome team said on an online forum Thursday that the Google Chrome browser would no longer recognize the EV status of certificates issued by the Symantec Certificate Authority (CA) for at least a period of one year, or until the security company “fixes” the process through which it issues security certificates.
In the forum post, Sleevi said:
“This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
Clearly, the problem has been an ongoing one, but there are implications that go beyond mere punitive action by Google Chrome against Symantec. The credibility of these certificates is now under a shadow, which undermines the TLS system that is the standard for authenticating a domain and securing the data exchanged with it over the Internet.
But the problem doesn’t end there. It extends to user safety on the Internet. From a user perspective, Google Chrome has been showing these domains as being secure, based on the simple fact that they’ve been issued a certificate from a well-known CA.
Security standards on the Internet are based on trust, and involve multiple parties working together to provide a seamless and secure experience for the end user. When compromised, it is the end user who suffers.
At least as far as these 30,000 domains with questionable EV certificates are concerned, their users will now not know whether the HTTPS in the URL actually means anything. The issue is no longer about these 30,000 certificates alone. Any site that claims to be secure because it holds the right set of certificates is now suspect, because Symantec is not the only CA identified by Google Chrome as involved in this alleged mis-issuance of certificates.
In a nutshell, that basic trust on which the entire system is reliant has allegedly been broken, as a result of which the Google Chrome team has proposed the following punitive actions:
First, on Google Chrome, domains that have EV certificates issued by Symantec will see their certificates being downgraded. That means the Chrome browser will no longer display the name of the domain name holder in the address bar, and this will be in effect for at least a period of one year.
All certificates issued henceforth cannot have a validity period greater than nine months if they are to be trusted by the Chrome browser, and this will come into effect starting with Google Chrome 61. The current Google Chrome version being rolled out to the public is Chrome 57.
The Google Chrome team has also proposed that it will keep reducing the upper limit for the validity period of all certificates issued by Symantec over the next several Google Chrome versions.
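A site operator who wants to know in advance whether their own certificates fall under the two proposed rules above can check the issuer and the validity period directly. The following Go program is an added example, not code from the article or from Google or Symantec; it builds a constructed sample certificate signed by a throwaway CA (the issuer name "Symantec Sample EV CA" is invented for the demonstration) and assumes a 30-day month when turning the nine-month cap into a duration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// MaxValidity is the nine-month cap from the proposal (30-day months assumed here).
const MaxValidity = 9 * 30 * 24 * time.Hour

// CheckCert reports which of the two proposed rules a certificate would trip.
func CheckCert(cert *x509.Certificate) []string {
	var findings []string
	if strings.Contains(strings.ToLower(cert.Issuer.String()), "symantec") {
		findings = append(findings, "issuer names Symantec: Chrome will no longer show the EV indicator")
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > MaxValidity {
		findings = append(findings, fmt.Sprintf("validity of %.0f days exceeds the nine-month cap (Chrome 61+)", life.Hours()/24))
	}
	return findings
}

// NewSampleCert builds a constructed leaf for www.example.com signed by a throwaway
// CA named issuerCN, so the check runs offline without a real Symantec-issued cert.
func NewSampleCert(issuerCN string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	start := time.Date(2017, 3, 24, 0, 0, 0, 0, time.UTC)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: issuerCN},
		NotBefore: start, NotAfter: start.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"}, NotBefore: start, NotAfter: start.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

For a real deployment, parse the served chain with x509.ParseCertificate and pass the leaf to CheckCert; a one-year certificate from a Symantec-named issuer yields two findings, while a 180-day certificate from another issuer yields none.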
Of course, Symantec had its say in the matter as well. Calling Google’s claim that Symantec mis-issued 30,000 SSL certificates “exaggerated and misleading,” the company declared:
“We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible.
“While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.”
It’s not clear what Symantec will do other than “strongly object” to the immediate and proposed actions by the Google Chrome team. No further statement has come from Alphabet, Google’s parent company, in this regard.