Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities

In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger -- bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates.

Security researchers have long suspected that the CAs play fast and loose with our trust, taking shortcuts or even allowing governments or crime syndicates to suborn their cooperation in breaking online security. Certificate Transparency uses an append-only, distributed ledger (like the blockchain, but built on far more efficient mathematics, a structure called a Merkle tree) that Chrome users automatically contribute to by sending in anonymized evidence of the certificates they see in the wild, and which authorities issued those certificates. In this way, sloppy or malicious CAs can be rapidly and undeniably identified and, in theory, removed from the list of authorities that browsers trust by default.

The first casualty of this regime isn't an obscure Chinese CA doing spy work for the Politburo: it's Symantec, one of the largest security firms in the world, who have been declared to be too untrustworthy to be included in browsers' list of trusted parties, thanks to repeated sloppiness that poses a grave danger to us all.

Google has announced that effective immediately, Symantec-issued certificates will not be treated as having "extended validation" (this is the highest level of trust a browser can place in a certificate, based on the belief that the issuer conducted a detailed investigation to make sure it wasn't dealing with an impostor before issuing the cert).

But that's just for starters. From now on, Chrome will gradually reduce its trust in Symantec certs, over the coming years. That's big news, because Symantec issues more than 30% of the web's certs, and these are the most popularly relied-upon certs by web-users, constituting 42% of the certs that a Firefox user will encounter in a typical browsing session.

Google says it caught Symantec issuing more than 30,000 "improper" certificates.

Symantec's one-paragraph response appears to simply reject the possibility that it is about to lose tens of millions of dollars in revenue, forever, ending with "Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time." Translation: "We are too big to fail."

A reminder: you can get as many free certificates as you need, instantly and automatically, using the nonprofit Let's Encrypt Certificate Authority jointly operated by a number of groups including the Electronic Frontier Foundation and Mozilla.

Thursday's announcement is only the latest development in Google's 18-month critique of practices by Symantec issuers. In October 2015, Symantec fired an undisclosed number of employees responsible for issuing test certificates for third-party domains without the permission of the domain holders. One of the extended-validation certificates covered google.com and www.google.com and would have given the person possessing it the ability to cryptographically impersonate those two addresses. A month later, Google pressured Symantec into performing a costly audit of its certificate issuance process after finding the mis-issuances went well beyond what Symantec had first revealed.

In January, an independent security researcher unearthed evidence that Symantec improperly issued 108 new certificates. Thursday's announcement came after Google's investigation revealed that over a span of years, Symantec CAs have improperly issued more than 30,000 certificates. Such mis-issued certificates represent a potentially critical threat to virtually the entire Internet population because they make it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers. They are a major violation of the so-called baseline requirements that major browser makers impose on CAs as a condition of being trusted by major browsers.

Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates [Ryan Sleevi/Chromium.org]

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [Dan Goodin/Ars Technica]

Notable Replies

  1. Kimmo says:

    Eat shit, Symantec :smile:

  2. Symantec's fine products gave me nothing but headaches at my last job, deleting (sometimes randomly) software tools that I needed which were not officially approved by corporate. Unless you are a big corporation, Symantec seems to have no interest in fixing such issues.

    I got a laugh one day when I noticed that it was repeatedly quarantining one of its own files.

    They deserve it.

  3. Citation?

    ETA: according to the Ryan Sleevi post linked above:

    an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years.

    So, while you may have been right that the initial problem was 127 certificates which were quickly fixed, it looks like the problem is much bigger.

    And, forgive me, but without an accompanying citation, I'm going to trust Ars and Google's tech team more than I trust a random online commenter.

  4. That is...distinctly...not what Team Chrome is saying.

    See: the outline

    The initial problem report was reported publicly, through Mozilla's dev.security.policy mailing list, at https://groups.google.com/d/msg/mozilla.dev.security.policy/fyJ3EK2YOP8/yvjS5leYCAAJ

    In the course of understanding these issues, representatives of Mozilla and Google both addressed follow-up questions to Symantec, as did broader members of the community and peers of the Mozilla Root CA Certificate module.

    Symantec's replies are (generally) available at https://bugzilla.mozilla.org/show_bug.cgi?id=1334377 and share further details.

    These entities are CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A. Each of these entities was authorized by Symantec to perform validation services for information within the certificate, including organizational information and domain names. This process is permitted by the Baseline Requirements, but requires both that the CA accept liability for any issues that emerge through such a relationship, and that the CA ensure these entities are appropriately audited to the equivalent criteria for the validation roles that they perform, so that all certificates issued meet a consistent level of quality.

    As demonstrated through the information provided, these four entities did not follow the appropriate practices or did not possess the appropriate and necessary audits from the appropriate parties. Symantec has acknowledged they were actively aware of this for at least one party, failed to disclose this to root programs, and did not sever the relationship with this party.

    In effect, each of these parties were able to effect issuance by validating information improperly. At least 30,000 certificates were issued by these parties, with no independent way to assess the compliance of these parties to the expected standards. Further, these certificates cannot be technically identified or distinguished from certificates where Symantec performed the validation role. As a consequence, the insufficient demonstration of compliance, along with the inability to distinguish such certificates, combined with the incomplete identification of the scope of the issues, create a degree of uncertainty related to the entire corpus of certificates, for which the only meaningful way to restore that confidence is to propose a gradual distrusting of the existing certificates, so that all new certificates are fully validated according to the appropriate standards.

    "Further, these certificates cannot be technically identified or distinguished from certificates where Symantec performed the validation role." is particularly troubling.

    Not only did they have 4 distinct, and troubled in their own ways, affiliates running around and screwing things up, their systems were set up such that certs 'validated' by the affiliates are not visibly different from Symantec-validated ones; meaning that several different, and distinctly uneven, levels of practice are invisibly conflated under a single brand.

    They also had the 'rogue engineers' episode back in 2015, which they 'fixed' by firing some people; and then learned was bigger and nastier than originally revealed when Google turned the screws and made them look harder; but this latest episode is apparently a new chapter in the saga.

    Symantec is lucky that just purging them with fire and sword would basically break the internet; because they sure aren't doing much to deserve their existence at this point (particularly as a CA, though most of their other products are incidentally shit as well).

  5. As a matter of courtesy, just saying so up front would be much appreciated. Symantec is certainly entitled to respond, and as far as I know BBS has no rules against representatives posting; but mentioning that your post sounds an awful lot like the official statement because you are coming by to deliver it, rather than just passing over the fact without comment, is strongly in your favor when it comes to perceived candor and sincerity.
