Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities

In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger — bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates.


Security researchers have long suspected that the CAs play fast an loose with our trust, taking shortcuts or even allowing governments or crime syndicates to suborn their cooperation in breaking online security. Certificate Transparency uses an append-only, distributed ledger (like the blockchain, but based on a much more efficient mathematics, based on something called Merkle Trees) that Chrome users automatically contribute to by sending in anonymized evidence of the certificates they see in the wild, and which authorities issued those certificates. In this way, sloppy or malicious CAs can be rapidly and undeniably identified and, in theory, removed from the list of authorities that browsers trust by default.


The first casualty of this regime isn't an obscure Chinese CA doing spy work for the Politburo: it's Symantec, one of the largest security firms in the world, who have been declared to be too untrustworthy to be included in browsers' list of trusted parties, thanks to repeated sloppiness that poses a grave danger to us all.


Google has announced that effective immediately, Symantic-issued certificates will not be treated as having "extended validation" (this is the highest level of trust a browser can place in a certificate, based on the belief that the issuer conducted a detailed investigation to make sure it wasn't dealing with an impostor before issuing the cert).

But that's just for starters. From now on, Chrome will gradually reduce its trust in Symantec certs, over the coming years. That's big news, because Symantec issues more than 30% of the web's certs, and these are the most popularly relied-upon certs by web-users, constituting 42% of the certs that a Firefox user will encounter in a typical browsing session.

Google says it caught Symantec issuing more than 30,000 "improper" certificates.

Symantec's one-paragraph response appears to simply reject the possibility that it is about to lose tens of millions of dollars in revenue, forever, ending with "Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time." Translation: "We are too big to fail."

A reminder: you can get as many free certificates as you need, instantly and automatically, using the nonprofit Let's Encrypt Certificate Authority jointly operated by a number of groups including the Electronic Frontier Foundation and Mozilla.

Thursday's announcement is only the latest development in Google's 18-month critique of practices by Symantec issuers. In October 2015, Symantec fired an undisclosed number of employees responsible for issuing test certificates for third-party domains without the permission of the domain holders. One of the extended-validation certificates covered google.com and www.google.com and would have given the person possessing it the ability to cryptographically impersonate those two addresses. A month later, Google pressured Symantec into performing a costly audit of its certificate issuance process after finding the mis-issuances went well beyond what Symantec had first revealed.

In January, an independent security researcher unearthed evidence that Symantec improperly issued 108 new certificates. Thursday's announcement came after Google's investigation revealed that over a span of years, Symantec CAs have improperly issued more than 30,000 certificates. Such mis-issued certificates represent a potentially critical threat to virtually the entire Internet population because they make it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers. They are a major violation of the so-called baseline requirements that major browser makers impose of CAs as a condition of being trusted by major browsers.

Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates
[Ryan Sleevi/Chromium.org]

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs
[Dan Goodin/Ars Technica]