Google is taking disciplinary steps against Symantec over certificate issuance failures. According to Google, the Google Chrome team has been investigating a series of mishaps by Symantec. Google claims that Symantec was handling this crucial process unsatisfactorily. Google is therefore planning to distrust Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates issued by Symantec inside Google Chrome. SSL and TLS certificates are useful because they give the connection between a host and a web browser a particular level of trust and safeguard any sensitive data against phishing.
This is not the first time Google has been wary of the way Symantec issues its certificates. In October 2015, Google publicly chastised Symantec for being sloppy and not taking certificate issuance seriously as mandated. What prompted Google to widen the scope of its investigation was how Symantec reacted to every set of questions on the criteria used to issue these SSL and TLS certificates. Sleevi, a software engineer with Google’s investigating team, noted that initial investigations began with about 130 certificates which Google suspected were mis-issued. The scope has since been expanded to about 30000 certificates spanning over five years.
It is for this reason that Google is planning to reduce the validity period of Symantec-issued certificates to nine months or less and to cease recognizing Symantec's Extended Validation certificates. Google will also increase its surveillance of Symantec-issued certificates. Under Google's “incremental distrust”, re-evaluation or replacement of existing certificates is necessary. This move is garnering support from security experts. They insist that the issuance of SSL and TLS certificates is purely based on privacy and trust. To them, Google is being considerate of Symantec, and the move is not draconian, contrary to how Symantec views it.
Symantec, in its defense, says Google's allegations were feckless, misleading and overemphasized. It also claims it was not the only Certificate Authority with certificate mis-issuance problems and that Google appears to be targeting it unfairly.
Many businesses employ certificates in their day-to-day operations. Most of these enterprises are big corporations like major banks and retailers who are heavy investors in web security. Google’s distrust of Symantec’s certificates has implications for these enterprises, as they rely on them for web connection integrity. Often, these businesses are not agile when it comes to changing certificates. It will be challenging and time-consuming for them to identify, vet and buy new certificates from certified providers. Corporate and government entities, for example, widely use Extended Validation certificates for conveying the highest level of trust. As a result, this security step will definitely invalidate some of their sites that use these certificates.