Google is considering a harsh punishment for repeated incidents in which Symantec or its certificate resellers improperly issued SSL certificates. A proposed plan is to force the company to replace all of its customers’ certificates and to stop recognizing the extended validation (EV) status of those that have it.
According to a Netcraft survey from 2015, Symantec is responsible for about one in every three SSL certificates used on the web, making it the largest commercial certificate issuer in the world. As a result of acquisitions over the years the company now controls the root certificates of several formerly standalone certificate authorities including VeriSign, GeoTrust, Thawte and RapidSSL.
Google says that an investigation into a recent incident indicates that Symantec has not upheld security practices expected of certificate authorities, such as validating domain control, auditing logs for evidence of unauthorized issuance, and minimizing the ability for the issuance of fraudulent certificates.
If Google's plan is put into practice, millions of existing Symantec certificates will become untrusted over the next 12 months in Google Chrome. This will be a gradual process where every new Chrome release will distrust a new batch of certificates starting with Chrome 59, which will revoke trust in certificates that have a validity period of over 33 months.
This will put enormous pressure on Symantec, as the company will have to contact all customers, validate their identity and the ownership of their domains all over again, and replace their existing certificates with new ones, most likely at no cost.
Some companies will likely have problems replacing their certificates on such short notice, as they might be used in payment terminals and other hard-to-reach embedded devices.
In addition to that, Symantec might have to refund customers who paid for EV certificates that will no longer be recognized as such in Chrome, since their value would be significantly reduced. The ban on Symantec EV certificates will last for at least one year.
All replacement certificates issued by Symantec to customers will need to have a validity period of nine months or less in order to be trusted in Chrome. This is likely to cause further problems for some large companies, which won't be able to easily replace their certificates every nine months.
It's safe to say that Google's sanctions might have a significant impact on Symantec's SSL business, as the company is likely to lose customers who won't be willing to put up with these restrictions and will take their business to a different certificate authority (CA).
Browser vendors have punished CAs before for improperly issuing certificates -- or "misissuing" them, in industry parlance -- but never on this scale and with an impact so large on the ecosystem. Some people have always wondered if browser vendors can really take drastic sanctions against the world's largest CAs, or whether those authorities are simply too big to fail.
The reason for this unprecedented punishment seems to be repeated incidents of misissued certificates at Symantec that have come to light over the past few years, some of which the company failed to identify on its own despite internal and external audits. The latest case was uncovered this year and involved 127 certificates issued with bogus information or without proper domain ownership verification by a Symantec partner that operated as a registration authority (RA).
According to Google, that investigation calls into question the validity of at least 30,000 certificates issued by Symantec partners over a period spanning several years. However, Symantec disputes that number.
"Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them," Google's Ryan Sleevi said in a post on the Chrome development mailing list.
This and past incidents have led Google to "no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," Sleevi said.
Symantec strongly objected to Google's plan and criticized its publication. It also described Google's remarks about the company's past misissuances as "exaggerated and misleading."
"This action was unexpected, and we believe the blog post was irresponsible," the company said in a blog post Friday. "We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates."
The claim about the 30,000 certficates is not true and the 127 certificates that have been confirmed as misissued did not result in any consumer harm, Symantec said, adding that the relationship with the partner responsible for the incident has been terminated and that its entire RA program has been discontinued.
"While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs," Symantec said.
The company will work to minimize any potential disruption caused by Google's proposal if it goes forward, but is open to discussing the matter with Google and finding a mutually agreed-on solution.
Meanwhile, Mozilla, which manages its own root certificate program, is also considering sanctions for Symantec and might have to align them with Google's.
"Now that Google have announced their action, it is unavoidable to note that it can be preferable for two root stores considering action against a CA to take broadly parallel approaches, so that the CA is not doubly penalised for the same actions," Mozilla's Gervase Markham wrote on the organization's security policy mailing list.
However, Markham noted that Google's plan is "at the strong end" of the options he was considering and that calibrating the level of response, which has to take into account previous precedents and sanctions against other CAs, is a difficult process.