SecuritySecurity Management

Google And Symantec Clash Over Certificate ‘Failures’

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Search engine giant reduces trust level in Symantec-certificates, but security firm slams Google’s “misleading” claims

An extraordinary row has broken out between security firm Symantec and Google, after the former was hit with a hugely embarrassing vote of no confidence by the search engine giant.

It comes after Google engineers said the firm was being investigated for a “series of failures by Symantec Corporation to properly validate certificates.”

To this end, Google said it would gradually remove trust in old Symantec SSL certificates. And it intends to reduce the accepted validity period of newly issued Symantec certificates, as it “no longer have confidence in the certificate issuance policies and practices of Symantec.”Symantec

Google – No Confidence

Google’s damming assessment of Symantec’s certificates came in a blog posting from Google Chrome engineers.

“Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates,” they blogged.

“Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of mis-issuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years.”

“This is also coupled with a series of failures following the previous set of mis-issued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”

Engineers also allege that Symantec has failed to ensure proper domain validation, and that its staff failed to audit its own logs for evidence of past unauthorised issuance.

And Google alleges that Symantec did not attempt to fix this flawed process by introducing better procedures.

Therefore the Google engineers said they would reduce the accepted validity period of newly issued Symantec-issued certificates to nine months or less.

Google said it would also introduce an incremental distrust that would require all currently-trusted Symantec-issued certificates to be revalidated and replaced.

And Google said that it would remove recognition of the Extended Validation status of Symantec issued certificates, “until such a time as the community can be assured in the policies and practices of Symantec.”

google

Symantec Response – “Exaggerated and Misleading”

But Symantec has hit back at Google’s latest attack on its certificates.

It said that the claim that it had misissued 30,000 SSL certificates was “exaggerated and misleading,” and said that it backs its CA.

“At Symantec, we are proud to be one of the world’s leading certificate authorities,” Symantec told Silicon.

“We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser,” it said. “This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.

“Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” it claimed. “For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm.”

“While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs,.

“We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices.

“We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates,” it concluded. “Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post.”

It finished by saying it was open to discussing the matter with Google in an effort to resolve the situation.

It should be noted that Symantec reportedly accounts for a sizeable chunk (42 percent) of certificate validations on the market. It also owns other CAs, most notably VeriSign, GeoTrust, Equifax, TrustCenter etc.

Previous Clashes

And this is not the first time that Google has clashed publicly with Symantec.

Last year for example researchers at Google’s Project Zero team uncovered what they said was a series of critical vulnerabilities in Symantec’s antivirus products that were “as bad as it gets”.

Google claimed at the time that Symantec had really “dropped the ball,” as the flaws were allegedly found in Symantec’s core engine which was shared across a range of Symantec and Norton security products.

This included Norton Security; Symantec Endpoint Protection; Symantec Email Security; Symantec Protection Engine; and Symantec Protection for SharePoint Servers.

Quiz: Do you know all about security in 2016?