Google Chrome engineers announced plans today to gradually remove trust in old Symantec SSL certificates and intent to reduce the accepted validity period of newly issued Symantec certificates, following repeated slip-ups on the part of Symantec.
Google's decision comes after the conclusion of an investigation that started on January 19, and which unearthed several problems with Symantec's certificate issuance process.
Engineers said they initially analyzed 127 cases of certificate misissuance, but after digging deeper into Symantec's logs they discovered "at least 30,000 certificates, issued over a period spanning several years."
Investigators also point out that Symantec failed to ensure proper domain validation, meaning it took too few steps to verify that the party requesting an SSL certificate actually controlled the domain in question.
Furthermore, Google says Symantec's staff failed to audit their own logs for evidence of past unauthorized issuance, and did not attempt to fix the flawed process by introducing better procedures.
The results of this investigation, along with the 2015 incident, were more than Google was willing to accept.
These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared. [...] On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users.
As such, despite Symantec's dominant position on the SSL certificate market, Google plans to reduce the trust its Chrome browser places in Symantec certs.
For starters, beginning with Chrome 61, Google plans to limit the accepted validity period of newly issued Symantec SSL certs to nine months.
In layman's terms, this means that if a website owner acquires a new Symantec SSL certificate, Chrome will only trust it if its validity period is nine months or less, regardless of whether other browsers would trust a certificate from the same CA for three, four, or more years.
Furthermore, already-issued Symantec SSL certificates will have their trust gradually reduced in future Chrome versions, with each version rejecting certificates whose validity period exceeds the following limits:
Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
Chrome 63 (Dev, Beta): 9 months validity (279 days)
Chrome 63 (Stable): 15 months validity (465 days)
Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)
This move from Google will force all owners of older Symantec certificates to request new ones. Google hopes that by that point, Symantec will have revamped its infrastructure and will be following the rules agreed upon by all the other CAs and browser makers.
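To make the schedule above concrete, here is an added illustration (not Chrome's code and not from the article) of how the per-version limits translate into a replacement deadline for a given certificate. It assumes the day counts in the table are limits on the certificate's total validity period (notAfter minus notBefore, the quantity Chrome can read from the certificate itself, as opposed to the time remaining), that versions after Chrome 64 keep the 279-day limit, and it does not model the separate nine-month rule for newly issued certificates because the article gives no issuance cutoff date for it. The sample certificate dates are constructed for the demo; the time parsing follows the two encodings X.509 uses for notBefore/notAfter.

```python
"""Added example: replacement deadlines under the Symantec validity limits.

Assumption (not stated by the article): each limit applies to the total
validity period (notAfter - notBefore) of a Symantec-issued certificate,
and Chrome versions after 64 keep the final 279-day limit.
"""
from datetime import datetime, timezone
from typing import Optional

# Maximum accepted validity period in days, per Chrome version and channel,
# as listed in the article. "all" covers Dev, Beta and Stable together.
SYMANTEC_LIMITS = {
    59: {"all": 1023},
    60: {"all": 837},
    61: {"all": 651},
    62: {"all": 465},
    63: {"dev": 279, "beta": 279, "stable": 465},
    64: {"all": 279},
}


def parse_asn1_time(value: str) -> datetime:
    """Parse the two encodings X.509 uses for notBefore/notAfter.

    UTCTime is YYMMDDHHMMSSZ, where 50-99 means 1950-1999 and 00-49 means
    2000-2049 (note: this differs from strptime's %y pivot at 69, so the
    century is resolved by hand). GeneralizedTime is YYYYMMDDHHMMSSZ and is
    mandatory for dates from 2050 on.
    """
    if len(value) == 13:                      # UTCTime
        yy = int(value[:2])
        value = f"{19 if yy >= 50 else 20}{value}"
    elif len(value) != 15:                    # anything but GeneralizedTime
        raise ValueError(f"unsupported ASN.1 time encoding: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_days(not_before: str, not_after: str) -> int:
    """Total validity period of the certificate, in whole days."""
    return (parse_asn1_time(not_after) - parse_asn1_time(not_before)).days


def max_validity_days(chrome_version: int, channel: str = "stable") -> Optional[int]:
    """Day limit for a version/channel; None means the page lists no limit."""
    if chrome_version < 59:
        return None
    row = SYMANTEC_LIMITS[min(chrome_version, 64)]   # 65+ keep the 64 limit (assumed)
    return row.get(channel, row.get("all"))


def chrome_accepts(not_before: str, not_after: str,
                   chrome_version: int, channel: str = "stable") -> bool:
    """Would this Chrome version still trust a Symantec cert with these dates?"""
    limit = max_validity_days(chrome_version, channel)
    return limit is None or validity_days(not_before, not_after) <= limit


def first_rejecting_stable(not_before: str, not_after: str) -> Optional[int]:
    """First Chrome Stable release in the table that rejects the certificate,
    i.e. the release before which it must be replaced. None if even the
    final 279-day limit accepts it."""
    days = validity_days(not_before, not_after)
    for version in sorted(SYMANTEC_LIMITS):
        if days > max_validity_days(version, "stable"):
            return version
    return None


if __name__ == "__main__":
    # Constructed sample validity windows, not real Symantec certificates.
    samples = {
        "3-year cert from 2015": ("150301000000Z", "180301000000Z"),
        "2-year cert from 2016": ("160601000000Z", "180601000000Z"),
        "1-year cert from 2017": ("170101000000Z", "180101000000Z"),
        "9-month cert from 2017": ("170401000000Z", "171231000000Z"),
    }
    for label, (nb, na) in samples.items():
        print(f"{label}: {validity_days(nb, na)} days, "
              f"first rejecting Stable: Chrome {first_rejecting_stable(nb, na)}")
```

The point a certificate owner needs from this is that the clock runs on the issued lifetime, not on the expiry date: a three-year certificate with a year still to run is rejected from Chrome 59 onwards, while a short-lived replacement of nine months or less survives every step of the schedule.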
"By combining these two steps, we can ensure that the level of assurance in Symantec-issued certificates is able to match what is expected by Google Chrome and the ecosystem, and that the risks posed both from past and possible future misissuance is minimized as much as possible," Google noted.
Last but not least, Google also plans to strip Symantec certificates of Extended Validation (EV) status "effective immediately," for at least one year, "until Symantec is able to demonstrate the level of sustained compliance necessary to grant such trust."
EV HTTPS certificates vouch for the verified legal identity of the organization behind a site, and obtaining one requires the CA to carry out numerous additional verification steps beyond ordinary domain validation. Based on its investigation, Google no longer trusts Symantec to comply with this longwinded verification process.
Google also said it informed other browser makers such as Apple, Microsoft, and Mozilla about its plans, but none have announced decisions of their own yet.
According to Mozilla data, Symantec accounts for 42% of certificate validations on the market. Symantec has also acquired other CAs, whose root certificates it now operates. The list includes brands such as VeriSign, GeoTrust, Equifax, Thawte, TrustCenter, and others.
Symantec has not responded to a request for comment from Bleeping Computer in time for this article's publication. The company recently took steps to improve its domain validation procedures.
UPDATE: Symantec has responded via a blog post. The company calls Google's claim that it mis-issued 30,000 SSL certificates "exaggerated and misleading."
In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. [...] While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.