Google Plans to Reduce Trust in Symantec's TLS Certificates Due to 'Continual Misissuance'

Share on Facebook Tweet Snapchat Share Reddit Comment
Google Plans to Reduce Trust in Symantec's TLS Certificates Due to 'Continual Misissuance'
Highlights
  • Google to reduces trust in Symantec certificates
  • This is due to failure in properly validating certificates
  • Symantec says the claims are 'exaggerated'

Google's Chrome team is unhappy with the loose way in which Symantec issues transport layer security (TLS) certificates, and is considering incremental distrust Symantec TLS certificates moving forward. This planned step was announced by Google due to "a continually increasing scope of misissuance" from Symantec. It plans to reduce the trust on the biggest issuers of security certificates gradually, as well as revoke recognition of their extended versions for a year.

Ravi Sleevi, a software engineer on the Google Chrome team, wrote on the Blink online forum that the Chrome developers "no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years."

Sleevi has proposed a reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less. Furthermore, he also proposes the removal of recognition of the Extended Validation status of all certificates issued by Symantec for at least a year. This will put the company into a lot of pressure, as its customers will then demand a refund. Lastly, Sleevi also proposed "incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced."

Taking into account the last 30,000 certificates issued by Symantec since January 19, Google claims that the security firm hasn't done enough to verify the site, and ensure that the certificates are issued correctly. "Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs," Sleevi explains in the forum further claiming that Symantec has failed to follow these principles.

Symantec, on the other hand, strongly opposes these accusations and calls them "exaggerated and misleading", as per a BBC report. The company claimed that out of the 30,000, only 127 were identified as wrongly issued, and that it feels that Google has 'singled it out' over the other certificate issuers that are also at fault. "We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners," Symantec told BBC in a statement.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Tasneem Akolawala Tasneem Akolawala is a Senior Reporter for Gadgets 360. Her reporting expertise encompasses smartphones, wearables, apps, social media, and the overall tech industry. She reports out of Mumbai, and also writes about the ups and downs in the Indian telecom sector. Tasneem can be reached on Twitter at @MuteRiot, and leads, tips, and releases can be sent to tasneema@ndtv.com. More
Microsoft OneDrive Gets Bug Fixes on iOS and Linux

Related Stories

 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2020. All rights reserved.
Listen to the latest songs, only on JioSaavn.com