30 March 2017
Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Hanno Böck.
Google has proposed taking very severe steps against Symantec due to violations of its responsibilities as a certificate authority. In January, it became known that Symantec had issued several certificates for domains that weren't requested by their owners. These certificates were created by the South Korean company Crosscert, to which Symantec had given access to its certificate issuance infrastructure.
Over the course of the investigation, it became clear that multiple companies had been given similar access to Symantec's infrastructure without sufficient oversight. Symantec knew about some of the problems and didn't come forward with that knowledge. Altogether, around 30,000 certificates have been issued by these companies.
Google now plans to phase out all currently valid Symantec certificates. In several steps, the Chrome browser would distrust certificates with certain validity times. In the end, Symantec would only be allowed to issue new certificates with a validity of nine months. Symantec would also lose its ability to issue Extended Validation (EV) certificates. Although many people question the utility of EV certificates, they’re a major source of income for certificate authorities due to their higher prices.
Symantec noted that it finds Google’s actions irresponsible. In an emailed statement, as reported by Ars Technica, Symantec wrote: “Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time.”