Bulletproof TLS Newsletter #26
Google plans to distrust all current Symantec certificates
30 March 2017
Author: Hanno Böck

This issue was distributed to 35,392 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Google plans to distrust all current Symantec certificates
  2. Short news

Google plans to distrust all current Symantec certificates

Google has proposed taking very severe steps against Symantec due to violations of its responsibilities as a certificate authority. In January, it became known that Symantec had issued several certificates for domains that weren't requested by their owners. These certificates were created by the South Korean company Crosscert, to which Symantec had given access to its certificate issuance infrastructure.

Over the course of the investigation, it became clear that multiple companies had been given similar access to Symantec's infrastructure without sufficient oversight. Symantec knew about some of the problems and didn't come forward with that knowledge. All together, around 30,000 certificates have been issued by these companies.

Google now plans to phase out all currently valid Symantec certificates. Via several steps, the Chrome browser would distrust certificates with certain validity times. In the end, Symantec would only be allowed to issue certificates with a validity of nine months in the future. Also, Symantec would lose its ability to issue Extended Validation (EV) certificates. Although many people question the utility of EV-certificates, they’re a major source of income for certificate authorities due to their higher prices .

Symantec noted that it finds Google’s actions irresponsible. In an emailed statement, as reported by Ars Technica, Symantec wrote: “Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time.”


Short news