Google Rejects Symantec Certs
Posted by: Timothy Weaver on 03/27/2017 02:00 PM
Google no longer has faith in Symantec issued certificates.
In a statement, Ryan Sleevi, a staff software engineer at Google, gave the reason: "a continually increasing scope of misissuance."
"Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them," he explained. "This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs."
"Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations' failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them," Sleevi wrote.
"We no longer have the confidence necessary in order to grant Symantec-issued certificates the 'Extended Validation' status," Sleevi concluded.
Symantec certs comprise more than 30 percent of the internet's valid certificates. As a result, Chrome users will no longer be able to access a vast range of sites.
Symantec responded with a statement of its own: "Google's statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading," it read. "For example, Google's claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm."
Source: SCMagazine