Google Plans Major Blow for Symantec Certs


Google has released perhaps its strongest rebuke yet to Symantec over the latter’s CA business, claiming it will reduce trust in the security giant’s certificates in order to restore confidence to Chrome users.

In a lengthy post issued on Thursday, Google engineer Ryan Sleevi explained that an initial investigation into 127 mis-issued certificates subsequently turned up problems with 30,000 certificates, issued over several years.

This comes on top of a previous set of mis-issued certificates which led to the 2015 sacking of several Symantec employees.

Google has consequently resolved to: reduce the accepted validity period of newly issued Symantec certificates to nine months or less; require the re-validation and replacement of all currently-trusted Symantec-issued certificates; and temporarily remove EV status for all Symantec-issued certs, for at least a year.
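An added inventory check, written for this article rather than taken from Google's or Symantec's tooling, that flags the certificates the plan above targets: an issuer organization naming Symantec and a validity period longer than nine months. It assumes a 275-day threshold (the article gives no exact day count) and constructs a self-signed certificate as sample input; a real scan would parse certificates collected from the estate instead.

```go
// Added example: flag Symantec-issued certificates whose validity period
// exceeds nine months. Threshold and sample certificate are constructed here.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Nine months taken as 275 days; an assumed threshold, not a figure from the article.
const maxValidity = 275 * 24 * time.Hour

// Assess reports whether the issuer names Symantec, the validity in whole days,
// and whether both conditions (Symantec-issued and over nine months) hold.
func Assess(c *x509.Certificate) (symantec bool, days int, needsReplace bool) {
	for _, org := range c.Issuer.Organization {
		if strings.Contains(strings.ToLower(org), "symantec") {
			symantec = true
		}
	}
	validity := c.NotAfter.Sub(c.NotBefore)
	days = int(validity.Hours() / 24)
	return symantec, days, symantec && validity > maxValidity
}

// SelfSignedCert builds a throwaway self-signed certificate (issuer equals subject) as constructed sample input.
func SelfSignedCert(org string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Feeding `Assess` a two-year Symantec-issued certificate returns a replacement flag, while a 200-day one or a certificate from another issuer does not.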

“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” argued Sleevi.

“These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.”

He went on to argue that Symantec had failed to provide timely updates to its customers as problems occurred.

“Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned,” said Sleevi.

“The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”

Venafi chief cybersecurity strategist, Kevin Bocek, argued the case highlights once again how fragile the system of trust for the internet really is.

“This news also highlights how critical it is for businesses to be able to replace machine identities – keys and certificates used for SSL/TLS – quickly. Even small businesses can change passwords for all employees in minutes, but the largest global businesses with very sophisticated IT operations struggle to respond to an external event like this,” he added.

“Google is the 800-pound gorilla on this issue. It is likely to require the world’s largest banks, retailers, insurers and cloud providers to replace the identities, these questionable Symantec certificates, because it turns on padlocks that let users know their transaction is secure.”
