Symantec Tells Google to 'Distrust' Root Cert

Written by

Google has made a move to ‘distrust’ a Symantec root certificate after the security giant revealed it no longer complies with current security standards.

Software engineer, Ryan Sleevi, explained in a blog post that the cert in question is one of Symantec’s “Class 3 Public Primary CA” root certificates which currently works across Chrome, Android and Google products.

“We are taking this action in response to a notification by Symantec Corporation that, as of December 1, 2015, Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements,” he wrote.

“As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products.”

Symantec claimed it is planning to use the certificate for purposes other than publicly trusted certificates.

But Google said that by failing to meet the baseline requirements for security and trustworthiness, there is no guarantee that it won’t be used to “intercept, disrupt, or impersonate the secure communication of Google’s products or users.”

“As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate,” said Sleevi.

For its part, Symantec maintains that this is the normal procedure for a legacy certificate, and that website owners shouldn’t be affected.

“Further, Symantec has also indicated that, to the best of their knowledge, they do not believe customers who attempt to access sites secured with Symantec certificates will be affected by this,” Sleevi added.

The news comes after a turbulent few months for the Mountain View neighbors.

Back in September Symantec was forced to sack several employees after subsidiary Thawte issued unauthorized certificates for several Google domains.

Things got worse a month later after it found over 160 rogue certificates had been issued without permission.

As a result, Google said it will require as of 1 June 2016 that all Symantec-issued certs support its Certificate Transparency standard for easier logging. If they don’t, it “may result in interstitials or other problems when used in Google products,” Sleevi warned.

Abuse of digital certificates and cryptographic keys is fast becoming a favorite strategy for cyber-criminals, according to Kaspersky Lab.

The security vendor claimed last week that the number of new malware files it found this year was down on 2014 volumes because cyber-criminals are changing tactics.

Photo © 360b

What’s hot on Infosecurity Magazine?