Symantec Offers Collaborative Proposal to End Google Spat

Symantec has put forward a series of proposals designed to resolve a long-running dispute with Google over trust in its certificate business, claiming the latter’s plans could have a significant negative impact on major customers.

After a January investigation, Google uncovered problems with 30,000 Symantec-issued certificates and resolved to take several severe steps.

These included a motion to: reduce the accepted validity period of newly issued Symantec-issued certificates to nine months or less; require the re-validation and replacement of all currently trusted Symantec-issued certificates; and temporarily remove EV status for all Symantec-issued certs, for at least a year.

However, in a lengthy response yesterday, Symantec claimed that after consulting its customers, it believes such steps could have a major “compatibility and interoperability impact”, particularly on financial services, critical infrastructure, retail and healthcare firms.

It argued that many such firms have “complex, and potentially undocumented and little-known dependencies on their certificate infrastructure”, for example, embedded devices, mobile apps and critical infrastructure resources that are pinned to Symantec certs.

These dependencies could mean any migration off Symantec could take years, the security giant argued, before proposing a new solution.

This includes commissioning a backward-looking third-party audit of all active EV certificates, rather than have Google remove its EV status.

It also proposed commissioning a third-party audit of all certificates issued by an SSL/TLS Registration Authority (RA) partner.

In a bid to improve transparency, Symantec also proposed: a WebTrust audit for the period from December 1 2016 to May 31 2017, followed by quarterly audits thereafter; a quarterly update letter to the community on the progress of audits; working with the CA/B Forum to recommend new/updated guidelines for customer exception requests to baseline requests; and a bid to improve the timeliness of responses to the browser community and the level of technical detail in them.

That’s not all. Symantec also claimed it would move to shorter validity certificates to reduce exposure, increase security and risk investments in its CA business and make other operational improvements.

"Because this is a big picture issue that impacts the entire ecosystem, we believe a collaborative process based on understanding the needs of all parties is required in order to work towards the shared goal of making the internet a safer place,” said Roxane Divol, general manager of Symantec Website Security.

“As such, our proposal outlines important measures that Symantec intends to implement as part of our continuous improvement efforts to provide increased transparency into our CA operations and enhance our processes. As we work to implement these measures, we remain committed to ensuring business continuity for our CA customers and complying with the requirements of the browser community, so that we can reach a solution that is in the best interests of all stakeholders.”

It remains to be seen whether this range of measures will be enough to placate Google. After all, the history of bad blood between the two goes back several years, when a series of mis-steps forced several Symantec bods from their jobs in 2015.

Symantec’s move was welcomed by Kevin Bocek, vice president of security strategy & threat intelligence at Venafi, who claimed the market would become increasingly volatile as security issues and vulnerabilities in the certificates system come to light.

“This is a critical time for business: the system of trust that provides identities for machines is becoming increasingly complex and businesses are unprepared to respond to change in an agile way. This should act as a wake-up call to all businesses that rely on encryption to protect their machine identities, as it isn’t something that is going away,” he told Infosecurity Magazine.

“Symantec’s shift to shorter lifetime certificates and use of threat intelligence should be applauded. However, the identity of machines and use of encryption is so important that it can’t be left to CAs alone, businesses must take action, responsibility, and gain agility. CAs have a responsibility to improve their processes but they are far from alone in carrying this burden.”
