December 15, 2015 By Larry Loeb 2 min read

Earlier this month, Symantec announced that it will stop using the VeriSign G1 root certificate (Class 3 Public Primary CA) it had previously been using to issue public code signing and TLS/SSL certificates. In response, Google said it would not recognize the newly unsupported certificate in Chrome, Android and other products.

The underlying problem had been ongoing since October, when Google’s engineers found 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered by Symantec. Google was directly affected by this. Symantec argued that the certificates were only used for testing purposes and that they posed no risk to users.

At the time, Google wanted Symantec to show adherence to WebTrust Principles and Criteria for Certification Authorities, as well as undergo a security audit. While it announced it would not use the G1 certificate for public use, Symantec said it would still use it for other purposes. Evidently, Google thought this wasn’t such a good idea.

As Google engineer Ryan Sleevi put it on the Web giant’s security blog, “As this root certificate will no longer adhere to the CA/Browser Forum’s Baseline Requirements, Google is no longer able to ensure that the root certificate, or certificates issued from this root certificate, will not be used to intercept, disrupt or impersonate the secure communication of Google’s products or users.”

Essentially, it seems Google is saying Symantec requested this browser change in the trustworthiness of its certificates. This seems to be the course Symantec would request if it won’t be using that certificate for public-facing purposes.

Symantec has indicated to Google that it does not believe its customers, who are the operators of secure websites, will be affected by this removal. Furthermore, Symantec has also indicated that, to the best of its knowledge, it does not believe customers who attempt to access sites secured with Symantec certificates will be affected by this.

However, an untrusted certificate used by a site would render users unable to perform secure downloads using the HTTPS protocol when the browsers that reject it are employed. The browsers also wouldn’t be able to identify the site as being legitimate. Unless the certificates previously supplied by Symantec are replaced by newer certificates that the browsers will accept as valid, it seems there will be an issue.

How other browsers will treat Symantec’s certificates remains to be seen. Given the revocation of trust, however, others may follow Google’s lead.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today