March 28, 2017 By Larry Loeb 2 min read

The two-year-old feud between Google and Symantec over SSL certificate issuance has finally boiled over: Google’s Chrome browser will no longer recognize certificates issued by Symantec.

Symantec has a portfolio of certificates under its control that were issued by various pioneer certificate authorities (CAs), which the company bought out. These are widely used because they were issued in the early days of certificates.

Google and Symantec Spar Over SSL Certificate Issuance

Google’s Ryan Sleevi explained on a Google forum that Chrome is going to stop accepting Symantec certificates, which account for about one-third of all web certificates, for more than nine months. Google is taking this “nontrivial” action because Symantec allowed multiple parties to access its infrastructure and issue certificates, then failed to oversee these capabilities according to requirements and failed to disclose the information promptly.

Google plans to put strict limits on how many days the Chrome browser will accept a Symantec-issued certificate before it is considered expired. Eventually, all Symantec certificates will expire on the browser after a maximum of 279 days. Since Chrome has such a large market share, this will cause a definite disruption.

Too Big to Fail?

CSO Online considered whether browser vendors could really take drastic sanctions against the world’s largest CAs, or whether those authorities are simply too big to fail. Google’s actions are unprecedented. Additionally, Symantec argued that it was unfairly singled out, since “the mis-issuance event identified in Google’s blog post involved several CAs.”

But security researcher Chris Byrne took Google’s statements as an impetus to disclose major problems in Symantec’s third-party application program interfaces (APIs) for certificates. On Facebook, he wrote that Symantec’s third-party certificate delivery API enabled outside actors to access certificates and private keys without proper authentication.

Byrne told CSO Online in another article that once the link generated by the API was clicked, he was never asked for verification or authentication. He first noticed this behavior in 2015 and attempted to get Symantec to resolve it by responsibly disclosing the problem.

While this may not be a direct cause of Google’s action, it points out other problems that may exist with these certificates.


UPDATE, 3/29/17, 1 p.m. ET: A Symantec spokesperson has contacted Security Intelligence with the following statement:

“We have looked into Chris Byrne’s research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible. We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us at https://www.symantec.com/contact/authentication/ssl-certificate-complaint.jsp.”

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today