March 28, 2017 By Larry Loeb 2 min read

The two-year-old feud between Google and Symantec over SSL certificate issuance has finally boiled over: Google’s Chrome browser will no longer recognize certificates issued by Symantec.

Symantec has a portfolio of certificates under its control that were issued by various pioneer certificate authorities (CAs), which the company bought out. These are widely used because they were issued in the early days of certificates.

Google and Symantec Spar Over SSL Certificate Issuance

Google’s Ryan Sleevi explained on a Google forum that Chrome is going to stop accepting Symantec certificates, which account for about one-third of all web certificates, for more than nine months. Google is taking this “nontrivial” action because Symantec allowed multiple parties to access its infrastructure and issue certificates, then failed to oversee these capabilities according to requirements and failed to disclose the information promptly.

Google plans to put strict limits on how many days the Chrome browser will accept a Symantec-issued certificate before it is considered expired. Eventually, all Symantec certificates will expire on the browser after a maximum of 279 days. Since Chrome has such a large market share, this will cause a definite disruption.

Too Big to Fail?

CSO Online considered whether browser vendors could really take drastic sanctions against the world’s largest CAs, or whether those authorities are simply too big to fail. Google’s actions are unprecedented. Additionally, Symantec argued that it was unfairly singled out, since “the mis-issuance event identified in Google’s blog post involved several CAs.”

But security researcher Chris Byrne took Google’s statements as an impetus to disclose major problems in Symantec’s third-party application program interfaces (APIs) for certificates. On Facebook, he wrote that Symantec’s third-party certificate delivery API enabled outside actors to access certificates and private keys without proper authentication.

Byrne told CSO Online in another article that once the link generated by the API was clicked, he was never asked for verification or authentication. He first noticed this behavior in 2015 and attempted to get Symantec to resolve it by responsibly disclosing the problem.

While this may not be a direct cause of Google’s action, it points out other problems that may exist with these certificates.


UPDATE, 3/29/17, 1 p.m. ET: A Symantec spokesperson has contacted Security Intelligence with the following statement:

“We have looked into Chris Byrne’s research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible. We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us at https://www.symantec.com/contact/authentication/ssl-certificate-complaint.jsp.”

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today