The two-year-old feud between Google and Symantec over SSL certificate issuance has finally boiled over: Google’s Chrome browser will no longer recognize certificates issued by Symantec.
Symantec has a portfolio of certificates under its control that were issued by various pioneer certificate authorities (CAs), which the company bought out. These are widely used because they were issued in the early days of certificates.
Google and Symantec Spar Over SSL Certificate Issuance
Google’s Ryan Sleevi explained on a Google forum that Chrome is going to stop accepting Symantec certificates, which account for about one-third of all web certificates, for more than nine months. Google is taking this “nontrivial” action because Symantec allowed multiple parties to access its infrastructure and issue certificates, then failed to oversee these capabilities according to requirements and failed to disclose the information promptly.
Google plans to put strict limits on how many days the Chrome browser will accept a Symantec-issued certificate before it is considered expired. Eventually, all Symantec certificates will expire on the browser after a maximum of 279 days. Since Chrome has such a large market share, this will cause a definite disruption.
Too Big to Fail?
CSO Online considered whether browser vendors could really take drastic sanctions against the world’s largest CAs, or whether those authorities are simply too big to fail. Google’s actions are unprecedented. Additionally, Symantec argued that it was unfairly singled out, since “the mis-issuance event identified in Google’s blog post involved several CAs.”
But security researcher Chris Byrne took Google’s statements as an impetus to disclose major problems in Symantec’s third-party application program interfaces (APIs) for certificates. On Facebook, he wrote that Symantec’s third-party certificate delivery API enabled outside actors to access certificates and private keys without proper authentication.
Byrne told CSO Online in another article that once the link generated by the API was clicked, he was never asked for verification or authentication. He first noticed this behavior in 2015 and attempted to get Symantec to resolve it by responsibly disclosing the problem.
While this may not be a direct cause of Google’s action, it points out other problems that may exist with these certificates.
UPDATE, 3/29/17, 1 p.m. ET: A Symantec spokesperson has contacted Security Intelligence with the following statement:
“We have looked into Chris Byrne’s research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible. We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us at https://www.symantec.com/contact/authentication/ssl-certificate-complaint.jsp.”