March 28, 2017 By Larry Loeb 2 min read

The two-year-old feud between Google and Symantec over SSL certificate issuance has finally boiled over: Google’s Chrome browser will no longer recognize certificates issued by Symantec.

Symantec has a portfolio of certificates under its control that were issued by various pioneer certificate authorities (CAs), which the company bought out. These are widely used because they were issued in the early days of certificates.

Google and Symantec Spar Over SSL Certificate Issuance

Google’s Ryan Sleevi explained on a Google forum that Chrome is going to stop accepting Symantec certificates, which account for about one-third of all web certificates, for more than nine months. Google is taking this “nontrivial” action because Symantec allowed multiple parties to access its infrastructure and issue certificates, then failed to oversee these capabilities according to requirements and failed to disclose the information promptly.

Google plans to put strict limits on how many days the Chrome browser will accept a Symantec-issued certificate before it is considered expired. Eventually, all Symantec certificates will expire on the browser after a maximum of 279 days. Since Chrome has such a large market share, this will cause a definite disruption.

Too Big to Fail?

CSO Online considered whether browser vendors could really take drastic sanctions against the world’s largest CAs, or whether those authorities are simply too big to fail. Google’s actions are unprecedented. Additionally, Symantec argued that it was unfairly singled out, since “the mis-issuance event identified in Google’s blog post involved several CAs.”

But security researcher Chris Byrne took Google’s statements as an impetus to disclose major problems in Symantec’s third-party application program interfaces (APIs) for certificates. On Facebook, he wrote that Symantec’s third-party certificate delivery API enabled outside actors to access certificates and private keys without proper authentication.

Byrne told CSO Online in another article that once the link generated by the API was clicked, he was never asked for verification or authentication. He first noticed this behavior in 2015 and attempted to get Symantec to resolve it by responsibly disclosing the problem.

While this may not be a direct cause of Google’s action, it points out other problems that may exist with these certificates.


UPDATE, 3/29/17, 1 p.m. ET: A Symantec spokesperson has contacted Security Intelligence with the following statement:

“We have looked into Chris Byrne’s research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible. We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us at https://www.symantec.com/contact/authentication/ssl-certificate-complaint.jsp.”

More from

How AI can be hacked with prompt injection: NIST report

3 min read - The National Institute of Standards and Technology (NIST) closely observes the AI lifecycle, and for good reason. As AI proliferates, so does the discovery and exploitation of AI cybersecurity vulnerabilities. Prompt injection is one such vulnerability that specifically attacks generative AI.In Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, NIST defines various adversarial machine learning (AML) tactics and cyberattacks, like prompt injection, and advises users on how to mitigate and manage them. AML tactics extract information about…

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today