Posted on 04/12/2017 at 08:00 AM
In late March, it was announced that Google would no longer recognize extended validation of any SSL certificates issued by Symantec. Symantec is one of the larger Certificate Authorities in operation today and is responsible for providing nearly 1/3 of all SSL certificates in use on the web.
This notice comes after Google asserted that Symantec had been acting irresponsibly, issuing over 30,000 SSL certificates without appropriately authenticating the websites that received them. Google software engineer, Ryan Sleevi, elaborated his concerns regarding Symantec via a forum post:
“Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. This is also coupled with a series of failures following the previous set of misused certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
Symantec has since struck back, claiming that Google is acting irresponsibly and making accusations which are “exaggerated and misleading.”
But Google’s disapproval of Symantec’s practices and policies have led them to display distrust toward Symantec certificates via their Chrome browser. For at least the next year, the Chrome browser will essentially relegate any Symantec certificates in use. This means that the security message which is normally displayed in Chrome’s address bar when a ‘secured’ website is accessed, will no longer be prompted for websites that are secured with a Symantec SSL certificate.
Though the immediate implications of operating under a Symantec SSL certificate are somewhat limited for now, it does sound likely that Google will take even larger steps to further distrust Symantec in the near future. The search giant may even have plans to make updates to the Chrome browser that will quash all currently valid certificates issued by Symantec-owned Certificate Authorities, a move that could prevent millions of Chrome users from being able to access a significant number of websites. While this “lock out” of sorts will be phased in over time, the potential impact this could have is far reaching.
If your website is using a Symantec-issued SSL, it is important to reinstate trust by replacing your certificate with one from a Certificate Authority provider that abides by Baseline Requirements of the CA/Browser Forum in issuing SSL certificates. While going with a completely different Certificate Authority provider is probably the best route, if that is not an option, it can be effective to replace an old Symantec certificate with a fresh one. Google believes this approach will keep web developers aware of potential security threats should misissuance continue into the future, but also give website administrators the option to carry on using these certificates if necessary.
If Global Reach managers your SSL certificate, then there is no need for concerns or action. We've already taken any necessary steps to reissue affected certificates. However, if you would like to add a new certificate to your website, or you have questions about why you should, we can still work with you. Contact Global Reach today, and we can help
Categories: Safety and Security