Wednesday, 13 September 2017

Google details plan to distrust Symantec Digital Certificates

After a series of incidents involving certificates wrongfully issued by Symantec, Google decided in March to distrust Symantec’s certificates. The company is now releasing a more detailed plan for how that process will proceed.

The plan was first discussed on the Blink (Chrome’s rendering engine) development mailing list with the community, and it started taking shape by the end of July of this year.

On January 19, following the incidents between Symantec and Google, a public posting to the newsgroup drew attention to a number of questionable website certificates issued by Symantec that did not comply with the CA/Browser Forum Baseline Requirements. Symantec’s Corporate Public Key Infrastructure (PKI) operates a series of certificate authorities under the brand names Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL.

In the follow-up investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight. Google also claimed that Symantec had been aware of the security deficiencies of these organizations for some time, but took little or no action to fix them.

This was just one of several incidents that caused the Chrome engineers to lose trust in Symantec’s certificate infrastructure and in every certificate it could issue. After Google announced its plan to distrust Symantec’s certificates, Symantec decided to sell its certificate business to DigiCert, a competitor, which would also have to rebuild the Symantec infrastructure to make it trustworthy.