March 27, 2017

Google Chrome will not recognize Symantec’s EV certificates

Google says that Symantec-issued certificates are unable able to match the level of assurance expected by Google Chrome

As reported earlier this year, Symantec was forced to revoke faulty SSL certificates which were issued for example.com and a few variations of test.com. This time, Google Chrome engineers have announced that they will remove trust in old Symantec SSL certificates and reduce the accepted validity period of newly issued Symantec certificates, due to the repeated slip-ups on the part of Symantec.

Google says that its team had been investigating a series of failures by Symantec to properly validate certificates. Over the course of this investigation, Google said that the explanations provided by Symantec have revealed a continually increasing scope of wrongly issued certificates.

After the investigation, Google says that an initial set of 127 wrongly issued certificates has expanded to include at least 30,000 certificates, issued over several years. This evaluation is coupled with a series of failures following the previous set of wrongly issued certificates from Symantec which was reported by Google in October, 2015. All these slip-ups have caused Google to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.

Ryan Sleevi, a software engineer on the Google Chrome team said on Google’s online forum:

To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements.

This will be accomplished by gradually decreasing the ‘maximum age’ of Symantec-issued certificates over a series of releases, distrusting certificates whose validity period (the difference of notBefore to notAfter) exceeds the specified maximum.

Ryan added that the Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again.

Share this articleShare on FacebookShare on Google+Tweet about this on Twitter