Citing compliance failures, Chrome will distrust Symantec certificates

Two of the biggest names on the internet embarked on a game of chicken this week over the little green padlock in the address bar.

Browser behemoth Chrome, citing what it says are repeated failures by security giant Symantec to comply with the rules governing the issuance of internet security certificates, is threatening to stop fully trusting them. At stake is the user experience for millions of consumers who use the Google-backed browser to shop and bank online.

The security certificates are the basis for TLS, the encrypted connection between a website and a visiting computer that’s denoted by the padlock in the address bar. TLS — and the outdated SSL system it’s replacing — make it possible for users to send credit card details, social security numbers and other sensitive information safely and privately across the public internet.

If Chrome stopped recognizing Symantec certificates — which are behind about a third of the TLS-equipped sites on the internet — Chrome users visiting a website secured by one would get a warning message that the connection was not secure. Depending on how their security settings are set, the users might be blocked from visiting the site at all.

“This could be a big user-experience issue for Chrome,” said Craig Spiezle, ‎executive director and president of the Online Trust Alliance, an internet security non-profit.

A Symantec statement said the company was blindsided by Chrome’s “irresponsible” plan, noted it was only a proposal and promised its customers that they didn’t need to do anything.

“We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser,” reads the statement. “This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community.”

“We learned of Google’s proposal when they posted it on their blog today,” added a Symantec spokeswoman via email, “Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time,” she concluded.

At the root of the row is Symantec’s compliance (or lack of it) with what are called the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. The requirements are a set of rules for so-called Certificate Authorities, or CAs — the companies or other organizations that issue certificates.

“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these [baseline requirement] principles,” states the Chrome proposal. “The full disclosure of these issues has taken more than a month. Symantec has failed to provide timely updates … Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information … required to assess the significance of these issues until they had been specifically questioned.”

“Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” shot back Symantec. “While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal.”

Members of the Chrome team did not respond to requests for comment. Their proposal was published under Chrome’s “Blink” process for code changes, designed to put proposed alterations out for comment by the wider user/developer community. This means that in theory, once three or more of the seven engineers working on the issue agree, the changes will be implemented.

The proposal calls for successive releases of Chrome over the rest of the year to progressively reduce the amount of time for which existing Symantec certificates can be trusted — in an effort to force the company to re-issue all of the millions of certificates it currently provides for its customers. By the first release next year, Symantec certificates would be recognized for a maximum of nine months.

But starting in September, any Symantec certificate issued with a validity of more than nine months would not be trusted at all.

And, most importantly, the proposal would strip all Symantec certificates right away of their “Extended Validation” status, for at least a year. “We no longer have the confidence necessary in order to grant Symantec-issued certificates the ‘Extended Validation’ status,” wrote Chrome engineer Ryan Sleevi in the proposal.

EV status was designed to be the gold-standard for internet encryption, explained Spiezle, who helped develop the EV standard a decade ago at Microsoft. EV “promises the site visitor a higher level of confidence about who they are interacting with,” he told CyberScoop, adding that his own organization had to provide a copy of its business license and a letter from lawyers or auditors confirming their address.

EV certificates are what turn the address bar green, assuring consumers it’s safe to enter their passwords, shop or bank online

“There’s lot of work involved” in getting an EV certificate, and they can cost anything from $200-$1000 per website per year, Michael Fowler, president of the Comodo CA told CyberScoop.

He called the Chrome plan “A very strong approach,” but added he did not expect the browser to suffer the fallout from broken user experiences.

“The users will not see it as a Chrome problem,” he said. “They will see a problem with the site … They don’t know that Symantec is the CA. They don’t know what a CA is. All they will see is a problem with the site.”

“If Google thought they’d be blamed, they wouldn’t be doing it this way,” added Nick France, the technical security officer at Comodo.

Comodo is offering to replace Symantec certificates free of charge. “This is going to be a long and very difficult process for Symantec,” said Fowler.