Mozilla, maker of the open-source browser Firefox, is weighing whether to join Google’s Chrome in its crusade against Symantec.
A Mozilla blog post says Chrome engineers are correct in their assessment of the problems with Symantec-issued internet security certificates, but they may have gone too far by proposing to distrust them. Security certificates underlie the little green padlock in the browser address bar that tells consumers it’s safe to shop and bank online.
It’s a high-stakes game — if Chrome goes ahead with its plan to progressively stop trusting the certificates, its users will see a warning message or might even be blocked from visiting e-commerce sites that use Symantec certificates. And currently, that’s at least a third of the internet.
But the more browsers that join Chrome in distrusting Symantec certificates, the more likely it becomes that Symantec’s customers will simply get their certificates elsewhere.
In the blog post, Mozilla Policy Engineer Gervase Markham notes that browser makers generally “actively avoid coordinating enforcement actions ahead of any public announcement, to avoid accusations of impropriety.” But he adds that now that Chrome has unveiled its proposal, a debate is “unavoidable.”
Markham states that he shares the Chrome engineers’ assessment of Symantec’s compliance problems. “Google has correctly identified the things that have gone wrong, and appropriately assessed the severity of the problems,” he writes.
But he adds that “An additional consideration in deciding” on a course of action is “whether a particular incident fits into a pattern” — in other words, whether Symantec’s problems are one-offs, or whether they’re systemic.
“In the case of Symantec, it is borderline whether that test has been met,” he concludes.
In their proposal last week, Chrome engineers cited what they said were repeated failures by Symantec to comply with what are called the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. The requirements are a set of rules for so-called Certificate Authorities, or CAs — the companies or other organizations that issue certificates.
“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these [baseline requirement] principles,” states the Chrome proposal. “The full disclosure of these issues has taken more than a month. Symantec has failed to provide timely updates. … Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information … required to assess the significance of these issues until they had been specifically questioned.”
“Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” shot back Symantec. “While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal.”
The proposal calls for successive releases of Chrome over the rest of the year to progressively reduce the amount of time for which existing Symantec certificates can be trusted — in an effort to force the company to re-issue all of the millions of certificates it currently provides for its customers. By the first release next year, Symantec certificates would be recognized for a maximum of nine months.
But starting in September, any Symantec certificate issued with a validity of more than nine months would not be trusted at all.
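As an added illustration (not code from the article, from Chrome, or from Mozilla), a small inventory check that flags the certificates the rule just described would affect: Symantec-issued and valid for more than nine months. The certificate records, the issuer-name match, and the calendar-month arithmetic used for "nine months" are assumptions made for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# The article states a nine-month ceiling; how "nine months" is measured
# is an assumption here (calendar months from the notBefore date).
MAX_VALIDITY_MONTHS = 9


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a TLS certificate as kept in an inventory (constructed)."""
    host: str
    issuer: str
    not_before: date
    not_after: date


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month's end."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def is_symantec_issued(issuer: str) -> bool:
    """Assumption: the issuer field names Symantec; real chains need a root lookup."""
    return "symantec" in issuer.lower()


def affected(cert: CertRecord) -> bool:
    """True when the certificate is Symantec-issued and valid beyond nine months."""
    ceiling = add_months(cert.not_before, MAX_VALIDITY_MONTHS)
    return is_symantec_issued(cert.issuer) and cert.not_after > ceiling


def audit(inventory: list[CertRecord]) -> list[str]:
    """Return the hosts whose certificates would stop being trusted under the rule."""
    return [c.host for c in inventory if affected(c)]


# Constructed sample inventory: one long-lived Symantec cert, one short-lived
# Symantec cert, one certificate from an unrelated CA.
SAMPLE_INVENTORY = [
    CertRecord("shop.example.com", "Symantec Class 3 Secure Server CA - G4",
               date(2017, 1, 15), date(2018, 1, 14)),
    CertRecord("api.example.com", "Symantec Class 3 Secure Server CA - G4",
               date(2017, 3, 1), date(2017, 11, 30)),
    CertRecord("www.example.com", "Example Public CA (constructed)",
               date(2017, 3, 1), date(2017, 5, 30)),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))  # ['shop.example.com']
```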
And, most importantly, the proposal would strip all Symantec certificates right away of their “Extended Validation” status, for at least a year. “We no longer have the confidence necessary in order to grant Symantec-issued certificates the ‘Extended Validation’ status,” wrote Chrome engineer Ryan Sleevi in the proposal.