Symantec looks to be caving in its dispute with Google’s Chrome over the trustworthiness of digital certificates — which underlie the green padlock in the browser’s address bar that tells consumers it’s safe to bank or shop online.
Chrome, citing what it says are repeated failures by Symantec to comply with the issuance rules regarding digital security certificates, last week threatened to stop fully trusting them. Chrome’s proposal demands that Symantec re-validate and re-issue the millions of certificates it has created, and it would strip Symantec of the authority to issue extended validation, or EV, certificates at all.
Because the proposal could mean Chrome users would no longer be able to shop or bank safely at many major e-commerce sites that currently use Symantec certificates, the proposal effectively challenged Symantec to a game of chicken.
Over the weekend, Symantec blinked.
In a blog post titled “A Message to our [Certificate Authority, or] CA Customers,” Symantec Senior Vice President and General Manager of Website Security Roxane Divol wrote that if Chrome went ahead with its plan to gradually withdraw trust from Symantec’s existing certificates, the company would re-issue them as Chrome demanded.
“In the event Google implements its proposal, Symantec will ensure your websites, webservers or web applications continue to work across browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you.”
The security certificates are the basis for TLS, the encrypted connection between a website and a visiting computer that’s denoted by the padlock in the address bar. TLS — and the outdated SSL system it’s replacing — make it possible for users to send credit card details, social security numbers and other sensitive information safely and privately across the public internet. The certificates which underlie the encrypted exchange are issued by companies known as Certificate Authorities, or CAs.
If Chrome stopped recognizing Symantec certificates — which are behind as many as three-quarters of all internet e-commerce transactions, according to ComScore — Chrome users would get a warning message that the connection was not secure. Depending on how their security settings are set, users might be blocked from visiting the site in total.
In their proposal, Chrome engineers say new Symantec certificates should be valid for a maximum of nine months. Divol writes that Symantec would accept that limitation, but she adds that they anticipate Chrome “may attempt to impose this shorter validity period on the entire industry, as they have previously tried to do” — although the proposal was voted down at the CA-Browser Forum, the consensus-based body that agrees rules for the certificate ecosystem.
Chrome and Google, she further charges “have long been working to remove special treatment for EV certificates in general.”
“We would work with our customers to provide tools to manage any validity period changes that Google might unilaterally impose,” Divol continues, pointing out that, according to figures from ComScore, Symantec certificates secure 40 percent of all internet traffic.
At the root of the row is Symantec’s compliance with what are called the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. The requirements are a set of rules for CAs agreed to in the CA-Browser forum.
“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these [baseline requirement] principles,” states the Chrome proposal.
“The full disclosure of these issues has taken more than a month. Symantec has failed to provide timely updates … Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information … required to assess the significance of these issues until they had been specifically questioned.”
Divol reiterated Symantec’s position that the Chrome charges “about our [certificate] issuance practices and the scope of our past mis-issuances are exaggerated and misleading.” For instance, she states that the real number of wrongly issued certificates is much lower than Chrome says: “In the event referred to … 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm.”
Divol states that the company has “taken extensive remediation measures” to ensure it doesn’t happen again, including severing its relationship with the sub-CA that issued the suspect certificates.
Last week, a Symantec statement accused Chrome of picking on the company. “While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal.”
Members of the Chrome team did not respond to requests for comment. Their proposal was published under Chrome’s “Blink” process for code changes, designed to put proposed alterations out for comment by the wider user/developer community. This means that in theory, once three or more of the seven engineers working on the issue agree, the changes will be implemented.
The proposal calls for successive releases of Chrome over the rest of the year to progressively reduce the amount of time for which existing Symantec certificates can be trusted — in an effort to force the company to re-issue all of the millions of certificates it currently provides for its customers. By the first release next year, Symantec certificates would be recognized for a maximum of nine months.
But starting in September, any Symantec certificate issued with a validity of more than nine months would not be trusted at all.
And, most importantly, the proposal would strip all Symantec certificates right away of their “Extended Validation” status, for at least a year. “We no longer have the confidence necessary in order to grant Symantec-issued certificates the ‘Extended Validation’ status,” wrote Chrome engineer Ryan Sleevi in the proposal.
EV status was designed to be the gold standard for internet encryption, explained Craig Spiezle, president of the Online Trust Alliance and who helped develop the EV standard a decade ago at Microsoft.
EV “promises the site visitor a higher level of confidence about who they are interacting with,” he told CyberScoop, adding that his own organization had to provide a copy of its business license and a letter from lawyers or auditors confirming their address.
“There’s lot of work involved” in getting an EV certificate, and they can cost anything from $200-$1000 per website per year, Michael Fowler, president of the Comodo CA told CyberScoop.
He called the Chrome plan “A very strong approach,” but added he did not expect the browser to suffer the fallout from broken user experiences.
“The users will not see it as a Chrome problem,” he said. “They will see a problem with the site … They don’t know that Symantec is the CA. They don’t know what a CA is. All they will see is a problem with the site.”
“If Google thought they’d be blamed, they wouldn’t be doing it this way,” added Nick France, the technical security officer at Comodo.
Comodo is offering to replace Symantec certificates free of charge.
“This is going to be a long and very difficult process for Symantec,” said Fowler.