Google To Symantec: We Don’t Trust You | Neither Should Domain Owners
Google no longer trusts Symantec’s certificates, and that gives domain owners a new headache. The trouble stems from Symantec’s repeated mistakes in issuing TLS certificates. Security and network teams face long working hours, because the Chrome development team has shown no tolerance for Symantec’s mistakes: Google has announced that it will no longer trust current Symantec certificates.
Over the past year, Google has had complications with Symantec over TLS certificates, and until now Symantec had managed to satisfy Google’s concerns. A recent investigation revealed some unbelievable figures: “around 30,000 certificates issued with many years”, Ravi Sleevi wrote on the Blink online forum.
After a series of such incidents, Chrome developers no longer trust Symantec’s certificate policies, nor the practices it has followed over the years.
The Broken Trust by Google
From now on, Chrome will not recognize Extended Validation (EV) certificates from Symantec. EV certificates are the highest-assurance certificates, reflecting a site’s verified identity; to obtain one, a domain owner must pass a strict verification process.
Because Google no longer accepts Symantec’s policies, Chrome will still recognize that a site has a certificate, but it will not treat that certificate as Extended Validation (EV).
For domain owners, this means the organization’s name will no longer appear in green next to the padlock in the address bar. Google will deny EV status to Symantec’s high-end certificates for at least a year.
This will cause major problems for financial sites, which rely on the address bar indicator to show customers that their transactions are safe and secure. Google’s move will force those sites to reconsider the validity of their certificates.
Google said it will not accept newly issued Symantec certificates whose validity period exceeds 9 months. Existing certificates are not affected immediately, but from next week Chrome will not load sites whose Symantec certificates are valid for more than one year. This is the reason Google no longer trusts Symantec’s certificates.
It is a Gradual Withdrawal Process
Google no longer trusts Symantec’s certificates, but it cannot reject them all at once. Symantec’s partner brands account for 30% of valid certificates, and Firefox data that Ravi Sleevi cited shows Symantec-issued certificates accounting for over 42% globally.
The migration from SHA-1 to SHA-2 was a bad decision, and the real mess would come if millions of Chrome users could not load sites because Chrome rejected those sites’ Symantec certificates. The good news is that Chrome is not demanding a sudden replacement of every certificate.
Instead, Chrome reduces the maximum validity period it will accept for Symantec certificates, and this reduced allowance carries on through upcoming and future Chrome releases.
This gives admins and developers about 9 months to adjust: they can replace the existing certificates, or renew them with certificates valid for less than 9 months.
Google can set such rules because Chrome is the biggest web browser today and most firms depend on it, so even the biggest banks, retailers, and cloud providers will have to make changes.
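A practical first step for the admins the article mentions is an inventory of which certificates the new Chrome rules touch. The following script is an added example, not code from the article or from Google or Symantec: it takes the text that `openssl x509 -noout -issuer -dates -in cert.pem` prints for each certificate, flags certificates issued under Symantec brands, and sorts them into those that exceed the article’s 9-month ceiling (must be replaced) and those that do not (schedule a migration). The brand list, the 270-day approximation of 9 months, and the three sample records are all assumptions constructed for this example.

```python
"""Sort TLS certificates by the Symantec distrust rules described in the article.

Input is the text `openssl x509 -noout -issuer -dates` prints per certificate.
All sample records below are constructed for this example, not real certificates.
"""
from datetime import datetime

# Assumed list of Symantec-operated brands; not taken from the article.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")
# The article's 9-month ceiling, approximated as 270 days (assumption).
MAX_VALIDITY_DAYS = 9 * 30

# Constructed sample records, one per certificate, in openssl's output format.
SAMPLE_RECORDS = [
    """issuer= /C=US/O=Symantec Corporation/CN=Example Symantec Intermediate CA
notBefore=Mar 20 00:00:00 2017 GMT
notAfter=Mar 20 23:59:59 2019 GMT""",
    """issuer= /C=US/O=GeoTrust Inc./CN=Example GeoTrust Intermediate CA
notBefore=Jun  1 00:00:00 2017 GMT
notAfter=Nov 28 00:00:00 2017 GMT""",
    """issuer= /C=US/O=Example Trust Services/CN=Example Issuing CA
notBefore=Jan  1 00:00:00 2017 GMT
notAfter=Jan  1 00:00:00 2019 GMT""",
]


def parse_openssl_date(text):
    """Parse a date as openssl prints it; single-digit days are padded with two spaces."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y %Z")


def parse_record(record):
    """Turn one openssl issuer/dates record into a small dict."""
    fields = {}
    for line in record.strip().splitlines():
        key, _, value = line.partition("=")  # issuer values contain '=' themselves
        fields[key.strip()] = value.strip()
    return {
        "issuer": fields["issuer"],
        "not_before": parse_openssl_date(fields["notBefore"]),
        "not_after": parse_openssl_date(fields["notAfter"]),
    }


def issued_by_symantec(issuer):
    """True when the issuer DN names one of the assumed Symantec brands."""
    lowered = issuer.lower()
    return any(brand in lowered for brand in SYMANTEC_BRANDS)


def validity_days(cert):
    """Whole days between notBefore and notAfter."""
    return (cert["not_after"] - cert["not_before"]).days


def assess(record):
    """Return 'ok', 'watch' or 'replace' for one certificate record."""
    cert = parse_record(record)
    if not issued_by_symantec(cert["issuer"]):
        return "ok"  # not affected by the Symantec rules
    if validity_days(cert) > MAX_VALIDITY_DAYS:
        return "replace"  # longer than the 9-month ceiling: replace it
    return "watch"  # Symantec-issued but within the ceiling: plan a migration


def summarize(records):
    """List of (issuer, validity in days, verdict) for every record."""
    rows = []
    for record in records:
        cert = parse_record(record)
        rows.append((cert["issuer"], validity_days(cert), assess(record)))
    return rows


if __name__ == "__main__":
    for issuer, days, verdict in summarize(SAMPLE_RECORDS):
        print(f"{verdict:8} {days:4d} days  {issuer}")
```

In a real inventory the records would come from looping `openssl x509 -noout -issuer -dates -in` over the certificates each server presents; the issuer string alone is a coarse signal, so anything flagged “watch” or “replace” should be confirmed by walking the full chain.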
Google came with a strong response
Google’s new rules amount to a punishment. Google had warned Symantec about its poor practices, but Symantec failed to fix the problem, and now Google has shown what happens when a CA does not meet the criteria.
Sleevi wrote in the online forum that Symantec had allowed four parties to access its infrastructure and cause certificates to be issued, but did not make sure those parties followed the required standards, and failed to identify and resolve the issues reported to it.
The mis-issued certificates pose a serious threat to everyone on the Internet, because whoever holds them can impersonate legitimate servers and intercept communications. Google’s response answers the question “Why does Google not trust Symantec’s certificates?”
Failure to learn from Mistakes
Symantec had already been under investigation for some time because it issued test certificates for third-party domains, including Google’s, without the domain holders’ permission.
If someone obtained those certificates, they could impersonate Google and other sites and intercept communications.
Symantec can still regain its position as a trusted CA, but it must first give Google assurances about its policies. For now, the penalties will continue for at least a year.