Google announces measures against Symantec

24 March 2017

In response to recent incidents at Symantec, Google has announced they will be taking measures affecting certificates issued by Symantec. They have announced plans to stop showing Symantec Extended Validation certificates as Extended Validation as well as adjusting the validity period for Symantec certificates.

What happened at Symantec?

In the past months, it has become known that Symantec issued a number of SSL certificates unfairly. After research regarding this incident, it became clear that Symantec did not keep an eye on partners allowed to issue Symantec certificates themselves. As such, partners did not meet Symantec’s requirements and the lack of monitoring from Symantec’s side has resulted in Google taking action.

Which measures is Google planning to take?

Google announced they are planning to take a number of measures against Symantec. Currently, this is non-committal, but Google has announced to:

  • Show Symantec Extended Validation certificates (including sub brands Thawte and GeoTrust) as Domain Validation certificates in Google Chrome. The SSL certificates will stay valid, but the green address bar won’t be shown anymore;
  • Restrict the validity period of new certificates issued by Symantec to 9 months. SSL certificates with a validity period over 9 months won’t be trusted;
  • Have every Google Chrome update constrain the SSL certificate validity period further, ultimately resulting in all SSL certificates being reissued.

What does Symantec say?

Symantec says they think Google’s planned measures are undue, and has written a blog post in response to Google’s announcements.

What is the impact in practice?

About 30% of all secured websites make use of a Symantec SSL certificate. Chrome is amongst the most widely used browsers, so if Google were to actually take these measures, the impact would be relatively large.
Aside, if Google were to proceed taking these measures, there’s a chance other browsers will follow Google’s footsteps. It’s not possible to exactly disclose what that would mean in practice, though.

I have a certificate issued by Symantec, what do I have to do?

Websites with Symantec certificates will still be trusted and won’t show any errors yet. The plans announced by Google aren’t definitive, there’s a chance they will still change their plans. Google has now announced a resolution where the green address bar won’t be shown, and phase out valid certificates step by step. This way, most website owners will replace their SSL certificate or certificates, allowing them to do this within a large time frame.
Furthermore, Google’s plans would be temporary measures, which would most likely be removed once Symantec clearly shows they have improved.

Xolphin will be replacing Symantec, GeoTrust and Thawte Extended Validation certificates with a Comodo Extended Validation certificate (valid for the same period) at no additional cost.

Update 10/04: Last wednesday Ryan Sleevi announced that despite the fact this isn't Google's policy, the managing board from Google and Symantec had a meeting. Not everything is discussed yet, so the intend has been made to plan a folluw-up meeting. A date or details of the meeting are not made public yet.

As soon as we can provide you with more information, we will update this post. If there is more clarity about Google's exact steps and the consequences, we will actively inform our customers.

Update 27/04: On April 26th, Symantec proposed an extensive action plan. The proposal contains 11 points of action as an alternative to the measurements proposed by Google on March 23rd.

The focus is on the reauthentication of issued certificates, periodical extra checks, more transparency and a reduction in risks. An important factor are the interests of Symantec enterprise customers, such as governments and financial corporations. Symantec believes the interests of these customers are insufficiently present from the point of view of Google and the community, these parties will face severe damage as a result of Google's plans.

Which actions does Symantec propose?

Of the 11 proposed actions, these are the most important:

  • All Symantec issued EV certificates will be re-checked by an external party. This must be completed before August 31st 2017. This should prevent the removal of the EV indicator in Google Chrome.
  • All active SSL certificates that have been checked and issued by (former) RA's of Symantec must be re-checked by an external party. This should also be done by August 31st 2017.
  • Instead of a yearly WebTrust audit, which is standard, it will be done quarterly.
  • By August 31st 2017, 3 month valid certificates will be introduced. Symantec recognizes the advantages of short-lived certificates and wants to give its customers a choice.
  • All active certificates with a validity longer than 9 months will be re-authenticated with a domain verification check.
  • The complete CA infrastructure will be re-checked through a ‘third party risk assessment’, by October 31st 2017.
  • Symantec promises to be more transparent and improve the speed of which they comment on ongoing issues.

Google has yet to react to Symantec's proposal.

point up