Google to Strip Trust from Symantec SSL Certificates
Last Thursday, a Google developer announced that Chrome will be reducing its level of trust in SSL certificates issued by Symantec and its subsidiaries. The announcement follows a two-year dispute between the two companies, in which Google has asserted that Symantec repeatedly failed to follow appropriate validation practices.
Under Google’s proposal, Extended Validation status will no longer be recognized for Symantec-issued certificates, the validity period Chrome accepts for newly issued Symantec certificates will be reduced in stages to a maximum of nine months, and currently trusted Symantec certificates will be distrusted incrementally with each Chrome release up to Chrome 64. The staged approach is meant to balance the security risk posed by the mis-issued certificates against the compatibility problems an immediate distrust would cause.
Wait… What Are SSL Certificates?
Let’s say you want to do some online banking. You go to your bank’s website and you enter your details–but how do you know that it’s really the bank you are giving your details to? How do you know it isn’t an impostor trying to steal your details so that they can drain your accounts? The way we prevent this is by using SSL certificates.
When you go to your bank’s website, your browser asks the website to identify itself and prove that it is legitimate. The website does this with an SSL certificate (strictly, an X.509 certificate used by TLS, the successor to SSL). The certificate binds the site’s domain name and public key to the organization that controls it, and it is signed by a Certificate Authority (CA) to prove its authenticity; during the TLS handshake the site then proves that it holds the private key matching the certificate. CAs such as Symantec bring trust to the system. Any business that wants a trusted certificate must obtain it from a CA. The CA does the necessary checks to confirm that the website belongs to the organization, then signs the certificate, in effect using its own reputation to vouch for the authenticity of the site.
See also: How does SSL work?
Because the whole system relies on trusting CAs, Google’s proposal to downgrade Symantec’s level of trust will have significant repercussions. In 2015, Symantec and its subsidiaries controlled about 30% of the global certificate market, so this decision will affect a significant number of site operators.
Extended Validation (EV) Certificates
EV certificates act in much the same way as regular SSL certificates, but they require a much more detailed validation process before they can be issued. CAs must check the operational and physical presence of the site’s owner, establish its legal identity, confirm that it has exclusive control over the domain, and verify the authority and identity of the person requesting the certificate. These additional checks result in a much higher assurance level (and cost). If a site has an EV certificate, the company name shows up in the address bar, which is generally colored green.
What Happened Between Google and Symantec?
The dispute goes back to late 2015, when Symantec fired several employees for issuing unauthorized certificates. Symantec initially said that only 23 test certificates had been incorrectly issued, for domains owned by several prominent organizations, including Google and Opera. Google investigated the incident and quickly found more questionable certificates.
A week later, Symantec audited its certificates again and found an additional 164 certificates covering 76 domains, as well as 2,458 certificates for domains that were never registered. A mis-issued certificate lets whoever holds its private key impersonate the named website and intercept traffic to it, so this many unauthorized certificates posed a clear threat to internet users.
Google responded by requiring Symantec to log its newly issued certificates publicly in Certificate Transparency logs; otherwise Chrome would flag them as unsafe. Google also required Symantec to undergo a further audit of its certificate issuance process.
The issue cooled down until January 2017, when a researcher found 108 more mis-issued certificates. This led the Google Chrome team to investigate once more, culminating in its latest notice on March 23.
In a public blog post, a Chrome developer stated that they had found problems with more than 30,000 certificates that had been issued over the past several years. In response to the extreme security risks associated with these mis-issued certificates, a series of proposals were set out on how to deal with the situation (see below).
Symantec replied in a statement that called Google’s claims “misleading”. It said that only 127 certificates had been mis-issued, rather than the 30,000 in Google’s blog post. Symantec sought to remedy the problem by ending the involvement of the third party that issued the certificates in question, as well as committing to discontinue their registration authority program. The statement continued by saying that “Google has singled out the Symantec Certificate Authority”, even though other CAs were also involved in the event that led to the mis-issued certificates.
In further comments on the Google blog post, the Chrome developer clarified that Symantec had authorized four organizations to perform validation services on its behalf as Registration Authorities (RAs): CrossCert (Korea Electronic Certificate Authority), Certisign Certificadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A. While delegating validation is allowed under the CA/Browser Forum Baseline Requirements, those requirements also stipulate that the CA remains liable for any issues arising from the relationship and is responsible for auditing the delegated entities.
The four organizations were found not to have followed appropriate certificate validation practices. Between them they validated more than 30,000 certificates, and there is no independent way to tell whether each of those certificates meets the required standards. Because these certificates cannot be distinguished from other Symantec certificates, Google has had to apply its new policy to all Symantec certificates.
What Does This Mean for Users and Operators?
In response to Symantec’s repeated validation failures, Google proposed the following:
- A gradual reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
- An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
- Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.
Symantec covers a huge percentage of the market under its own brand, as well as Thawte, VeriSign, RapidSSL and GeoTrust. Site operators who use certificates from any of these brands will be affected.
If you purchase a new certificate from Symantec starting September 12th, 2017, Chrome will trust it for a validity period of at most nine months. Following this series of incidents, you may find it best to look for a more reputable CA.
If you have an existing certificate from Symantec or one of its brands, you shouldn’t have any problems unless its expiration date is far in the future. Google proposes to distrust Symantec certificates gradually by lowering, with each new Chrome release, the maximum validity period (the span from the certificate’s notBefore to its notAfter date) that Chrome will accept for them. A certificate issued for a longer period than the cap is treated as untrusted from that release onward:
Chrome 59 (June 6th, 2017): maximum validity period 2 years, 9 months (33 months)
Chrome 60 (August 1st, 2017): 2 years, 3 months (27 months)
Chrome 61 (September 12th, 2017): 1 year, 9 months (21 months)
Chrome 62 (October 12th, 2017): 1 year, 3 months (15 months)
Chrome 64 (early 2018): 9 months
This means that a 3-year certificate issued by Symantec or one of its brands would be treated as insecure by Chrome from June 6th, since its 36-month validity exceeds the 33-month cap of Chrome 59. A 2-year certificate exceeds the 21-month cap of Chrome 61, so it gets the same treatment after September 12th.
When your certificate expires, whether at the end of its natural lifespan or at the earlier cut-off imposed by a Chrome release, you should get a new one from a different provider. If you purchase 1-year SSL certificates, as most operators do, you need to use a different provider after early September 2017.
If you have an extended validation certificate from Symantec or one of its brands, you will need to acquire a new one as soon as possible from a different CA. Chrome will start treating Symantec EV certificates as regular certificates, so you will no longer get the green address bar with your company name in it.
In further comments on Google’s blog post, the developer stated that the measures were not designed as punishment, but to force proper revalidation of Symantec’s certificates. Phasing the certificates out over time is the result of balancing security risk against compatibility risk: distrusting all of the certificates immediately would have forced operators to obtain new certificates at once, and users would have seen errors until the operators acted.
Check your web site’s certificate
We found this great tool by 352, Inc. that you can use to check and see if your existing web site’s SSL certificate is going to be impacted.
Check your certificate: https://ssl-checker.352inc.com/
Note: This checker pays attention to certificate duration and expiration. It is not checking if your EV certificate will be affected.
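If you would rather run the duration check yourself, offline, the following Python script applies the Chrome release schedule listed above to a certificate file. It is an added example and is not code from the original post or from 352, Inc. It uses only the standard library: a small DER walker pulls the issuer and validity dates out of the certificate, and the schedule check reports the first Chrome release that would stop trusting it. Assumptions: each month of the cap is counted as 31 days, the Chrome 64 date stands in for the article’s “early 2018”, and the certificate produced by sample_cert() is constructed for the demonstration (an unsigned shell with fictitious names), not a real Symantec certificate.

```python
"""Apply the Chrome/Symantec distrust schedule from the article to a certificate.
Added example, not the post's or 352's code; stdlib only.  sample_cert() builds a
CONSTRUCTED, unsigned certificate shell, and the Chrome 64 date is an assumption
standing in for "early 2018".  Months are compared as 31 days each."""
import base64
from datetime import datetime

# (Chrome release, stable release date, validity cap in months)
SCHEDULE = [
    (59, datetime(2017, 6, 6), 33),
    (60, datetime(2017, 8, 1), 27),
    (61, datetime(2017, 9, 12), 21),
    (62, datetime(2017, 10, 12), 15),
    (64, datetime(2018, 1, 23), 9),      # assumed date for "early 2018"
]
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "geotrust", "rapidssl")
OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"   # 2.5.4.10 (O) and 2.5.4.3 (CN)

def load_pem(text):
    """Strip the PEM armour lines and base64-decode the body to DER bytes."""
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a SEQUENCE or SET into its immediate (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                      # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")

def parse_cert(data):
    """Return the issuer's name attributes and validity window from a DER certificate."""
    _, cert, _ = der_tlv(data)           # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_tlv(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    issuer = {}                          # fields: serialNumber, signature, issuer, validity, ...
    for _, rdn in der_children(fields[2][1]):          # Name ::= SEQUENCE OF SET
        _, atv, _ = der_tlv(rdn)                       # each SET holds one type/value pair
        (_, oid), (_, text) = der_children(atv)
        issuer[{OID_O: "O", OID_CN: "CN"}.get(oid, oid.hex())] = text.decode("utf-8")
    (t1, nb), (t2, na) = der_children(fields[3][1])
    return {"issuer": issuer, "not_before": parse_time(t1, nb), "not_after": parse_time(t2, na)}

def chrome_impact(info):
    """First (release, date) at which Chrome would stop trusting the certificate, or None
    if it is not Symantec-issued or expires naturally before any cap catches it."""
    org = info["issuer"].get("O", "").lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return None
    validity_days = (info["not_after"] - info["not_before"]).days
    for release, date, cap_months in SCHEDULE:
        if validity_days > cap_months * 31 and info["not_after"] > date:
            return release, date
    return None

def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content

def sample_cert(org="thawte, Inc.", not_before=b"160301000000Z", not_after=b"190301000000Z"):
    """CONSTRUCTED, unsigned v3 certificate shell with fictitious names (default: 3 years)."""
    def name(o, cn):
        return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oid) + der(0x13, v.encode())))
                                  for oid, v in ((OID_O, o), (OID_CN, cn))))
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                    # version v3
        der(0x02, b"\x01"),                                               # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b"")),
        name(org, "constructed sample intermediate"),                     # issuer
        der(0x30, der(0x17, not_before) + der(0x17, not_after)),          # validity
        name("Example Corp", "www.example.com"),                          # subject
    ]))
    return der(0x30, tbs)

if __name__ == "__main__":
    print(chrome_impact(parse_cert(sample_cert())))   # real file: parse_cert(load_pem(open(p).read()))
```

For a real site, feed `parse_cert(load_pem(...))` the leaf certificate saved from your server. The check looks only at the organization in the issuer name, so it catches intermediates whose O field names a Symantec brand; if your intermediate is named differently, inspect the rest of the chain the same way. As with the 352 checker, this is a duration check and says nothing about the EV downgrade, which applies to every Symantec EV certificate regardless of validity period.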
The SSL Certificate System – Inherently Flawed?
It’s one thing to be constantly fending off attackers from our infrastructure. It’s quite another when a trusted third party violates the trust we place in it. A significant portion of the internet relies on Symantec-owned issuers as a basis for trust and authenticity, so when they can no longer be relied on, the damage is widespread. Poor validation processes can lead to data loss, attacks and a loss of trust in our basic security infrastructure.
Nobody who understands the CA system will call it a good one; it is simply the one we are stuck with. It is old, and it relies on trusting more than 600 organizations. Each of them is a possible point of failure, whether through compromise or just poor verification processes, as we have seen with Symantec (and others before it).
While the CA system remains a key weakness of our infrastructure, there are no viable alternatives at this stage. There have been some interesting proposals, such as Convergence, a distributed notary-based trust system, but it appears to have died out for lack of funding. Blockchain-based naming systems such as Namecoin could also become viable in the future.
The unfortunate reality is that we are stuck with CAs for now. One of the few positives to come out of this whole fiasco is that Google’s treatment of Symantec has put other CAs on notice. Hopefully they take heed and step up their verification processes to minimize future security lapses.
What is LuxSci Doing?
LuxSci is a Thawte reseller for SSL certificates. Thawte is owned by Symantec. The certificates purchased by LuxSci’s customers are almost universally 1-year certificates. None of these will be affected by the sanctions Google currently proposes. In fact, none of the 1-year certificates to be issued before September 2017 should be affected either. So, existing and current customers have nothing to worry about.
LuxSci will be monitoring this process to see how it unfolds. If it actually proceeds as Google has threatened, then LuxSci will be switching SSL certificate partners before September to ensure that our customers’ certificates are properly trusted.