Skip to main content
banner image
venafi logo

Google vs. Symantec: Who Owns Certificate Validation Trust?

Google vs. Symantec: Who Owns Certificate Validation Trust?

March 23, 2017 | Eva Hanscom

This morning, Blink engineer Ryan Sleevi issued a post on the Google Chrome team’s most recent research into Symantec’s certificate practices. According to Sleevi’s report, Google uncovered a “series of failures by Symantec Corporation to properly validate certificates.” As a result, the team no longer has “confidence in the certificate issuance policies and practices of Symantec over the past several years.” 

Google has butted heads with Symantec over the use of their certificates before, but this report represents much broader security issues impacting the Internet.

According to Kevin Bocek, chief security strategist for Venafi: “There something big at play here: Google is now, with the user base of Chrome, controlling the business of the Internet. They decide which CAs can operate and how. Google is effectively taking over control of privacy and trust on the Internet.”

Bocek continues: “This news also highlights how critical it is for businesses to be able to quickly replace machine identities—keys and certificates used for SSL/TLS. Small businesses can change passwords for all employees in minutes, but the largest global businesses with very sophisticated IT operations struggle to respond to external events like this.”

Sleevi has proposed several immediate steps for Symantec and Chrome, including: “a reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less” and “the removal of recognition of the Extended Validation status of Symantec issued certificates.” However, industry experts are concerned about the timeline of these proposals.

“Solving this problem will be a massive challenge for businesses and governments,” says Bocek. “We know this because similar events have illustrated how difficult most organizations find these process. The US federal government was given 18 months to install certificates on all webservers and failed. One year after Heartbleed, over half of Global 2000 businesses still couldn’t fully remediate Heartbleed by changing out keys.”

Ultimately, Google is proposing that every Symantec issued certificate must be replaced, including Extended Validation certificates used by banks, retailers, insurers, government and more. “These certificates are used to convey the highest level of trust in machines identities,” says Bocek. “Obviously, this is a significant event for Symantec.”

The situation between Chrome and Symantec is still developing. It’s clear that Google is interested in taking a much broader role in securing online privacy. While this position is admirable, it is a bit overbearing. Organizations still need their own security toolsets to retain some semblance of control.

“The issues emerging about the trust and validity of Symantec certificates are just another example of how fragile the system of trust and privacy for Internet is. The reality is most organizations are not prepared to respond effectively to these issues. Speed and agility in protecting machines identities is required now more than ever Organization need to be prepared to issue, replace, and recover from security incident involving keys and certificates, including CA compromise, at the drop of a hat,” concludes Bocek.

Are you prepared to remediate certificate threats? 

Related blogs

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

lawyer reading from legal books on a desk, with a scale in the foreground

Do We Trust Governments to Effectively Regulate Privacy? [Ask Security Professionals]

hands reaching out of laptop screen holding ballot box, another person's hand casting a vote
Encryption

Will Encryption Backdoors Hurt Election Infrastructure? Security Professionals Say Yes.

Man standing in front of a cyber-secured world.

What If You Could Guarantee Eliminating Outages in Your Organization?

About the author

Eva Hanscom
Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat