Venafi Media Alert: What Google’s Decision to Remove Trust from Symantec Certificates Will Mean for Certificate Authorities in 2018
February 7, 2018
Walter Goulet of Venafi looks at three major market changes that will impact the interdependency between browsers and Certificate Authorities.
SALT LAKE CITY, UT – February 7, 2018 – Last year, Google’s Chrome team concluded that Symantec and its affiliated Certificate Authorities (CAs) had mis-issued thousands of transport layer security (TLS) certificates. As a result, the Chrome team announced a formal plan to phase out trust in Symantec-issued certificates. According to Walter Goulet, product manager for cloud products at cyber security market leader Venafi, the tension between browsers and CAs will increase in 2018.
“Concern about certificate issuance practices from browser companies is not a new phenomenon,” said Goulet. “However, these concerns are now driving action from browser companies and this will combine with other industry changes in 2018. As a result, it’s very likely that the tension between CAs and browsers will continue to escalate, which will increase the pressure on business models in the CA industry.”
Goulet believes the interdependency between browsers and CAs will be affected by three major market changes:
Browser makers will take a more active role in policing CAs. Last December, information security researcher Ian Carroll conducted an experiment showing that an attacker could legitimately obtain an Extended Validation (EV) certificate bearing the name of a well-known company simply by incorporating a business under the same name, so the EV indicator alone does not prove that a site belongs to the brand a visitor expects. Citing Carroll’s report as an example, browser makers have argued that CA issuance practices require additional oversight. Between this and Google’s decision to remove trust from Symantec certificates, CAs should expect more scrutiny from browser companies.
Web browsers will de-emphasize or remove certificate security warnings. Browsers may move away from showing certificate warnings and indicators at all, since research has indicated that they rarely change user behavior. Most users do not understand what an EV certificate signifies and generally do not read certificate details; consistent with this, Chrome moved its certificate viewer out of the page information dialog and into the Security panel of the Developer Tools, so the details are reachable only by users who go looking for them.
CA business models will have to evolve. As browser makers take a more active role in determining which CAs they will trust, and as they change the user experience around weak, mis-issued or vulnerable certificates, CA business models will change. Let’s Encrypt already issues free domain-validated certificates through a fully automated process, so commercial CAs will need to automate and streamline their own issuance, including for EV certificates, and are likely to invest in further automation and new product offerings to differentiate themselves from competitors.
“I don’t expect the relationship between CAs and browsers to shift overnight, but we will see radical changes as the year progresses. The Google Symantec event was just the beginning of larger changes that will ultimately impact internet security and privacy for all of us,” added Goulet.