Google is considering a harsh punishment for repeated incidents in which Symantec or its certificate resellers improperly issued SSL certificates. A proposed plan is to force the company to replace all of its customers’ certificates and to stop recognizing the extended validation (EV) status of those that have it.
According to a Netcraft survey from 2015, Symantec is responsible for about one in every three SSL certificates used on the web, making it the largest commercial certificate issuer in the world. As a result of acquisitions over the years the company now controls the root certificates of several formerly standalone certificate authorities including VeriSign, GeoTrust, Thawte and RapidSSL.
Google says that an investigation into a recent incident indicates that Symantec has not upheld security practices expected of certificate authorities, such as validating domain control, auditing logs for evidence of unauthorized issuance, and minimizing the ability for the issuance of fraudulent certificates.
If Google's plan is put into practice, millions of existing Symantec certificates will become untrusted over the next 12 months in Google Chrome. This will be a gradual process where every new Chrome release will distrust a new batch of certificates starting with Chrome 59, which will revoke trust in certificates that have a validity period of over 33 months.
This will put enormous pressure on Symantec, as the company will have to contact all customers, validate their identity and the ownership of their domains all over again, and replace their existing certificates with new ones, most likely at no cost.
Some companies will likely have problems replacing their certificates on such short notice, as they might be used in payment terminals and other hard-to-reach embedded devices.
In addition to that, Symantec might have to refund customers who paid for EV certificates that will no longer be recognized as such in Chrome, since their value would be significantly reduced. The ban on Symantec EV certificates will last for at least one year.
Sign up for Computerworld eNewsletters.