All replacement certificates issued by Symantec to customers will need to have a validity period of nine months or less in order to be trusted in Chrome. This is likely to cause further problems for some large companies, which won't be able to easily replace their certificates every nine months.
It's safe to say that Google's sanctions might have a significant impact on Symantec's SSL business, as the company is likely to lose customers who won't be willing to put up with these restrictions and will take their business to a different certificate authority (CA).
Browser vendors have punished CAs before for improperly issuing certificates -- or "misissuing" them, in industry parlance -- but never on this scale and with an impact so large on the ecosystem. Some people have always wondered if browser vendors can really take drastic sanctions against the world's largest CAs, or whether those authorities are simply too big to fail.
The reason for this unprecedented punishment seems to be repeated incidents of misissued certificates at Symantec that have come to light over the past few years, some of which the company failed to identify on its own despite internal and external audits. The latest case was uncovered this year and involved 127 certificates issued with bogus information or without proper domain ownership verification by a Symantec partner that operated as a registration authority (RA).
According to Google, that investigation calls into question the validity of at least 30,000 certificates issued by Symantec partners over a period spanning several years. However, Symantec disputes that number.
"Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them," Google's Ryan Sleevi said in a post on the Chrome development mailing list.
This and past incidents have led Google to "no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," Sleevi said.
Symantec strongly objected to Google's plan and criticized its publication. It also described Google's remarks about the company's past misissuances as "exaggerated and misleading."
"This action was unexpected, and we believe the blog post was irresponsible," the company said in a blog post Friday. "We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates."
The claim about the 30,000 certificates is not true and the 127 certificates that have been confirmed as misissued did not result in any consumer harm, Symantec said, adding that the relationship with the partner responsible for the incident has been terminated and that its entire RA program has been discontinued.