Symantec didn't really care in September, doesn't care now

Dec 11, 2015 23:20 GMT  ·  By

Google has made good on its promise and banned root certificates issued by Symantec. The ban applies to Google Chrome, Android, and several other Google products.

The search giant has had a bone to pick with Symantec since late September, when Google discovered 23 certificates issued in its name by one of Symantec's subsidiaries.

Symantec tried to explain itself by saying the certificates were issued for internal tests and got leaked under unknown circumstances by three employees, whom the company eventually fired.

The incident escalated towards the end of October, when Google discovered 164 further Symantec certificates issued for 76 other domains, along with a batch of 2,458 certificates for domains that had not yet been registered. Google published a statement on its blog that amounted to a final warning.

It appears that now Google has decided to act on Symantec's arrogance/indifference and has outright banned the Class 3 Public Primary CA root certificate operated by Symantec.

Google bans Symantec root certificate after the company strays away from official standards

"Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer, today on the company's Security blog. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products."

Symantec has not provided any public statement on its site regarding Google's latest decision.

Mr. Sleevi said Symantec had privately told Google that the root certificate Google was banning was not scheduled to issue any new certificates for publicly trusted connections.

Symantec also told Google that it did not "believe" any of its customers using Symantec-issued certificates would be affected by the ban.

This ban is the result of an audit Google carried out of Symantec's certificates after the two previous incidents. It is not the first time Google has banned root certificates from a CA (Certificate Authority): the company applied the same measure to the Dutch CA DigiNotar in 2011 and to the CNNIC CA in March 2015.

UPDATE: Symantec has answered Google on this particular issue.