The deprecation will take place gradually

Mar 24, 2017 00:27 GMT

Google Chrome developers are planning to restrict TLS certificates sold by Symantec-owned issuers after it was discovered that those issuers may have improperly issued more than 30,000 certificates.

Ryan Sleevi, a software engineer on the Google Chrome team, said in an online forum that Chrome plans to stop recognizing the extended validation (EV) status of all certificates issued by Symantec-owned certificate authorities. The change is effective immediately.

"Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," they explain.

Extended validation certificates are supposed to provide assurance that a site is authentic by showing the name of the validated domain name holder in the address bar. For the next year, however, Chrome will not display this information for Symantec-issued certificates, which will be downgraded and treated as if they carried no EV status.

Step by step

In another gradual move, Google will update Chrome to distrust all currently valid certificates issued by Symantec's CAs. This could prevent millions of users from accessing large numbers of sites, especially since Symantec certificates account for about 30% of the Internet's valid certificates, according to 2015 data.

Since distrusting all of these certificates at once would have a huge impact on the Internet, Chrome plans to gradually reduce the maximum validity period it accepts for certificates issued by Symantec. Chrome 59 will accept such certificates only if they expire within 33 months of being issued, and Chrome 64 will reduce that cap to nine months.
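For a site operator or defender, the practical question is which certificates in their inventory will stop validating at each step. The following script is an added example, not code from the article or from Google or Symantec: it models the two validity caps the article names (33 months for Chrome 59, nine months for Chrome 64), measured from the certificate's notBefore date as a calendar-month offset (an assumption of this example), and reports which hosts a given Chrome release would reject. The certificate records, hostnames and issuer strings are constructed for the example; the issuer keyword list is likewise an assumption, since the article does not enumerate Symantec's CA brands.

```python
from dataclasses import dataclass
from datetime import date
import calendar

# Validity caps the article reports Chrome applying to Symantec-issued certificates:
# Chrome 59 -> 33 months, Chrome 64 -> 9 months (measured from notBefore here; assumption).
VALIDITY_CAP_MONTHS = {59: 33, 64: 9}

# Issuer keywords treated as "Symantec-owned" in this example (assumed, not exhaustive;
# a real audit must use the authoritative list of affected roots/intermediates).
SYMANTEC_ISSUER_KEYWORDS = ("symantec",)


@dataclass
class CertRecord:
    """Minimal view of a leaf certificate: hostname, issuer DN text, validity window."""
    host: str
    issuer: str
    not_before: date
    not_after: date


def add_months(d: date, months: int) -> date:
    """Shift a date forward by `months` calendar months, clamping the day to month length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def is_symantec_issued(issuer: str) -> bool:
    """Crude issuer match on the keyword list above."""
    return any(k in issuer.lower() for k in SYMANTEC_ISSUER_KEYWORDS)


def accepted_by_chrome(cert: CertRecord, chrome_version: int) -> bool:
    """True if the given Chrome release would still accept this certificate's validity period.

    The caps only apply to Symantec-issued certificates, and the strictest cap introduced
    by any release up to and including `chrome_version` is the one that counts.
    """
    if not is_symantec_issued(cert.issuer):
        return True
    applicable = [m for v, m in VALIDITY_CAP_MONTHS.items() if v <= chrome_version]
    if not applicable:
        return True  # release predates the first cap
    cap_months = min(applicable)
    return cert.not_after <= add_months(cert.not_before, cap_months)


def audit(certs, chrome_version: int):
    """Return the hostnames whose certificates the given Chrome release would reject."""
    return [c.host for c in certs if not accepted_by_chrome(c, chrome_version)]


# Constructed sample inventory (hostnames, issuers and dates are made up for this example).
SAMPLE_CERTS = [
    CertRecord("shop.example", "CN=Symantec Class 3 Secure Server CA - G4 (sample)",
               date(2016, 1, 15), date(2019, 1, 14)),   # 36-month cert
    CertRecord("mail.example", "CN=Symantec Class 3 Secure Server CA - G4 (sample)",
               date(2017, 1, 1), date(2018, 12, 31)),   # 24-month cert
    CertRecord("api.example", "CN=Symantec Class 3 Secure Server CA - G4 (sample)",
               date(2017, 3, 1), date(2017, 11, 1)),    # 8-month cert
    CertRecord("www.example", "CN=Example Root CA (sample, unaffected issuer)",
               date(2017, 3, 1), date(2019, 3, 1)),     # 24-month cert, not Symantec
]

if __name__ == "__main__":
    for version in (58, 59, 64):
        print(f"Chrome {version} would reject: {audit(SAMPLE_CERTS, version)}")
```

To feed real inventory into this, the notBefore/notAfter values of a PEM certificate can be read with `openssl x509 -noout -dates -in cert.pem` and the issuer with `openssl x509 -noout -issuer -in cert.pem`; the script itself is offline and needs no network access.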

This is just the most recent development in a dispute with Symantec's issuers going back close to two years. It seems that the January report, in which an independent security researcher found evidence that Symantec had improperly issued 108 new certificates, was just the tip of the iceberg. With Google now holding evidence of over 30,000 improperly issued certificates, its decision is more than justified.