Symantec: It was all a big misunderstanding

Dec 16, 2015 12:04 GMT

Symantec has finally shed some light on the events surrounding the "distrusting" of some of its certificates inside Google's products, blaming everything on a lack of clear communication between its representatives and Google's staff.

The whole affair started at the beginning of September, when Google discovered SSL certificates for its own domains that had been issued by the security vendor.

Google launched an inquiry into the matter, and later, in October, it found around 2,500 more certificates issued by Symantec for other domains, some of which hadn't even been registered yet.

Symantec explained that the certificates had been used only in an internal testing environment, hadn't been used for public sites in years, and were leaked by accident. Following the mishap, the company decided to pull the root certificate (PCA3-G1) altogether to avoid further complications.

Symantec explains itself

"In keeping with industry standards and best practices, Symantec notified major browsers in November, including Google, that they should remove or untrust a legacy root certificate from their lists called the VeriSign Class 3 Public Primary Certification Authority G1 (PCA3-G1)," a spokesperson told Softpedia.

"We advised this action because this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications."

"By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014," the spokesperson also said.

A lack of proper communication channels caused the whole Google-Symantec scandal

This response makes it look as though Google's security staff overreacted in their previous dealings with Symantec. That isn't the case. According to Rick Andrews, Technical Director at Symantec, the company acknowledges that its communication with Google could have been better.

"The recent flurry of conversation within the CA community about untrusting roots has opened our eyes to the need for more dialogue," said Mr. Andrews. "Moving forward, you can expect to see regular posts from us."

After the initial reports in September, and again in October, many hinted that Symantec, or one of its employees, was involved in shady dealings with SSL certificates on the black market. This statement clears the air around Symantec's name and reveals that everything was just a big misunderstanding.