Google announces plans to downgrade trust in Symantec certificates after more misissued HTTPS certificates come to light

Google has announced that it is downgrading the level of trust it places in Symantec certificates, following an investigation that revealed ‘a continually increasing scope of misissuance’ by Symantec over a period of several years, which Google says has exposed users to significant risk.

Google Chrome developers plan to restrict Transport Layer Security (TLS) certificates sold by Symantec-owned issuers after finding up to 30,000 problematic certificates since the investigation began. As a result, from early 2018, Chrome 64 will only trust Symantec certificates with a validity period of 279 days (nine months) or less.

Alongside the reduction in trust, Google has also proposed stripping Extended Validation (EV) status from Symantec certificates for at least one year. Under the proposal, all currently valid certificates issued by Symantec would eventually need to be reissued.
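The practical question for an operator is which certificates in their own estate fall under the rule described above. The following Go program is an added example, not code from Google, Symantec or the article, that applies the 279-day check to certificates parsed with the standard library's crypto/x509. Because the verdict depends on the issuer, it has to decide whether a certificate was issued by a Symantec-operated CA; the brand list it matches on (Symantec, VeriSign, GeoTrust, Thawte, RapidSSL) is an assumption made for illustration, and the authoritative list of affected roots is the one Google published. The certificates it examines are self-signed test certificates constructed inline so the program runs offline; in practice you would feed it PEM files exported from your inventory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// MaxValidity is the 279-day (nine-month) ceiling the article reports for
// Symantec-issued certificates once Chrome 64 ships.
const MaxValidity = 279 * 24 * time.Hour

// symantecBrands is an illustrative assumption: issuer Organization names this
// example treats as Symantec-operated. Google's published root list is authoritative.
var symantecBrands = []string{"symantec", "verisign", "geotrust", "thawte", "rapidssl"}

// Finding summarises why a certificate does or does not need replacing.
type Finding struct {
	Subject, Issuer, Reason string
	ValidityDays            int
	Symantec, Replace       bool
}

// IssuedBySymantec reports whether any issuer Organization matches a listed brand.
func IssuedBySymantec(cert *x509.Certificate) bool {
	for _, org := range cert.Issuer.Organization {
		for _, brand := range symantecBrands {
			if strings.Contains(strings.ToLower(org), brand) {
				return true
			}
		}
	}
	return false
}

// Assess applies the article's rule: a Symantec-issued certificate whose validity
// period exceeds 279 days will no longer be trusted and must be reissued.
func Assess(cert *x509.Certificate) Finding {
	validity := cert.NotAfter.Sub(cert.NotBefore)
	f := Finding{
		Subject:      cert.Subject.CommonName,
		Issuer:       strings.Join(cert.Issuer.Organization, ", "),
		ValidityDays: int(validity / (24 * time.Hour)),
		Symantec:     IssuedBySymantec(cert),
	}
	switch {
	case !f.Symantec:
		f.Reason = "not a Symantec-operated issuer; unaffected by this change"
	case validity > MaxValidity:
		f.Replace = true
		f.Reason = fmt.Sprintf("Symantec-issued with %d-day validity, over the 279-day limit", f.ValidityDays)
	default:
		f.Reason = "Symantec-issued but within the 279-day limit"
	}
	return f
}

// AssessPEM parses one PEM-encoded certificate and assesses it.
func AssessPEM(pemBytes []byte) (Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	return Assess(cert), nil
}

// SelfSignedPEM builds a constructed test certificate whose issuer Organization is
// org (self-signed, so issuer == subject) with the given validity period.
func SelfSignedPEM(cn, org string, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed samples: a three-year Symantec cert, a 90-day GeoTrust cert
	// and a two-year cert from an unrelated CA.
	for _, s := range []struct {
		cn, org  string
		validity time.Duration
	}{
		{"www.example.com", "Symantec Corporation", 3 * 365 * 24 * time.Hour},
		{"api.example.com", "GeoTrust Inc.", 90 * 24 * time.Hour},
		{"shop.example.com", "Example CA Ltd", 2 * 365 * 24 * time.Hour},
	} {
		p, err := SelfSignedPEM(s.cn, s.org, s.validity)
		if err != nil {
			panic(err)
		}
		f, err := AssessPEM(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-17s issuer=%-21s days=%-5d replace=%-5t %s\n", f.Subject, f.Issuer, f.ValidityDays, f.Replace, f.Reason)
	}
}
```

Only the first sample is flagged for replacement: the GeoTrust one is Symantec-operated under the assumed brand list but already inside the limit, and the third is not affected at all. Matching on issuer Organization is a coarse filter; a production check should compare the chain against the exact affected roots rather than brand strings.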

Kevin Bocek, Chief Cybersecurity Strategist for Venafi, has commented: “Issues emerging about the trust and validity of Symantec certificates are just one more example of how fragile the system of trust and privacy for the Internet is, and the reality is that most organisations are not prepared to respond effectively to them.

“This news also highlights how critical it is for businesses to be able to replace machine identities – keys and certificates used for SSL/TLS – quickly. Even small businesses can change passwords for all employees in minutes, but the largest global businesses with very sophisticated IT operations struggle to respond to an external event like this.

“Google is the eight hundred pound gorilla on this issue. They are likely to require the world’s largest banks, retailers, insurers and cloud providers to replace the identities tied to these questionable Symantec certificates because they turn on padlocks that let users know their transaction is secure.

“Solving this problem will be a massive challenge for businesses and governments. We know this because recent similar events illustrate how difficult most organisations find this process. The US federal government was given 18 months to install certificates on all webservers and failed. One year after Heartbleed, over half of Global 2000 businesses still couldn’t fully remediate Heartbleed by changing out keys.

“Speed and agility in protecting machine identities – being able to issue, replace, and recover from a security incident involving keys and certificates, including CA compromise – is required now more than ever. This is an alarm that can no longer be ignored.”
