According to various sources, Google and Symantec are fighting over who will lead the huge task of encrypting the internet. Symantec has rendered extended validation certificates to select companies, which is a cyber risk and security risk for certain domains and their users. Therefore, Google claims that these certificates are all misused and thus, their credibility will be downgraded.
Symantec is a CA giant in the world and its certification vouched is around thirty percent of the web in 2014-2015. Google claims, Symantec is neglecting its duties. Symantec has issued the 30,000 certificates without correctly verifying with websites that collected them. But Symantec criticize Google for calling them “Irresponsible and “Exaggerated and misleading”.
“Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of mis-issuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years,”
Ryan Sleevi, Google Software engineer, wrote a post about the case against Symantec. He said “This is also coupled with a series of failures following the previous set of mis-issued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.”
“These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared”.
There have been many discussions about what Symantec has done. Symantec did not properly filter the websites before providing them with certificates. This shows how most websites that received validation might be not safe for their users. It seems like Google and Symantec will continue their fight. Therefore, Symantec said they are “open to discussing the matter with Google in an effort to resolve the situation”. Websites owner those who use Symantec to substantiate their HTTPS connections will need to do something to confirm that the chrome users can access their websites without getting any security alerts and pop ups.
As Symantec, has cleave bind with four different organizations with the misissued certificates, so from now onwards Chrome might trust new Symantec certificates. Owner just need to swap their old documents with the new ones.