Certificates from Symantec

Why is Google Distrusting Symantec?
This entire situation started back in 2015 when Google contacted Symantec about some potentially mis-issued SSL certificates. That situation, in and of itself, was fairly negligible. But, the following year, when Google became aware of additional mis-issuances, it became of greater import because now Google could make the argument that it was losing trust in Symantec’s PKI.

Google argued that Symantec was not properly overseeing several of the region authorities it used to perform validation around the world. This, coupled with what Google now argued was a pattern of mis-issuances, set the grounds for the distrust. Symantec eventually went into negotiation with Google and agreed to partner with another Certificate Authority so that it could continue to issue certificates while simultaneously rebuilding its Public Key Infrastructure. The best way to accomplish this, in Symantec’s eyes, was to sell the CA part of its business to DigiCert, who would continue to operate it pretty much as is, with the exception of what roots the new certificates would now chain to.

Who was right? Google or Symantec?
That’s a complicated question. Let me start by saying that Hashed Out operates with a considerable degree of autonomy from The SSL Store, but it is worth noting that The SSL Store was a platinum elite partner with Symantec (and now with its new owners, DigiCert). That being said, Google was right about the mistakes that Symantec had made. And considering one of the mis-issued 2016 test certificates was for Google.com, it had a right to be pissed.

At the same time, Symantec wasn’t incorrect when it noted that no real world harm actually occurred. While they disagree on the number of mis-issued test certificates (33 vs. 30K – quite the range), nobody misused any of the certificates. Nobody lost money. No one died.

Google’s decision was a bit draconian. And I’m hedging by add “a bit.” It’s quite a leap to go from, “you mis-issued some test certificates” to “now I’m going distrust every SSL certificate that’s ever been issued off these roots.” It’s worth noting that Google (and Mozilla to some extent) were likely also trying to make an example out of Symantec, too. But as we will see on Tuesday, this is going to end up being massively disruptive in a way that I think few of the people who pushed for this expected.

But, there’s plenty of times for relitigating the dispute between Symantec and Google. There’s not much left time to re-issue if you’re using an affected certificate.

https://www.thesslstore.com/blog/symantec-re-issue-thousands-of-ssl-certificates-will-be-distrusted-tuesday/

On January 19, 2017, a public posting to the mozilla.dev.security.policy newsgroup drew attention to a series of questionable website authentication certificates issued by Symantec Corporation’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements. During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.

This incident, while distinct from a previous incident in 2015, was part of a continuing pattern of issues over the past several years that has caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure, and as a result, the certificates that have been or will be issued from it.

After our agreed-upon proposal was circulated, Symantec announced the selection of DigiCert to run this independently-operated Managed Partner Infrastructure, as well as their intention to sell their PKI business to DigiCert in lieu of building a new trusted infrastructure. This post outlines the timeline for that transition and the steps that existing Symantec customers should take to minimize disruption to their users.

 https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html