Google is considering a harsh punishment for repeated incidents in which Symantec or its certificate resellers improperly issued SSL certificates. A proposed plan is to force the company to replace all of its customers’ certificates and to stop recognizing the extended validation (EV) status of those that have it.
According to a Netcraft survey from 2015, Symantec is responsible for about one in every three SSL certificates used on the web, making it the largest commercial certificate issuer in the world. As a result of acquisitions over the years the company now controls the root certificates of several formerly standalone certificate authorities including VeriSign, GeoTrust, Thawte and RapidSSL.
SSL/TLS certificates are used to encrypt the connections between browsers and HTTPS-enabled websites and also to verify that users are actually visiting the websites they intended to and not spoofed versions. These certificates are issued by organizations known as certificate authorities that are trusted by default in browsers and operating systems.
The process of issuing and managing certificates is governed by rules created by the CA/Browser Forum, an organization whose members include browser vendors and certificate authorities. When those rules are violated, browser and OS vendors can revoke trust in the offending certificates and sanction the responsible certificate authorities, going as far as kicking them out of their root certificate stores.
Google says that an investigation into a recent incident indicates that Symantec has not upheld security practices expected of certificate authorities, such as validating domain control, auditing logs for evidence of unauthorized issuance, and minimizing the ability for the issuance of fraudulent certificates.
If Google’s plan is put into practice, millions of existing Symantec certificates will become untrusted over the next 12 months in Google Chrome. This will be a gradual process where every new Chrome release will distrust a new batch of certificates starting with Chrome 59, which will revoke trust in certificates that have a validity period of over 33 months.
This will put enormous pressure on Symantec, as the company will have to contact all customers, validate their identity and the ownership of their domains all over again, and replace their existing certificates with new ones, most likely at no cost.
Some companies will likely have problems replacing their certificates on such short notice, as they might be used in payment terminals and other hard-to-reach embedded devices.