Google vs. Symantec Certificates

If you run a website that uses SSL/TLS there is roughly a 30% chance you use an SSL certificate issued by Symantec (they bought VeriSign's certificate business, among others, and also issue under the Thawte, GeoTrust and RapidSSL brands), and this affects you. If you use Google Chrome to browse the web, and well over half of us do, then this will affect about 30% of the websites you visit.

The cornerstone of SSL encryption is trust. When I browse to a site that uses SSL I have to trust that the certificate correctly identifies the site. If I'm browsing a site like this one, which uses HTTPS (SSL encryption) but holds no personal data, requires no password, and has no store, then all I care about is that the traffic is encrypted. I can use Let's Encrypt, which is free but makes no attempt to identify the site owner. All it does is verify that the certificate requester controls the domain or the web server behind it. But if I visit a web shop or a financial institution then I want to be sure the site is who it says it is. This puts a greater burden on the certificate issuer to verify the legal identity of the certificate requester.

There are various levels of certificate validation. Certificates such as Let's Encrypt's are at the bottom of the list. They let the browser set up an encrypted connection to the site, but do nothing to verify the identity of the site's owner. They provide only domain validation (DV): the certificate matches the domain it is installed on, and the person requesting it had management access to that domain. Let's Encrypt is not alone here; every commercial CA, Symantec included, sells DV certificates, and a DV certificate from any of them looks the same in the address bar. The bad news is that the site shows a valid certificate and most people don't know about the various certificate levels. This can lead to abuse. For example, certificates for domain names containing "PayPal" can be used for phishing: a certificate for paypal.com.dsfwrfece.ru could be issued and used in a phishing email. While this is an abuse, it is not a violation of the rules certificate authorities are expected to follow, because the requester really does control that domain. The goal of encrypting everything is bumping against how people interpret that green lock in their browser address bar.

Then there are higher levels of certificates, and unlike Let's Encrypt these certificates are not available for free. At the highest level are Extended Validation certificates (EV certs). EV certs validate the legal entity that owns the website, and at the time of writing Chrome shows that entity's name in green next to the lock. Between domain validation and EV sit organization validation (OV) certificates. While there are differences among issuers, these certs generally validate an organization and its authority to administer the website.
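As an added example (not code from the original post): the classification a browser or a mail filter can make from the fields a certificate exposes. It works on the dictionary shape Python's ssl.SSLSocket.getpeercert() returns, with two constructed certificates standing in for a DV look-alike and a genuine OV certificate. The brand list and the two-label approximation of a registrable domain are simplifications I chose for illustration, not anything the post or any CA defines.

```python
# Two constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# Neither is a real certificate; the look-alike mirrors the post's paypal.com.dsfwrfece.ru case.
DV_LOOKALIKE = {
    "subject": ((("commonName", "paypal.com.dsfwrfece.ru"),),),
    "subjectAltName": (
        ("DNS", "paypal.com.dsfwrfece.ru"),
        ("DNS", "www.paypal.com.dsfwrfece.ru"),
    ),
}
OV_GENUINE = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "PayPal, Inc."),),
        (("commonName", "www.paypal.com"),),
    ),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}


def subject_field(cert, name):
    """Return the first Subject attribute with the given name (e.g. 'organizationName'), or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None


def validation_level(cert):
    """DV certificates carry no organization in the Subject; OV and EV certificates do.
    EV cannot be told apart from OV here, because getpeercert() does not expose the
    certificate policy OIDs that mark EV, so the two are reported together."""
    return "OV/EV" if subject_field(cert, "organizationName") else "DV"


def cert_hostnames(cert):
    """All DNS names the certificate covers: SAN entries first, then the CN if it is not already listed."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = subject_field(cert, "commonName")
    if cn and cn not in names:
        names.append(cn)
    return names


def lookalike_hostnames(cert, brands):
    """Hostnames where a brand appears as a subdomain label but is not the registrable domain.
    The registrable domain is approximated as the last two labels (assumption: this ignores
    public suffixes such as co.uk; a real check would consult the Public Suffix List)."""
    hits = []
    for host in cert_hostnames(cert):
        labels = host.lower().rstrip(".").split(".")
        registrable = ".".join(labels[-2:])
        for brand in brands:
            brand = brand.lower()
            in_subdomain = any(brand in label for label in labels[:-2])
            if in_subdomain and not registrable.startswith(brand + "."):
                hits.append(host)
                break
    return hits


if __name__ == "__main__":
    for name, cert in (("look-alike", DV_LOOKALIKE), ("genuine", OV_GENUINE)):
        print(name, validation_level(cert), lookalike_hostnames(cert, ["paypal"]))
```

The DV look-alike is a perfectly valid certificate for the domain its requester controls; only the combination of "no organization in the Subject" and "brand name buried in a subdomain" makes it suspicious, which is exactly the signal the address bar does not show.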

The hub of trust among all these certificates is the set of root certificates shipped with the operating system. (In some cases they ship with the specific software or browser instead; Firefox, for example, carries its own root store.) A website's certificate is trusted only if it chains, through any intermediate certificates, up to one of these roots, so a browser vendor's decision to distrust a root or limit what it accepts from that root reaches every certificate beneath it. Google documents their Root Certificate Policy here.

Google has concluded that Symantec violated these policies (its March 2017 announcement cites a series of mis-issued certificates and validation failures over several years) and is reducing Chrome's level of trust in all Symantec-issued certificates. While no action has yet been taken (except possibly in the latest developer release), beginning with Chrome 59 (Chrome 57 is currently the production release) Chrome will step down the maximum validity period, measured from the certificate's notBefore to its notAfter date, that it accepts for a Symantec certificate. By the time Chrome 64 is released a Symantec certificate can be valid for no more than 9 months. The same proposal strips EV recognition from Symantec-issued certificates, so an EV cert from them would display as an ordinary one. This will require Symantec to issue certificates more frequently and gradually age out certificates Google feels can no longer be trusted.
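As an added example (not code from the original post or from Google): a check a site operator can run against the dates of a Symantec certificate to see which Chrome release would be the first to reject it. The post states only the Chrome 59 start and the 9-month (279-day) endpoint at Chrome 64; the intermediate caps in the table are my reading of the phased schedule for the Stable channel in the March 2017 proposal and should be treated as assumptions to be verified against the current announcement. The two certificates are constructed, not real.

```python
import ssl

# Maximum validity period (notAfter - notBefore, in days) Chrome would accept for a
# Symantec-issued certificate, by Chrome milestone.  The post states the 59 start and the
# 279-day endpoint at 64; the values in between are assumptions taken from my reading of the
# proposal's phased schedule (Stable channel), expressed as 31-day months.
MAX_VALIDITY_DAYS = {59: 1023, 60: 837, 61: 651, 62: 465, 63: 465, 64: 279}
FINAL_CAP_DAYS = 279  # assumed to persist for every milestone after the last in the table
FIRST_CAPPED_VERSION = min(MAX_VALIDITY_DAYS)


def max_validity_days(chrome_version):
    """Cap for a milestone; None means no Symantec-specific cap (Chrome 58 and earlier)."""
    if chrome_version < FIRST_CAPPED_VERSION:
        return None
    return MAX_VALIDITY_DAYS.get(chrome_version, FINAL_CAP_DAYS)


def validity_days(cert):
    """Length of the validity period in whole days, from getpeercert()-style date strings."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400


def accepted_by_chrome(cert, chrome_version):
    """True if the certificate's validity period fits under that milestone's cap."""
    cap = max_validity_days(chrome_version)
    return cap is None or validity_days(cert) <= cap


def first_rejecting_version(cert, last_version=64):
    """First Chrome milestone (up to last_version) that would reject the certificate, or None."""
    for version in range(FIRST_CAPPED_VERSION, last_version + 1):
        if not accepted_by_chrome(cert, version):
            return version
    return None


# Constructed certificates: a typical 3-year and a 1-year Symantec-style validity period.
THREE_YEAR = {"notBefore": "Jan  1 00:00:00 2017 GMT", "notAfter": "Jan  1 00:00:00 2020 GMT"}
ONE_YEAR = {"notBefore": "Jan  1 00:00:00 2017 GMT", "notAfter": "Jan  1 00:00:00 2018 GMT"}

if __name__ == "__main__":
    for name, cert in (("3-year", THREE_YEAR), ("1-year", ONE_YEAR)):
        print(name, validity_days(cert), "days; first rejecting Chrome:", first_rejecting_version(cert))
```

The point to notice is that the check is on the certificate's total lifetime, not on how much of it is left: a 3-year certificate bought yesterday fails the Chrome 59 cap on day one, which is why the renewal question below cannot wait for the expiry date.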

Google's announcement states an intent, and Symantec disputes the severity and extent of the problem, so this may all get worked out before any action is actually taken. This sort of thing can have a big impact on Symantec's certificate business since their product, at its core, is trust. When DigiNotar suffered a security breach in 2011 that resulted in fraudulent certificates being issued (including a Google wildcard certificate used to intercept users' traffic), they were dropped by all major browsers and went bankrupt within a month. So Google's proposed actions are less severe than that precedent, and have yet to be followed by other major browsers.

Recommendation

If you have a Symantec certificate that needs renewal in the near future I'd recommend switching to another issuer if this hasn't been sorted out yet. I've used DigiCert in the past and find their customer service to be excellent, so I can recommend them. If all you need is domain validation, to encrypt all traffic (and get a ranking boost from Google), then Let's Encrypt is free and suits the purpose.