In an ongoing feud between Google and Symantec, Google labels Symantec’s SSL/TLS certificates as untrusted. Google and Symantec have been battling for years over Symantec’s ability as a CA (certificate authority) and their process of validating their SSL certs.
“…causing us to no longer have confidence in the certificate issuance policies and practices of Symantec…”
Ryan Sleevi, one of Google’s engineers, had quite a few things to say about Symantec’s failure as a CA in Google group forum, and even suggested a short list of steps Google should take to secure its Chrome users. Essentially the list amounted to declaring Symantec’s SSL certs void. In Ryan’s statement he expressed serious concerns over the amount of mis-issued certificates and the fact that the problem seems to be a long standing, and with Symantec doing very little to fix the issues.
Google has had this conversation with Symantec before, which is why the tone of the conversation has taken such a harsh turn. In fact, Google and Symantec have visited this same discussion several times since mid-2015. The positions have been the same each time. Google says, “Fix your validation process and policies.” And Symantec replying, “There is no problem with our practices.”
Unfortunately for Symantec, Google has all the power here. With Google having the bear’s share of the browser market, and the ability to suddenly un-trust Symantec’s SSL certificates, Symantec is at quite a disadvantage. Which brings us to another question; Is Symantec being unfairly targeted?
“While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.”
Symantec has always maintained that their certificates follow all the proper procedures and they have taken every possible step to maintain a trusted acceptance with their partners. Symantec continues, they have no more issues than any other CA, and that they are being unfairly picked on by Google.
While the lists of suggestions in Sleevi’s blog post do carry weight, it is unclear if Google will in-fact push them through in future updates to the Chrome browser. If that does happen, there could be a lot of very unhappy site owners.