Google Chrome May Start Distrusting Symantec's Certificates


Google has made no secret of its commitment to making the web a more secure place, and its ongoing investigation into possible mishandling and wrongful issuing of web certificates by Symantec has led it to open a discussion about severely lowering the level of trust that Chrome puts in Symantec-issued certificates by default. According to Google, Symantec has been giving out certificates, i.e. attestations that a site really is the domain it declares itself to be, without properly validating the requests behind them, resulting in subpar web security for everyone. The Mountain View-based Internet company claims that Symantec has so far wrongfully issued approximately 30,000 certificates.

The proposed timeline for the deprecation of the Symantec-issued certificates gives webmasters and Symantec about nine months from this coming holiday season to clean up their act and issue new certificates. Extended Validation status certificates, however, are set to be deprecated as soon as possible. Around the holiday season, Google plans to put out version 64 of Chrome on the stable channel, and stated that it will keep disruption to a minimum by waiting out the typical holiday production freeze that many companies observe before halting support for the certificates. This timeline also means that older certificates signed with the obsolete SHA-1 hash algorithm will have ample time to disappear before Google drops the hammer, making for as little visible change for webmasters and users as possible. New certificates issued by Symantec during the gradual deprecation are to have no more than nine months of validity, unless something changes in the meantime.

Part of the proposed plan by Google is to give all currently issued Symantec certificates a countdown, a shelf life of sorts, that webmasters using the certificates are to be made aware of. This gives webmasters ample time to obtain new certificates, and provides Symantec with enough time to either tweak existing certificates and prove compliance with Google's security standards, or to make a case with Google as to why their currently issued certificates should be trusted. For their part, Symantec essentially said that Google is blowing things out of proportion, and is irresponsibly causing a panic. Without further objection or cooperation from Symantec, the plan will begin as soon as version 59 of Chrome hits the dev channel.


Copyright ©2017 Android Headlines. All Rights Reserved.

Senior Staff Writer

Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include machine learning, voice assistants, and AI technology development news in the Android world. Contact him at [email protected]
