Google Chrome May Start Distrusting Symantec’s Certificates

March 28, 2017 - Written By Daniel Fuller

Google has made no secret of its commitment to making the web a more secure place, and their ongoing investigation into possible mishandling and wrongful issuing of web certificates by Symantec has led them to open a discussion about the possibility of severely lowering the level of trust that Chrome puts in Symantec-issued certificates by default. According to Google, Symantec has been giving out certificates, i.e. verifications that a domain is safe to browse and is what it declares itself to be, without properly validating them, resulting in subpar web security for everyone. The Mountain View-based Internet company claims that Symantec has so far wrongfully issued approximately 30,000 certificates.

The proposed timeline for the deprecation of the Symantec-issued certificates gives webmasters and Symantec about nine months from this coming holiday season to clean up their act and issue new certificates. Extended Validation status certificates, however, are set to be deprecated as soon as possible. Around the holiday season, Google plans to put out version 64 of Chrome on the stable channel, and stated that they will cause minimal disruption by waiting out the typical holiday production freeze that many companies experience before halting support on the certificates. This timeline also means that older certificates issued with the obsolete SHA-1 standard will have ample time to disappear before Google drops the hammer, making for as little visible change for webmasters and users as possible. New certificates issued by Symantec during the gradual deprecation are to have no more than nine months of validity, unless something changes in the meantime.

Part of the proposed plan by Google is to give all currently issued Symantec certificates a countdown, a shelf life of sorts, that webmasters using the certificates are to be made aware of. This gives webmasters ample time to obtain new certificates, and provides Symantec with enough time to either tweak existing certificates and prove compliance with Google’s security standards, or to make a case with Google as to why their currently issued certificates should be trusted. For their part, Symantec essentially said that Google is blowing things out of proportion, and is irresponsibly causing a panic. Without further objection or cooperation from Symantec, the plan will begin as soon as version 59 of Chrome hits the dev channel.