Google squeezes Symantec until it certs

Beginning with Chrome 66, Google will remove trust for Symantec-issued certificates issued before June 1, 2016

Google has finalised a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world's most popular browser.

"Companies are staring down the barrel of a boat load of work," said David Anthony Mahdi, a research director at Gartner, and the industry research firm's resident expert on digital certificates and the CAs (certificate authorities) that issue them. "This is massive."

Beginning with Chrome 66, currently set to show up the third week of April next year, Google will "remove trust in Symantec-issued certificates issued prior to June 1, 2016," wrote three members of the browser's security team, in a post to a company blog.

"If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome."

A follow-up version of Chrome, slated for debut a little more than a year from now, will untrust every Symantec certificate, no matter when it was issued.

When Google removes trust from the certificates, users will begin seeing messages, some explicit, others subtler, informing them that the connection between them and the website is insecure.

During the year-long process that Google laid out this week, it will gradually untrust any certificate that chains to roots maintained by Symantec, including those issued by the brand-named CAs (certificate authorities) Symantec has swallowed over the years, like Equifax, GeoTrust, and, of course, VeriSign.

Here's the Google untrust calendar

Google's schedule looks like this:

Oct. 22-28, 2017: Google will release Chrome 62, which adds a new feature under the "Developer Tools" menu item (under the "View/Developer" menu) that shows affected certificates.

December 2017: DigiCert, which plans to buy Symantec's certificate business for nearly US$1 billion, is supposed to have a new "Managed Partner Infrastructure" up and running that month, and be able to issue replacement certificates for those Chrome will untrust in 2018.

April 15-21, 2018: All Symantec-issued certificates obtained before June 1, 2016, will be marked as untrusted by Chrome 66, which will release during that week.

October 21-27, 2018: All certificates that chain to Symantec's pre-December 2017 rooted infrastructure will be untrusted by Chrome 70, slated to release that week.
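For site operators sorting an inventory against the schedule above, the following added example (not code from Google or from the original article) reads the issuer and issue date that `openssl x509 -noout -issuer -startdate` prints and maps each certificate to the Chrome 66 or Chrome 70 milestone. The function names and sample records are constructed for illustration, and matching brand names in the issuer text is an assumption of this sketch.

```python
from datetime import datetime, timezone

# Brand names come from the article. Matching them in the issuer text is an
# assumption of this sketch; Chrome decides by the root a chain ends at.
SYMANTEC_BRANDS = ("symantec", "geotrust", "verisign", "equifax")
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)  # issuance cutoff for Chrome 66

CHROME_66 = "replace before Chrome 66 (April 2018)"
CHROME_70 = "replace before Chrome 70 (October 2018)"
UNAFFECTED = "no Symantec brand in issuer"

def parse_openssl_fields(text):
    """Read issuer and notBefore from `openssl x509 -noout -issuer -startdate` output."""
    issuer = not_before = None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "issuer":
            issuer = value.strip()
        elif key.strip() == "notBefore":
            stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            not_before = stamp.replace(tzinfo=timezone.utc)
    if issuer is None or not_before is None:
        raise ValueError("expected issuer= and notBefore= lines")
    return issuer, not_before

def classify(issuer, not_before):
    """Map one certificate onto the schedule's two distrust milestones."""
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return UNAFFECTED
    return CHROME_66 if not_before < CUTOFF else CHROME_70

def triage(inventory):
    """inventory maps a host label to openssl output; returns host -> action."""
    return {host: classify(*parse_openssl_fields(out)) for host, out in inventory.items()}

# Constructed sample output (not real certificates).
SAMPLES = {
    "old.example.com": "issuer=C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3\n"
                       "notBefore=May  9 00:00:00 2016 GMT\n",
    "new.example.com": "issuer=C = US, O = Symantec Corporation, CN = Symantec Class 3 Secure Server CA - G4\n"
                       "notBefore=Jun  1 00:00:00 2016 GMT\n",
    "other.example.com": "issuer=C = US, O = Example CA, CN = Example Issuing CA\n"
                         "notBefore=Jan 15 12:00:00 2016 GMT\n",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLES).items():
        print(f"{host}: {action}")
```

A result of "no Symantec brand in issuer" only reflects the name of the immediate issuer, so the rest of the chain still needs checking before a certificate is treated as unaffected.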

Google vs. Symantec

The dispute between Google and Symantec, which led to the former punishing the latter using Chrome as a club, has been months, years even, in the making.

First in 2015, then much more emphatically in early 2017, Google (and other browser developers, notably Mozilla) charged that Symantec and its partners were improperly issuing certificates, violating the rules set by the CA/Browser Forum, a standards group whose members include browser makers and certificate authorities.

Google decided that Symantec's problems were endemic, and that the accumulating incidents were proof that the CA could not be trusted to issue the certificates that were, in fact, the basis of trustworthiness on the Web - proving that, say, a website is what it claims to be, and not a fake that would steal users' money or credentials or data.

That Google was able to force Symantec to comply with its demands, and then in early August actually sell its CA business to Utah-based DigiCert - withdrawing from the industry altogether - speaks to the power of the search giant, notably its Chrome browser.

"Clearly, Google is very, very powerful," said Mahdi.

In this case, Google's power, "leverage" may be a better word, comes from the dominance of Chrome.

According to metrics vendor Net Applications, Google accounted for nearly 60 per cent of the world's browser user share, an estimate of the portion of the globe's personal computers that used Chrome to reach sites during August.

Chrome's command of the browser market has been a relatively recent phenomenon: Google only passed Microsoft as the planet's most popular browser maker in May 2016.

If Google decided to untrust all Symantec certificates, site operators would have no choice but to replace those certificates.

If they did not, they would risk losing a landslide majority of potential customers, who would be motivated to patronise rivals' websites secured by other CA certs. Notably, financial firms would face a hurricane of customer complaints when they were told to drop Chrome and pick another browser.

While Mozilla has raised similar complaints, Firefox's maker would almost certainly not have been able to pressure Symantec to radically change its CA practices and processes, simply because of that browser's place.

In August, for instance, Net Applications pegged Firefox as having a global user share of just 12 per cent, a fifth of Chrome's.

What now?

Although companies are staring at calendar dates as close as next spring, there is no clear direction yet from either Symantec or its successor, DigiCert, on the process of replacing the soon-to-be-untrusted certificates.

Gartner's Mahdi pointed out that he was in the dark as much as Symantec's CA customers, even after speaking with executives from both that firm and DigiCert.

"How are the certificates going to be migrated? What's the pricing going to look like?" Mahdi asked, citing unanswered questions that Gartner's clients have posed to him. "What clients want is a game plan."

Which they don't really have. Not yet.

Mahdi's advice at this point? Prepare, as one would when site certificates come up for renewal.

"There are a lot of options," he said. "If you're a current Symantec customer, get a game plan from them as soon as they have one. Ask what kind of incentive they'll give to get you to stay.

"But there are competitors out there, such as Entrust, GlobalSign and Comodo. Certificates are a fairly commoditised market. People usually select [a vendor] based on price, brand and support.

"Look at at least three providers, just as you would at renewal time."

This article originally appeared on Computerworld.
