Risk & Repeat: Symantec offers plan to restore certificate trust

Symantec proposed massive changes to its certificate authority business, but the changes may not be enough to restore certificate trust in the eyes of the world's biggest web browser companies.

After a lengthy back and forth with Mozilla and Google regarding issues discovered with its certificates, Symantec recently offered a wide-ranging plan to address the issues. Google sparked the feud in March, when the Chrome developer team posted a report on a "series of failures" within Symantec's certificate authority, and proposed deprecating and reducing certificate trust for the antivirus vendor.

Symantec initially chastised Google for going public with its findings, and accused the search engine giant of singling it out. However, after Mozilla joined the discussion and expressed concern over extensive problems with Symantec's certificate authority practices, Symantec relented, and offered an extensive, 11-point plan to address concerns raised by the two web browser companies.

"Even though our past mis-issuance events have not, to our knowledge, resulted in customer harm, we consider compliance with industry standards a critical responsibility of our CA business," Symantec wrote in a blog post. "We believe our multifaceted proposal addresses the concerns regarding the trustworthiness of Symantec's past and future SSL/TLS certificate issuances."

But some aren't convinced Symantec's proposal will be enough to restore certificate authority trust. In this week's episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss the latest chapter in the ongoing dispute over Symantec certificates.