
Symantec asks browser makers to distrust one of its root certificates

Symantec announced it will retire one of its root certificates because the root relies on an outdated key size and hash algorithm, and Google made sure users knew the risks.

Symantec Corp. has stopped using the VeriSign G1 root to issue public Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates, as well as code signing certificates, because the root's key size and signature hash no longer meet current industry standards. The vendor has asked browser makers to distrust the root as a result.

According to Symantec, the decision came from a routine evaluation of its root certificates. The certificate in question relies on older, lower strength cryptography, Secure Hash Algorithm 1 (SHA-1) signatures and a 1024-bit RSA key, that is no longer permitted under the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates, the industry standard set by the consortium of certificate authorities and browser makers. Symantec also claimed the root is not being used on the public Internet, so it does not pose a risk.
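The two properties the article cites, a SHA-1 signature and a 1024-bit key, are exactly what an auditor checks when deciding whether a root or any certificate in a chain still meets the Baseline Requirements. The following Go program is an added example, not code from Symantec, Google or the article: it constructs a throwaway self-signed root with the weak profile described above (and a 2048-bit, SHA-256 one for comparison), then runs a small audit over each parsed certificate. The thresholds encoded in `AuditCertificate` (RSA at least 2048 bits, ECDSA at least 256 bits, no MD2/MD5/SHA-1 signature hash) are the current Baseline Requirements minimums as the author of this example understands them; the certificate names and helper functions are assumptions for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeSelfSignedRoot builds a self-signed CA certificate with an RSA key of
// the requested size, signed with the requested algorithm. It is a constructed
// test fixture (not a real VeriSign root) so the audit below runs offline.
func MakeSelfSignedRoot(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SignatureAlgorithm:    alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// weakSignature reports signature algorithms whose hash (MD2, MD5 or SHA-1)
// the Baseline Requirements no longer allow for publicly trusted certificates.
func weakSignature(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA,
		x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// AuditCertificate returns one finding per key-strength or signature-hash
// violation in c; an empty result means nothing was flagged. Thresholds
// (assumed here from the Baseline Requirements): RSA modulus >= 2048 bits,
// ECDSA curve >= 256 bits, no MD2/MD5/SHA-1 signature hash.
func AuditCertificate(c *x509.Certificate) []string {
	var findings []string
	if weakSignature(c.SignatureAlgorithm) {
		findings = append(findings,
			fmt.Sprintf("signature algorithm %s uses a deprecated hash", c.SignatureAlgorithm))
	}
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if n := pub.N.BitLen(); n < 2048 {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits; minimum is 2048", n))
		}
	case *ecdsa.PublicKey:
		if n := pub.Curve.Params().BitSize; n < 256 {
			findings = append(findings, fmt.Sprintf("ECDSA curve is %d bits; minimum is 256", n))
		}
	default:
		findings = append(findings, fmt.Sprintf("unsupported public key type %T", pub))
	}
	return findings
}

func main() {
	profiles := []struct {
		bits int
		alg  x509.SignatureAlgorithm
	}{
		{1024, x509.SHA1WithRSA},   // the profile the article describes
		{2048, x509.SHA256WithRSA}, // current minimum for a public root
	}
	for _, p := range profiles {
		cert, err := MakeSelfSignedRoot(p.bits, p.alg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-bit RSA, %s:\n", p.bits, p.alg)
		findings := AuditCertificate(cert)
		if len(findings) == 0 {
			fmt.Println("  no findings")
		}
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The same `AuditCertificate` function can be pointed at a real trust store by reading each PEM file with `encoding/pem` and `x509.ParseCertificate`; the constructed roots above only exist so the example runs without network or filesystem access. Note that a root's own self-signature is not what browsers rely on (the root is trusted by inclusion in the store, not by its signature), so the 1024-bit key is the more serious of the two findings for a root, while the SHA-1 hash matters for every certificate issued beneath it.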

However, Google announced that it would move to distrust the root certificate because it "represents an unacceptable risk to users of Google products."

"As this root certificate will no longer adhere to the CA/Browser Forum's Baseline Requirements, Google is no longer able to ensure that the root certificate, or certificates issued from this root certificate, will not be used to intercept, disrupt or impersonate the secure communication of Google's products or users," Ryan Sleevi, software engineer at Google, wrote in a blog post. "As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google's users, they have requested that Google take preventative action by removing and distrusting this root certificate."

Noah Edwardsen, senior manager of corporate communications for Symantec, said this root hasn't been used to generate new certificates in years.

"In keeping with industry standards and best practices, Symantec notified major browsers in November -- including Google -- that they should remove or untrust a legacy root certificate from their lists, called the VeriSign Class 3 Public Primary Certification Authority G1," Edwardsen said in a statement to SearchSecurity. "We advised this action because this particular root certificate is based on older, lower strength security that is no longer recommended, hasn't been used to generate new certificates in several years and will now be repurposed to provide transition support for some of our enterprise customers' legacy, nonpublic applications."

Edwardsen added that by announcing that it will be blocking this root certificate, Google is doing exactly as Symantec requested.

Other browsers, including Mozilla Firefox, had dropped support for the certificate in 2014 as part of removing 1024-bit roots from their trust stores. Google announced in September 2014 that it would begin sunsetting certificates that use SHA-1, and published research at the time estimated that a practical SHA-1 collision was within reach of a well-funded attacker.

As of publication, Google had not responded to requests for comment.
