Google's Chromium team claimed Symantec's certificate authority failed to properly validate as many as 30,000 certificates...
over several years and proposed severe penalties for the security software giant.
The Chromium team announced Thursday that, in January, it had begun an investigation into a "series of failures" by the Symantec certificate authority to properly validate its certificates. Google claimed "a continually increasing scope of misissuance" during the course of its investigation revealed at least 30,000 misissued certificates spanning several years.
"This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," wrote Ryan Sleevi, software engineer and tech lead for Chrome's networking security team at Google.
The Chromium team proposed reducing the validity period for any new Symantec certificates to nine months, requiring all Symantec-issued certificates be revalidated and replaced. And the team also proposed removing the Extended Validation status of Symantec-issued certificates for at least one year.
"Root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs," Sleevi wrote.
However, based on the details provided publicly by Symantec, Sleevi wrote, "We do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users."
Symantec responded with a blog post Friday in which it accused Google of singling out the Symantec certificate authority and called Google's actions "irresponsible." Symantec wrote the following in its statement:
Google's statements about our issuance practices and the scope of our past misissuances are exaggerated and misleading. For example, Google's claim that we have misissued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates -- not 30,000 -- were identified as misissued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner's appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.
Evidence cited by Google against the Symantec certificate authority included permitting outside parties access to its infrastructure, failure to oversee certificate-issuance capabilities and, "when presented with evidence of these organizations' failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them," Sleevi wrote. He added that these problems continued over a period of several years "and were trivially identifiable from the information publicly available or that Symantec shared."
While noting that certificates issued by the Symantec certificate authority represented a significant share of "valid certificates by volume," and that untrusting them all at once would impose risks on the community, the Chromium team proposed "a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements."
Google first found irregularities in Symantec's certificate authority operations in 2015, when Google discovered Symantec had issued Extended Validation certificates for domains not owned by Symantec -- including EV certificates for Google-owned domains. EV certificates are the highest level of authentication for linking a corporation or individual with a domain. Google sanctioned Symantec over that incident in 2015, requiring all Symantec certificates be submitted to Certificate Transparency logs starting in June 2016.
However, Symantec was in the spotlight again earlier this year when Andrew Ayer, founder of SSLMate, used Certificate Transparency logs to uncover over 100 additional improperly issued certificates by the Symantec certificate authority. Symantec issued a report on the second incident, in which it stated it had revoked certificate-issuance privileges from its Korean registration authority partner, CrossCert, after improprieties were discovered. In its ensuing investigation, the Chromium team determined that as many as 30,000 certificates had been misissued.
Find out more about how certificate pinning can improve certificate authority security
Learn more about using the Let's Encrypt open certificate authority in the enterprise
Read about how to acquire digital certificates