Facing potentially costly and disruptive measures from Google's proposed plan to deprecate and remove trust in...
its certificates, Symantec posted a counter-proposal that it claims will balance the needs of all affected parties.
In January, security researcher Andrew Ayer discovered about 100 improperly issued certificates traced to the Symantec certificate authority. In March, the Google Chrome announced that an investigation into the Symantec certificate authority business revealed a "series of failures" and proposed a plan that included reducing the validity period for any new Symantec certificates to nine months, revalidating and replacing all Symantec-issued certificates, and removing the Extended Validation status of Symantec-issued certificates for at least one year.
Symantec, however, pushed back and argued that Google had singled out Symantec and suggested the search giant was trying to create "uncertainty and doubt" about Symantec's certificates. But the pressure on Symantec mounted when Mozilla joined the fray and highlighted its own concerns with the Symantec certificate authority. The antivirus company eventually proposed its own solutions to the issues raised by Google and Mozilla.
Symantec's proposal "addresses the concerns raised by Google about our CA business without imposing undue business disruption on our customers and Chrome users that we believe would result if Google implements its proposal," said Roxane Divol, executive vice president and general manager for Symantec Website Security, in a statement provided to SearchSecurity.
"Even though our past mis-issuance events have not, to our knowledge, resulted in customer harm, we consider compliance with industry standards a critical responsibility of our CA business," Symantec announced in its blog post detailing the plan for the Symantec certificate authority. "We believe our multi-faceted proposal addresses the concerns regarding the trustworthiness of Symantec's past and future SSL/TLS certificate issuances."
The Symantec certificate authority proposal aims to increase transparency through more frequent and expanded audits, publication of a quarterly letter updating the community on progress Symantec CA is making, and working together with the CA/Browser Forum to develop or update guidelines for handling customer requests that conflict with CA/Browser Forum baseline requirements.
Symantec also proposed to offer optional shorter validity certificates; domain revalidation for certificates with validity period longer than nine months; "further increasing our investment in the Security and Risk function of our CA operations, with a focus on our security and compliance controls and risk assessments;" update its Root Program to reflect appropriate use-cases for different types of certificates; and use Symantec's Global Intelligence Network "to identify encrypted websites that have an increased threat risk based on our rating categorization and take appropriate action to mitigate risk for our certificates associated with such sites."
Symantec noted in its blog post that it sought feedback from its customers, who include "many of the largest financial services, critical infrastructure, retail and healthcare organizations in the world, as well as many government agencies."
Symantec certificate authority practices have come under increased scrutiny since 2015 when Google discovered that Symantec had issued test certificates for domains it did not own -- including Google domains. As a result, Google required Symantec certificates be entered into Certificate Transparency logs as well as additional third-party audits for Symantec certificate authorities.
Rejected option for Symantec certificate authority?
Ryan Sleevi, software engineer and tech lead for Chrome's networking security team at Google, provided some additional context to the Symantec certificate authority proposal on the Mozilla developer security policy forum.
Tyrel M. McQueen, associate professor of chemistry at Johns Hopkins University
Sleevi wrote that "the Chrome team met with Symantec's leadership to personally discuss and explain the issues and concerns raised, despite having been in communication with Symantec over these issues for months. As the number of issues that Symantec has had was so great, we were unable to provide our perspective of the many failures and the concerns that they signaled, and thus, a second meeting was scheduled."
In his post, Sleevi shared information about the discussions held over the previous two weeks between Symantec and Google -- including offering Symantec an "easy out" option to stay in the certificate authority business by effectively turning over Symantec certificate authority operations over to one or more existing CA.
Some browser community members expressed concern over the possibility that the Symantec certificate authority might avoid serious consequences for its pattern of past actions.
"I am quite disappointed by Symantec's proposed remediation plan. Intentional or not, [this] response seems to indicate they don't really understand the potential consequences of many of their past actions," wrote Tyrel M. McQueen, associate professor of chemistry at Johns Hopkins University, who commented on the proposal from Symantec on the Mozilla developer security policy forum in his capacity as a private citizen.
While noting Symantec's proposal was "no doubt appealing to Symantec and its customers," McQueen wrote that it does "not address the significant relying party risks introduced by [Symantec's] past actions, including allowing various third parties carte blanche to issue certs chaining to publicly trusted roots without meaningful oversight."
McQueen pointed out that no one, including Symantec, "has a full view of all the past actions (e.g. cross-signs, creation of unconstrained CAs, etc.) under their existing roots; and the scope of issues here are more serious than other cases that have led to full dis-trust under Mozilla's program."
Richard Wang, former CEO of WoSign, the Chinese certificate authority that was dropped from Mozilla's list of trusted certificate issuers last year, joined the policy list conversation to support Symantec's proposal. He wrote "it is disastrous for [a] CA and its customers to replace the certificate[s] that exceed[s] your imagination," and added that WoSign is still working on cleaning up the certificate mess nearly six months later.
"Due to the quantity of Symantec customers is more than WoSign and most companies are bigger than WoSign's customers, I am sure that the interoperability and compatibility failures could bring big problem to Symantec, to Symantec customers and the Browser users," Wang wrote, adding "I think Symantec's proposal is good and will benefit its customers that it will not make the world mess."
Find out about how Certificate Transparency prevents certificate abuse
Learn about managing certificate authority risks
Read about how TLS 1.3 helps certificate authorities