Google put its foot down and made it sharply clear that it will no longer tolerate Symantec's mistakes when handling security certificates.
Symantec's sloppy practices, which allowed the security company to issue faulty Web certificates, have to stop, Google made clear. To that end, Google drafted a list of guidelines and requests intended to prevent such problems from recurring.
"Employee error", Symantec said, is the reason why a number of certificates were issued without the approval of either Google or Symantec. This happened in September and was a serious liability: the certificates allowed attackers to impersonate Google pages protected by HTTPS. After an internal investigation identified those responsible for the security lapse, Symantec fired a number of its employees.
If such problems recur, the risk to Internet users rises and may include data theft, session hijacking, and even remote surveillance. The recent discovery of additional bogus certificates makes it clear that the problem was larger than first thought.
Symantec recently addressed a similar issue in a statement, pointing out that the Extended Validation (EV) pre-certificates were revoked the moment the security firm learned of the problem. It further stated that the short-lived pre-certificates did not endanger anyone who used Google's search page during their existence.
A full report describing the issue showed that 23 other test certificates were issued without authorization, leaving Opera, Google and three other brands exposed. Further investigation uncovered 164 more certificates for 76 registered domains, along with 2,458 certificates for domains that remain unregistered.
Google software engineer Ryan Sleevi underlined that his company detected even more troublesome certificates in a very short time. It is apparent that the number of fraudulent certificates issued by Symantec is huge, running into the thousands.
To prevent similar problems in the future, Google demands that Symantec implement Certificate Transparency for every certificate it issues. If Symantec does not comply, Google Chrome will warn its users that pages secured with Symantec certificates are unsafe.
The deadline for Symantec to implement these changes to its certificates is June 1, 2016.
Starting June 2, 2016, HTTPS websites that use Symantec certificates not compliant with Google's request will display warnings about the page's untrusted content. This could deal a heavy blow to the security company's reputation and, ultimately, to its market value.
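Certificate Transparency means each certificate carries Signed Certificate Timestamps (SCTs) from public logs, which a browser such as Chrome inspects before trusting the certificate. As an added illustration, not code from the article or from Google or Symantec, the Python below decodes the SCT list that a CA embeds in a certificate (the RFC 6962 wire format found under the extension OID below) and applies a simple policy; the log IDs, timestamps and signatures are constructed sample data, the two-log threshold is an assumption, and the log signatures themselves are not verified.

```python
import struct
from datetime import datetime, timezone
# X.509 extension OID under which a CA embeds SCTs in a certificate (RFC 6962 s3.3)
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

def parse_sct(sct: bytes) -> dict:
    """Decode one SignedCertificateTimestamp (v1): version, log ID, timestamp, extensions, signature."""
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]                                 # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack(">Q", sct[33:41])         # milliseconds since the Unix epoch
    (ext_len,) = struct.unpack(">H", sct[41:43])
    pos = 43 + ext_len                                 # skip CT extensions (empty for v1 in practice)
    hash_alg, sig_alg = sct[pos], sct[pos + 1]         # TLS SignatureAndHashAlgorithm bytes
    (sig_len,) = struct.unpack(">H", sct[pos + 2:pos + 4])
    sig = sct[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated SCT signature")
    return {"log_id": log_id.hex(), "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}

def parse_sct_list(blob: bytes) -> list:
    """Decode a SignedCertificateTimestampList: uint16 total length, then uint16-prefixed SCTs."""
    (total,) = struct.unpack(">H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        scts.append(parse_sct(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def meets_ct_policy(scts: list, distinct_logs: int = 2) -> bool:
    """Assumed policy: SCTs from at least `distinct_logs` different logs (signatures not verified here)."""
    return len({s["log_id"] for s in scts}) >= distinct_logs

# --- constructed sample data for the demo (not real log IDs or signatures) ---
def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + struct.pack(">H", 0)
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)   # 0x04 = SHA-256, 0x03 = ECDSA
def build_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(b"\x11" * 32, 1_443_000_000_000, b"\x30\x00"),   # fake log A, September 2015
    build_sct(b"\x22" * 32, 1_443_000_001_000, b"\x30\x00"),   # fake log B, one second later
])
```

On a real certificate the bytes passed to parse_sct_list are the contents of the extension's DER OCTET STRING; a full check would also verify each signature against the corresponding log's public key.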
Google also expects Symantec to undergo a third-party audit and a Point-in-time Readiness Assessment meant to verify Symantec's compliance with these quality guidelines:
- WebTrust Principles and Criteria for Certification Authorities
- WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security
- WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL
The search engine giant further asked Symantec to explain what steps it will take to ensure that such lapses are avoided for good.