Google announces plan to distrust Symantec SSL certificates

Google has announced its final decision to distrust Symantec CA Brand SSL certificates—this includes Symantec, RapidSSL, GeoTrust and Thawte.

Google’s first distrust will coincide with the stable release of Chrome 66, expected in the last week of April 2018. It will affect every Symantec CA Brand SSL certificate issued before June 1, 2016. This will be the largest group of distrusted certificates, for two reasons: it knocks out the majority of 2- and 3-year Symantec CA Brand certificates, and by the time the second distrust arrives most websites should already have re-issued their certificates.

The second distrust will occur with the stable release of Chrome 70 and will cover every remaining SSL certificate issued from Symantec CA roots, regardless of when it was issued.
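The practical question for a site operator is which of the two phases, if either, applies to the certificate currently served. The following Python is an added example, not code from the original post or from Google or Symantec: it classifies a certificate from the shape of the dictionary that `ssl.SSLSocket.getpeercert()` returns (issuer RDNs plus a `notBefore` string) using the two dates above. The brand keywords it matches against the issuer's organizationName are an assumption of how Symantec CA Brand intermediates are named; because `getpeercert()` returns only the leaf, matching the direct issuer is a heuristic, not a substitute for walking the chain to the root. The sample certificates are constructed to illustrate the rule and are not real certificates.

```python
import ssl
import socket
from datetime import datetime, timezone

# Phase-one cut-off from Google's plan: a Symantec CA Brand certificate whose
# notBefore is earlier than this date is distrusted in Chrome 66; any other
# certificate chaining to a Symantec root is distrusted in Chrome 70.
PHASE_ONE_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Assumption: keywords that appear in the organizationName of Symantec CA Brand
# issuing CAs (Symantec, GeoTrust, Thawte, RapidSSL). Matching the leaf's direct
# issuer is a heuristic; the authoritative test is which root the chain ends at.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")


def distrust_phase(issuer_org, not_before):
    """Return 'chrome66', 'chrome70', or None if the certificate is unaffected.

    issuer_org: organizationName of the issuing CA.
    not_before: timezone-aware datetime of the certificate's notBefore.
    """
    if not any(brand in issuer_org.lower() for brand in SYMANTEC_BRANDS):
        return None
    # "Issued before June 1, 2016" is a strict comparison; a certificate with
    # notBefore exactly at the cut-off falls into the Chrome 70 phase.
    if not_before < PHASE_ONE_CUTOFF:
        return "chrome66"
    return "chrome70"


def issuer_field(cert, key):
    """Pull one attribute (e.g. 'organizationName') out of the issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return ""


def classify_peer_cert(cert):
    """Classify a dict in the format returned by ssl.SSLSocket.getpeercert()."""
    org = issuer_field(cert, "organizationName")
    # cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form as UTC.
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    not_before = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return distrust_phase(org, not_before)


def classify_host(host, port=443):
    """Connect to a live server and classify the leaf certificate it presents.

    Not exercised offline; provided for real-world use of the same logic.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_peer_cert(tls.getpeercert())


# Constructed sample certificates in getpeercert() layout (not real certificates).
SAMPLE_CERTS = {
    # A 3-year RapidSSL certificate issued in 2015: hit by the Chrome 66 distrust.
    "rapidssl_2015": {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "GeoTrust Inc."),),
                   (("commonName", "RapidSSL SHA256 CA"),)),
        "notBefore": "Mar  3 00:00:00 2015 GMT",
        "notAfter": "Mar  2 23:59:59 2018 GMT",
    },
    # Issued exactly at the cut-off: not "before June 1, 2016", so Chrome 70.
    "symantec_cutoff": {
        "subject": ((("commonName", "shop.example.net"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
        "notBefore": "Jun  1 00:00:00 2016 GMT",
        "notAfter": "Jun  1 23:59:59 2018 GMT",
    },
    # A 2017 Thawte certificate: survives Chrome 66, distrusted in Chrome 70.
    "thawte_2017": {
        "subject": ((("commonName", "mail.example.org"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "thawte, Inc."),),
                   (("commonName", "thawte SSL CA - G2"),)),
        "notBefore": "Jan 10 00:00:00 2017 GMT",
        "notAfter": "Jan  9 23:59:59 2019 GMT",
    },
    # A certificate from an unrelated CA: unaffected by either phase.
    "other_ca_2015": {
        "subject": ((("commonName", "blog.example.com"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Issuing CA 1"),)),
        "notBefore": "Feb  1 00:00:00 2015 GMT",
        "notAfter": "Feb  1 23:59:59 2018 GMT",
    },
}


def classify_samples():
    """Classify every constructed sample; returns {name: phase}."""
    return {name: classify_peer_cert(cert) for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, phase in classify_samples().items():
        print(f"{name}: {phase or 'unaffected'}")
```

The output for a live host comes from `classify_host("www.example.com")`; because only the leaf is inspected, a result of `None` means the direct issuer did not match a Symantec brand name, which should be confirmed by checking the full chain's root before concluding the site is unaffected.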

Google has requested that Symantec overhaul its entire Public Key Infrastructure. The word infrastructure can be distracting, so think of a PKI as an ecosystem of interrelated parts that handle functions such as validation, authentication and revocation. A healthy PKI produces trusted digital certificates that are recognized by all the browsers. When the browsers lose trust in the PKI itself, in the processes that form the foundation of a CA’s SSL ecosystem, it becomes difficult to trust any of the certificates it produces.

This was Google’s gripe with Symantec. While Symantec disputes the number of mis-issued certificates (30,000+ vs. ~30) and argues that they were test certificates and that no real-world harm was done, Google and the other browser vendors hold the position that enough impropriety has occurred to cast doubt on the reliability of Symantec’s PKI.

Symantec’s posturing throughout this episode has done little to curry good will, either.

Google did provide Symantec with a workaround (a more cynical reading would hold that Google is handing Socrates the hemlock): Symantec can pass validation and issuance duties to a managed CA while it rebuilds its own PKI. Unfortunately, Symantec only has until December 1st to find one, and very few CAs can scale to what Symantec’s customer base is going to need.

Still, it could be a lot worse for Symantec, which has at least been able to save its Extended Validation products. An earlier draft of the plan by Google’s Ryan Sleevi would have stripped the EV indicator from all Symantec CA Brand (Symantec, GeoTrust & Thawte) EV SSL certificates.

Of course, the real losers in this will be Symantec’s customers, who, through no fault of their own, now face an ultimatum: replace their SSL certificates or have their sites blocked by browser warnings that effectively bar entry.

The second loser will be Symantec’s market share, which seems set to dip following this announcement.

Originally posted on Tue Aug 1, 2017