Google is displeased with the fact that Symantec has failed to ensure that its partners don’t improperly issue digital certificates, which is why the tech giant has announced its intent to gradually stop trusting all of the company’s existing certificates in Chrome.
Symantec, and particularly some of its subsidiaries and WebTrust audited partners, have been caught by Google and others wrongly issuing certificates. In 2015, Google told Symantec to step up its game after a subsidiary certificate authority (CA) issued unauthorized google.com certificates.
More recently, Symantec’s GeoTrust and Thawte were found to have wrongly issued more than 100 certificates, including for domains such as test.com and example.com.
According to Google software engineer Ryan Sleevi, an investigation revealed that Symantec’s partners misissued at least 30,000 certificates in the past years. These certificates were issued by four organizations: CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A.
Symantec has authorized these companies to perform validation for certificate information, but failed to properly audit them, and according to the Baseline Requirements, the cybersecurity giant is liable for any issues. Another problem is that there is no way to distinguish certificates validated by Symantec from certificates validated by the company’s partners, Sleevi said.
“Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned,” Sleevi explained. “The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”