Google And Symantec Feud Over Net Security
Google has threatened to downgrade Chrome’s trust in security certificates vetted by internet security giant Symantec.
As originally reported by TechCrunch, the two companies have been engaged in a slinging match this week that could have wide-ranging repercussions for customers of both parties.
Google engineer Ryan Sleevi says that “since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years.”
“This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years,” he says.
In an effort to “restore confidence and security of our users”, Sleevi proposes a reduction in the validity of newly issued Symantec certificates and “an incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.”
Symantec have called Sleevi’s blog post “irresponsible”, saying “at Symantec, we are proud to be one of the world’s leading certificate authorities. We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.”
They argue that “while all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.”