Plan to distrust Symantec website certificates released, which is no longer its concern
- Google's Chrome team this week released its formal plan to distrust Symantec's website security and certificate products, the company said. Over the past several years, the Chrome team had lost confidence in Symantec's infrastructure because of a pattern of concerns around how the company issued security certificates.
- In investigations which began earlier this year, the Chrome team found numerous Symantec-issued certificates did not comply with baseline industry-developed standards. The security company had tapped several organizations to issue certificates but they lacked oversight, which resulted in "security deficiencies," according to Google.
- Beginning with Chrome 66, which will debut to Chrome Beta users in March 2018, Chrome will remove trust for Symantec certificates issued prior to June 1, 2016, according to the plan. By December 1, once Symantec transitions its certificate business over to DigiCert infrastructure, certificates issued from older Symantec infrastructure will not be trusted. Symantec could not be reached for comment prior to publication.
Google officially downgraded trust in Symantec certificates in March, which the security company called "exaggerated and misleading." The move negatively impacted the security firm's reputation during a time when it was trying to regain traction in the market. Large, legacy security firms have had to navigate a changing security landscape, while competing against emerging vendors that can target the market in more agile ways.
But the website certificate business is no longer Symantec's concern. In August, the company reached an agreement with DigiCert to sell its website security and PKI solutions business for $950 million.
So while Google has a formal plan in place, which would permit the security firm ample time to modernize its infrastructure and meet industry standards, web certificates are no longer Symantec's concern. Instead, DigiCert's new "managed partner infrastructure" will be able to issue trusted certificates, according to the announcement.
Companies are placing more emphasis on end-to-end, ensuring everything from websites to back-end infrastructure is locked down. When an organization like Google downgrades trust in an organization's product, it is sure to cause ripple effects across product lines and impact a firm's reputation long term.
Google has pushed for more companies to move toward HTTPS protocol, displaying an icon in Chrome when a site cannot be trusted. HTTP can leave websites vulnerable to eavesdropping and content manipulation, vulnerabilities eliminated with the transition over to the more secure HTTPS.
As of March, more than half of all websites support HTTPS, but leading vendors are pushing for more websites to make the transition. To do that, customers have to ensure security certificates issued by vendors are trushworthy.
Follow Naomi Eide on Twitter