Last year, the developers behind Google’s Chrome browser began taking steps designed to protect users and encourage companies to use HTTPS.
But now, potentially millions of websites that use SSL certificates issued by Symantec and affiliated resellers could find that their certificates are effectively worthless as far as Chrome is concerned, after a member of the Chrome team published a proposal that would make them untrusted over the next 12 months.
The reason? According to the Google Chrome team, Symantec has not properly validated thousands of certificates. In fact, the Chrome team claims that “an initial set of reportedly 127 [misissued] certificates has expanded to include at least 30,000 [misissued] certificates, issued over a period spanning several years.”
Ryan Sleevi, the Chrome team member who wrote the announcement, elaborated,
“This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
Under the proposal he put forth, the accepted validity period of newly issued Symantec certificates would be reduced to nine months or less, currently trusted certificates would be subject to an “incremental distrust,” and recognition of Extended Validation status for Symantec-issued certificates would be removed.
A nightmare scenario?
Symantec is currently the largest Certificate Authority (CA) and, by some estimates, has issued a third of the SSL certificates in use on the web.
So if the Google Chrome team moves forward with its proposal, it will have a huge impact on Symantec and its customers. Symantec would have to reissue potentially millions of certificates, creating a huge headache for customers, who would have to go through the validation process and install replacement certificates.
What’s more, under the Chrome team’s proposal, Chrome would immediately remove the status indicators for Extended Validation certificates issued by Symantec.
These certificates, which require companies to provide greater verification that they are who they say they are, are often used by companies running websites that absolutely need to use HTTPS, such as those that handle payments and financial transactions.
Extended Validation certificates are more costly, and one of the justifications for the greater cost is the fact that most browsers display indicators for websites that use them. If those indicators go away, it could theoretically harm companies that have relied on these indicators to signal trust to their users.
Not surprisingly, given the gravity of the situation, Symantec is disputing the Chrome team’s claims about certificate misissuances. In a response, it called the Chrome team’s proposal “irresponsible” and said the allegations leveled at it are “exaggerated and misleading.”
Symantec is open to working with the Google Chrome team, and while it’s reasonable to hope that both parties will identify a satisfactory resolution that averts disruption, companies with certificates issued by Symantec will want to monitor the situation as it develops.
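A practical first step for such a company is to inventory its certificates and flag the ones the proposal would touch: those whose issuer is Symantec and whose validity period exceeds the nine-month cap described above. The following Go program is an added example, not code from the article or from Google or Symantec; the nine-month constant, the `AssessCert` and `MakeSampleCert` functions and the self-signed sample certificate are all constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Nine months (taken as 9 x 30 days): the proposal's cap for new Symantec certs.
const MaxValidity = 9 * 30 * 24 * time.Hour

type Finding struct {
	SymantecIssued bool // issuer organisation names Symantec (name heuristic only)
	ExceedsCap     bool // validity period longer than MaxValidity
	ValidityDays   int
}

// AssessCert runs both checks. The issuer-name match is only a heuristic: a
// reseller certificate may name another issuer yet still chain to a Symantec root.
func AssessCert(cert *x509.Certificate) Finding {
	issuer := strings.ToLower(strings.Join(cert.Issuer.Organization, " "))
	validity := cert.NotAfter.Sub(cert.NotBefore)
	return Finding{
		SymantecIssued: strings.Contains(issuer, "symantec"),
		ExceedsCap:     validity > MaxValidity,
		ValidityDays:   int(validity.Hours() / 24),
	}
}

// MakeSampleCert builds a constructed self-signed certificate (issuer == subject).
func MakeSampleCert(org string, validFor time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    now,
		NotAfter:     now.Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

For a real inventory, parse each deployed leaf certificate with `x509.ParseCertificate` and, because resellers may use their own issuer names, verify the chain back to its root rather than relying on the name match alone.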