Google Slams Symantec for Failures in SSL/TLS Certificate Process

  /     /     /  
Publicated : 22/11/2024   Category : security

Google Slams Symantec for Failures in SSL/TLS Certificate Process


Google Chrome engineers railed on Symantec for allegedly issuing thousands of security certificates that had not been properly validated.


Google Chrome engineers this week called out Symantec for failing to properly validate SSL/TLS digital certificates it has issued.
In a scathing 
blog post
, Google Chrome engineers said that since Jan. 19 they have been investigating a series of failures by Symantec Corporation to properly validate certificates and that Googles investigation into 127 Symantec-issued certificates ballooned into at least 30,000.
Symantec fired back in a 
statement
, saying Googles statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading.
According to Google Chromes Root Certificate Policy, root certificate authorities are expected to ensure that server certificates receive domain control validation, frequently audit logs to monitor for any evidence of unauthorized certificate issuance, and guard their infrastructure against the issuance of fraudulent certificates.
On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users, Google said in its post.
Google plans to reduce the validity period of a newly released Symantec-issued certificate to nine months or less, and called for Symantec to gradually revalidate and replace its currently trusted certificates on various Chrome releases. In addition, Google said it intends to remove the recognized Extended Validation status for at least one year on Symantec-issued digital certificates.
These changes will result in compatibility issues, Google warned, which will likely cause problems for users and website operators. Site operators will be forced to use certificates from other companies that have authority to issue certificates and users, as a result, will face a substantial number of errors until operators make the switch to other certificate authorities.  
 

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Google Slams Symantec for Failures in SSL/TLS Certificate Process