Google are aiming to boost the confidence of Chrome users with engineers announcing plans to reduce trust in Symantec certificates. This gradual shift is set to reach a point in early 2018 when Chrome 64 will only trust certificates that are issued from Symantec for 279 days or less.
The scale of the misissuance by Symantec has exploded from an initial 127 certificates under scrutiny, to a figure noted as at least 30,000.
The punishing results of these failures include a reduction in the accepted validity period to nine months or less, an incremental distrust, and a removal of the ‘Extended Validation’ status on Symantec issued certificates.
In a Google post, Ryan Sleevi said: “Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status.”
The gradual distrust will mean that eventually all questionable, existing Symantec certificates are replaced by fully revalidated certificates, this will be the goal of reducing the lifespan of a certificate.
Kevin Bocek, Chief Cybersecurity Strategist for Venafi said: “Issues emerging about the trust and validity of Symantec certificates is just one more example of how fragile the system of trust and privacy for Internet is and the reality is that most organizations are not prepared to respond effectively to them.”
Mr. Bocek also outlined his viewpoint on what is required to manage this problem:
“Speed and agility in protecting machines identities – being able to issue, replace, and recover from security incident involving keys and certificates, including CA compromise, is required now more than ever. This is an alarm that can no longer be ignored.”