View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Symantec dealt major blow as Google loses trust in security certificates

Google and Symantec are going through a rough patch.

By Tom Ball

Google are aiming to boost the confidence of Chrome users with engineers announcing plans to reduce trust in Symantec certificates. This gradual shift is set to reach a point in early 2018 when Chrome 64 will only trust certificates that are issued from Symantec for 279 days or less.

The scale of the misissuance by Symantec has exploded from an initial 127 certificates under scrutiny, to a figure noted as at least 30,000.

The punishing results of these failures include a reduction in the accepted validity period to nine months or less, an incremental distrust, and a removal of the ‘Extended Validation’ status on Symantec issued certificates.

In a Google post, Ryan Sleevi said: “Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status.”

SymantecThe gradual distrust will mean that eventually all questionable, existing Symantec certificates are replaced by fully revalidated certificates, this will be the goal of reducing the lifespan of a certificate.

Kevin Bocek, Chief Cybersecurity Strategist for Venafi said: “Issues emerging about the trust and validity of Symantec certificates is just one more example of how fragile the system of trust and privacy for Internet is and the reality is that most organizations are not prepared to respond effectively to them.”

         READ MORE: AT&T, IBM, Nokia, Symantec launch IoT Cybersecurity Alliance

Mr. Bocek also outlined his viewpoint on what is required to manage this problem:

Content from our partners
How designers are leveraging tech to apply the brakes to fast fashion
Why the tech sector must embrace faster, smarter talent recruitment
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate

“Speed and agility in protecting machines identities – being able to issue, replace, and recover from security incident involving keys and certificates, including CA compromise, is required now more than ever. This is an alarm that can no longer be ignored.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU