Google has announced a plan to punish Symantec by gradually distrusting its SSL certificates. The move comes after Google says it caught Symantec issuing more than 30,000 “improper” Extended Validation (EV) certificates. Symantec issues more than 30% of the web’s certificates.
The plan was announced in this blog post from Ryan Sleeve Google software engineer on the Google Chrome team.
Extended Validation certificates are intended to give the highest level of authentication. Before issuing a certificate, the Certificate Authority must conduct a detailed investigation confirming the requesting entity’s legal existence and identity.
The punishment takes the following steps, starting with a downgrade of Symantec-issued EV certificates:
1. EV certificates issued by Symantec till today will be downgraded to less-secure domain-validated certs, which means Chrome browser will immediately stop displaying the name of the validated domain name holder in the address bar for a period of at least a year.
2. To limit the risk of any further misissuance, all newly-issued certificates must have validity periods of no greater than nine months (effective from Chrome 61 release) to be trusted in Google Chrome.
3. Google proposes an incremental distrust, by gradually reducing the “maximum age” of Symantec certificates over the course of several Chrome releases, requiring them to be reissued and revalidated.
This could mean that many users will will get warnings from Chrome that sites are insecure and may block access. Should sites with Symantec EV certs be concerned about the changes?
A Symantec statement says don’t worry: “Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time.”