30,000 or 127 - Does it matter?

 

Last week Google announced it was now distrusting some TLS certificates issued by Symantec citing the validity of at least 30,000 certificates issued by Symantec partners over several years.

Whilst there has been no comment from Microsoft, Mozilla has indicated it is considering repercussions. Some online commentators applauded the Google Chrome team for doing the right thing in publicising their findings, on the basis that Symantec’s practices could cause a breakdown of trust in the CA framework, if not fixed.

Symantec have responded and admitted the company had mis-issued 127 certificates, but the figure of 30,000 was not true and misleading. No harm had been done.

Google has outlined three possible options to address the issue they perceive exists

  • A reduction in the accepted validity period of newly issued Symantec certificates to nine months or less, in order to minimize any possible future impact to Google Chrome users.
  • Removal of the Extended Validation (EV) status from Symantec issued certificates - 1 year minimum, until “the community” are satisfied Symantec have addressed the shortcomings in their practices and procedures.
  • Trusted Symantec certificates in use be revalidated and replaced to address an incremental distrust across a series of Google Chrome releases.  

Minor inconvenience or should a Symantec customer be concerned?

If a Symantec certificate is older than the validity period listed then Chrome will stop trusting it. The current recommendation is that you renew the certificate.

Extended Validation (EV) means the browser can confidently show the owner of a HTTPS-secured website next to the green padlock in the address bar. So websites that have paid for EV type Symantec Certificates won't be able to show this feature in Chrome. The current recommendation is that you renew the certificate.

These two outcomes are not catastrophic but certainly inconvenient. More serious is the fact that an erosion of confidence in the practises of a major provider of certificates taints the SSL/TLS certificate business and Certificate Authorities, regardless of the numbers involved.  This occurs at a time when the industry is pushing SSL/TLS certificate installations to ensure we enjoy safe encrypted Web sessions for site visits and site administration.

To obtain a copy of the Entrust e-Guide – SSL Best Practices contact Sameer.shaikh@mpa.co.nz