Google has announced that it is downgrading the level of trust that it has in Symantec certificates following an investigation that revealed ‘a continually increasing scope of misissuance’ by Symantec which has exposed users to significant dangers. Up to 30,000 certificates have been found to be problematic since the investigation began.
As a result, by early 2018, Chrome 64 will only trust Symantec certificates that have been issued for 279 days or less. Plus, Google has also proposed removing Symantec’s Extended Validation status for at least one year, meaning that all existing valid certificates issued by Symantec would need to be reissued. Kevin Bocek, Chief Cybersecurity Strategist at Venafi commented below.
Kevin Bocek, Chief Cybersecurity Strategist at Venafi:
This news also highlights how critical it is for businesses to be able to replace machine identities – keys and certificates used for SSL/TLS – quickly. Even small businesses can change passwords for all employees in minutes, but the largest global businesses with very sophisticated IT operations struggle to respond to an external event like this.
Google is the half-ton gorilla on this issue. It is likely to require the world’s largest banks, retailers, insurers and cloud providers to replace the identifies of these questionable Symantec certificates because they turn on padlocks that let users know their transactions are secure.
Solving this problem will be a massive challenge for businesses and governments. We know this because recent similar events illustrate how difficult most organisations find this process. The US federal government was given 18 months to install certificates on all web servers and failed. One year after Heartbleed, over half of ‘global 2000’ businesses still couldn’t fully remediate Heartbleed by changing out keys.
Speed and agility in protecting machine identities – being able to issue, replace, and recover from security incident involving keys and certificates, including CA compromise, is required now more than ever. This is an alarm that can no longer be ignored.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.