Symantec and other brands it controls, including GeoTrust, VeriSign, and Thawte, account for more than 30 percent, by volume, of the valid certificates currently used on the internet. Google doesn’t trust any of Symantec’s certificates at this point, but it can’t reject them all at once. Existing certificates will be fine for now, but Chrome won’t load sites with year-long or multiyear certificates that are issued after this week by Symantec. Going forward, Chrome will not accept any newly issued certificates from Symantec and its affiliates that have a validity period longer than nine months. For financial institutions that rely on the address bar to show customers their transactions are safe, this change will force them to consider the validity of continuing to use Symantec certificates. Once this change goes into effect, their names will no longer show up in the address bar.

Google is effectively downgrading the higher-class certificates issued by Symantec, for a period of at least a year.

A spot check of three major banks showed they all use Symantec EV certificates. Since Google doesn’t trust Symantec’s procedures anymore, Chrome will recognize that the site has a certificate, but won’t treat it as EV.

From the user’s standpoint, that means the name of the domain owner will not appear in green next to the padlock in the browser address bar. EV certificates are supposed to convey the highest assurance of a site’s authenticity because the certificate holder had to undergo a stringent verification process in order to receive a certificate of that level. The latest incident, an investigation into 127 mis-issued certificates, ballooned into “at least 30,000, issued over a period spanning several years,” Ravi Sleevi, a software engineer on the Google Chrome team, wrote on the Blink online forum. As a result, the Chrome developers “no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”

Effective immediately, Chrome will stop recognizing Symantec’s Extended Validation certificates. In the past 18 months, Google has tangled repeatedly with Symantec over the way it issues transport layer security (TLS) certificates, with Symantec promising to do better. Google’s Chrome development team is fed up with Symantec as a certificate authority and has announced plans to no longer trust current Symantec certificates. Security teams, network administrators, and operations teams have busy days ahead.