Google Bans Symantec Root Certificates
An anonymous reader writes: After Google discovered in September SSL certificates issued in its name by Symantec, and then in October discovered over 2,500 more certificates issued for non-existent domains, also by Symantec, Google has now decided to ban Symantec's dodgy certificates from Android and Chrome. "Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products." Apparently Symantec hasn't been very careful about where and to whom it issues SSL certificates from a particular root branch.
From TFA:
As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate.
Later in TFA:
Symantec has indicated that they do not believe their customers, who are the operators of secure websites, will be affected by this removal.
Symantec is retiring the certificate, and has asked for it to be removed from Google (and probably other) products. End of story. Nobody should be affected.
99% of the infrastructure of the internet is written in C/C++: every OS, most of the web servers, all of the DNS infrastructure, most mail MTAs, most routers. It would be infeasible to perform a complete rewrite.