Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Bans Symantec Root Certificates

Posted by timothy on from the more-than-a-slap-on-the-wrist dept.

An anonymous reader writes: After in September Google discovered SSL certificates issued in its name by Symantec, and after in October the company discovered over 2,500 more certificates issued for non-existent domains, also by Symantec, Google has now decided to ban Symantec's dodgy certificates from Android and Chrome. "Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products." Apparently Symantec hasn't been very careful of where and to whom it issues SSL certificates from a particular root branch.

3 of 84 comments (clear)

  1. egregious misrepresentation by Anonymous Coward · · Score: 5, Interesting

    I would say that Symantec issuing Certs with Google's name on them would qualify as egregious misrepresentation, on the behalf of Symantec, and be grounds to suing symmantec into oblivion by Google.

    Really, perhaps that's a better response for Google.

    It could even fall under the context of identity theft and grounds for criminal charges to be filed; another good response and not exclusive of a civil lawsuit based from Google.

  2. Re:Totally over-stated summary by jbmartin6 · · Score: 4, Interesting

    It didn't sound like they are retiring it, they just wouldn't say what they were doing with it and requested the removal. Which I guess is sort of like a retirement, but implies they will continue to use it for some unstated purpose. Almost as if some agency were forcing them to misuse it and they are skirting some legal requirement by asking others to stop trusting it. But that is 100% speculation on my part.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  3. Re:thats racist!!! by TechyImmigrant · · Score: 5, Interesting

    The summary tried as hard as possible to imply that this was some acrimonious thing, but it is not.

    Symantec asked Google to distrust a specific CA root, end of story. Nobody affected in any way, except maybe people who do not install updates.

    Having spoken with some of the people involved, it certainly was an acrimonious thing.

    You would be pissed too if a big CA was signing forged certs of your web site's identity to someone else.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.