Slashdot Mirror


Google Bans Symantec Root Certificates

An anonymous reader writes: After Google discovered in September SSL certificates issued in its name by Symantec, and after the company discovered in October over 2,500 more certificates issued for non-existent domains, also by Symantec, Google has now decided to ban Symantec's dodgy certificates from Android and Chrome. "Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products." Apparently Symantec hasn't been very careful about where and to whom it issues SSL certificates from a particular root branch.

7 of 84 comments

  1. Totally over-stated summary by ttucker · Score: 4, Informative

    From TFA:

    As Symantec is unwilling to specify the new purposes for these certificates, and as they are aware of the risk to Google’s users, they have requested that Google take preventative action by removing and distrusting this root certificate.

    Later in TFA:

    Symantec has indicated that they do not believe their customers, who are the operators of secure websites, will be affected by this removal.

    Symantec is retiring the certificate, and has asked for it to be removed from Google (and probably other) products. End of story. Nobody should be affected.

    1. Re:Totally over-stated summary by jbmartin6 · Score: 4, Interesting

      It didn't sound like they are retiring it, they just wouldn't say what they were doing with it and requested the removal. Which I guess is sort of like a retirement, but implies they will continue to use it for some unstated purpose. Almost as if some agency were forcing them to misuse it and they are skirting some legal requirement by asking others to stop trusting it. But that is 100% speculation on my part.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    2. Re: Totally over-stated summary by Anonymous Coward · Score: 4, Informative

      It is a really lousy summary. This is the G1 class 3 root CA VeriSign issued in 1996! If I remember correctly, it's a 1024-bit RSA root, and it hasn't been used in production in 5+ years. Removing it permanently from being trusted will doubtless break a few ancient systems that haven't been updated in forever, but it's the right thing to do. Not a sign of anything more than obsolescence.
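
The weak-key and distrust checks behind the previous comment are ones a site operator can run against their own trust store. The following is an added example, not code from this thread or from any Google or Symantec tooling: it walks a DER certificate with a minimal ASN.1 reader, reports the RSA modulus size against the 2048-bit minimum the Baseline Requirements set for RSA keys, and compares the SHA-256 fingerprint with an operator-maintained distrust set. The names RSA_OID, MIN_RSA_BITS, assess_root and sample_rsa_cert are mine, and the sample certificate is constructed, structurally minimal and not a real root.

```python
import hashlib

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
MIN_RSA_BITS = 2048                              # Baseline Requirements floor for RSA keys

def _tlv_at(buf, pos):
    """Decode one DER element at pos; returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):  # child elements of a constructed DER value as (tag, contents)
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv_at(body, pos)
        out.append((tag, val))
    return out

def rsa_modulus_bits(cert_der):
    """RSA modulus size read from the certificate's SubjectPublicKeyInfo."""
    tbs = _children(_children(_tlv_at(cert_der, 0)[1])[0][1])
    spki = _children(tbs[6 if tbs[0][0] == 0xA0 else 5][1])  # [0] version is optional
    if _children(spki[0][1])[0][1] != RSA_OID:
        raise ValueError("not an RSA public key")
    rsa_key = _children(spki[1][1][1:])[0][1]    # BIT STRING: skip unused-bits octet
    return int.from_bytes(_children(rsa_key)[0][1], "big").bit_length()

def assess_root(cert_der, distrusted_sha256):
    """Flag a root that is on the operator's distrust list or below the key-size floor."""
    fp, bits = hashlib.sha256(cert_der).hexdigest(), rsa_modulus_bits(cert_der)
    return {"sha256": fp, "rsa_bits": bits, "weak_key": bits < MIN_RSA_BITS,
            "distrusted": fp in distrusted_sha256}

def _der(tag, body):  # DER-encode one element (only used to build the sample certificate)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_rsa_cert(bits):
    """Constructed, structurally minimal certificate with an RSA key of the given size; not a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00") + _der(0x03, b"\x00" + key))
    empty = _der(0x30, b"")                       # signature alg, issuer, validity, subject left empty
    tbs = _der(0x30, _der(0x02, b"\x01") + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))
```

Calling assess_root(sample_rsa_cert(1024), set()) reports rsa_bits 1024 and weak_key True; a real root is fed in as its DER bytes and its fingerprint can be added to the distrust set.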

  2. Re:We need SSL/TLS infrastructure written in Rust. by binarylarry · Score: 5, Funny

    Yep, we really need to rewrite our entire infrastructure in your favorite language platform flavor of the month.

    Just to be secure. Think of the children.

    --
    Mod me down, my New Earth Global Warmingist friends!
  3. Re:We need SSL/TLS infrastructure written in Rust. by tshawkins · Score: 3, Informative

    99% of the infrastructure of the internet is written in C/C++: every OS, most of the web servers, all of the DNS infrastructure, most mail MTAs, most routers. It would be infeasible to perform a complete rewrite.

  4. egregious misrepresentation by Anonymous Coward · Score: 5, Interesting

    I would say that Symantec issuing certs with Google's name on them would qualify as egregious misrepresentation on the part of Symantec, and be grounds for Google suing Symantec into oblivion.

    Really, perhaps that's a better response for Google.

    It could even fall under the context of identity theft and be grounds for criminal charges to be filed; another good response, and not exclusive of a civil lawsuit from Google.

  5. Re:that's racist!!! by TechyImmigrant · Score: 5, Interesting

    The summary tried as hard as possible to imply that this was some acrimonious thing, but it is not.

    Symantec asked Google to distrust a specific CA root, end of story. Nobody affected in any way, except maybe people who do not install updates.

    Having spoken with some of the people involved, it certainly was an acrimonious thing.

    You would be pissed too if a big CA was signing forged certs of your web site's identity to someone else.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.