Google Bans Symantec Root Certificates

An anonymous reader writes: After in September Google discovered SSL certificates issued in its name by Symantec, and after in October the company discovered over 2,500 more certificates issued for non-existent domains, also by Symantec, Google has now decided to ban Symantec's dodgy certificates from Android and Chrome. "Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products." Apparently Symantec hasn't been very careful of where and to whom it issues SSL certificates from a particular root branch.

Re:We need SSL/TLS infrastructure written in Rust.

[binarylarry]

Yep, we really need to rewrite our entire infrastructure in your favorite language platform flavor of the month.

Just to be secure. Think of the children.

egregious misrepresentation

I would say that Symantec issuing Certs with Google's name on them would qualify as egregious misrepresentation, on the behalf of Symantec, and be grounds to suing symmantec into oblivion by Google.

Really, perhaps that's a better response for Google.

It could even fall under the context of identity theft and grounds for criminal charges to be filed; another good response and not exclusive of a civil lawsuit based from Google.

Re:thats racist!!!

[TechyImmigrant]

The summary tried as hard as possible to imply that this was some acrimonious thing, but it is not.

Symantec asked Google to distrust a specific CA root, end of story. Nobody affected in any way, except maybe people who do not install updates.

Having spoken with some of the people involved, it certainly was an acrimonious thing.

You would be pissed too if a big CA was signing forged certs of your web site's identity to someone else.