Symantec deserves a certificate for shouting about Google
Google’s Chrome browser is going to stop accepting security certificates from Symantec. This is a big deal: for a browser to recognize a site as secure, it has to accept that site’s certificate, and more than 30% of all sites use Symantec certificates. Google announced this in a direct but technical way, then Symantec responded with exaggerated whining and chest-beating.
Because the technical communication here is pretty hard for a non-geek to fully comprehend, here’s an explanation from Ars Technica:
Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities [or CAs], Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site’s authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.
More gradually, Google plans to update Chrome to effectively nullify all currently valid certificates issued by Symantec-owned CAs.
A Google engineer announced its decision in a technical channel
Let’s take a look at the actual communication from the companies involved. Google has a blog for Chrome, but there’s no announcement there. The news became public in a post by Ryan Sleevi, a Google staff software engineer, on a Google developer forum. Here’s the relevant part (passive voice highlighted):
Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years. To restore confidence and security of our users, we propose the following steps:
- A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
- An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
- Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.
As captured in Chrome’s Root Certificate Policy, root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, auditing logs frequently for evidence of unauthorized issuance, and protecting their infrastructure in order to minimize the ability for the issuance of fraudulent certs.
On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.
These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.
The full disclosure of these issues has taken more than a month. Symantec has failed to provide timely updates to the community regarding these issues. Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned. The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.
As you might expect from an engineer describing a technical problem, this uses plenty of jargon. Passive voice is also typical of technical communications from engineers, because they describe things that have to happen without identifying who or what is doing them. Despite these flaws, this communication is remarkable for its directness, given that it involves a dispute between large companies. Sleevi describes Symantec’s actions as “failures . . . to properly validate certificates” and accuses Symantec directly of issuing certificates without proper security. He also cites a number — 30,000 certificates. There are more facts than weasel words (you could argue that “properly” and “timely” are weasel words, but Sleevi provides definitions to clarify).
The general message is, as it should be, “We have rules about security and Symantec has not followed them, so we will be incrementally reducing our trust in their certificates.”
Symantec’s response sounds aggrieved and weaselly
Symantec fights facts with emotion. Here’s the response on its blog, with weasel words highlighted:
Symantec Backs Its CA
Created 24 Mar 2017
At Symantec, we are proud to be one of the world’s leading certificate authorities. We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.
Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.
While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.
We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet. Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers. Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA. Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.
We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates. Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post.
We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners.
This is far less convincing, and it’s the weasel words that are at fault. Symantec objects “strongly,” has taken “extensive” remediation measures, and maintains “extensive” controls so it can “strengthen” practices — and it will “vigorously” defend the Internet. These words are meaningless, and taken together, make this read as an emotional response to a technical problem.
It doesn’t help that they’ve thrown in “other people do it, too” and “we do encryption, not just security,” which are not germane to the main question of whether it’s prudent to trust Symantec certificates.
It’s possible to explain difficult technical and security issues without resorting to jargon and weasel words — take a look at Tim Cook’s masterful crisis communication, for example. Explain clearly, stick to the facts, and avoid emotional statements. I’m in no position to determine who’s right in this debate, but when it comes to communication, Symantec is getting it wrong.