Google's team has been investigating a series of failures by Symantec Corporation to properly validate certificates. After investigating, Google found that Symantec had improperly issued 30,000 Extended Validation (EV) certificates over the past few years.
Google will limit the accepted validity period of newly issued Symantec certificates to nine months or less, to minimize any impact on Chrome users from misuse. It also stated that Symantec Corporation should revalidate and replace its issued certificates.
The Google Chrome team has been investigating since January 19 and found that certificate issuance over the past several years was not done properly, which could cause an integrity failure of the TLS system used to authenticate and transmit secure data over the Internet.
Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum.
“This is also coupled with a series of failures following the previous set of mis-issued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
Starting with Chrome 64, which will be launched in early 2018, the Google Chrome browser will only trust Symantec certificates issued for nine months (279 days) or less.
The proposed schedule is as follows:
Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
Chrome 63 (Dev, Beta): 9 months validity (279 days)
Chrome 63 (Stable): 15 months validity (465 days)
Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)
Google believes that, combined, these steps will bring the level of assurance in Symantec-issued certificates up to what Google Chrome expects and will minimize the risks from future misuse.
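The schedule above can be turned into an inventory check that reports the first Chrome release at which a certificate would exceed the proposed cap. This is an added example, not code from Google or Symantec; it assumes validity is measured as notAfter minus notBefore and that every listed certificate is subject to the schedule, and the hostnames and dates are constructed.

```python
from datetime import datetime, timedelta

# Caps copied from the proposed schedule above (maximum validity in days).
CAPS = {59: 1023, 60: 837, 61: 651, 62: 465, 64: 279}
CHANNELS = ("dev", "beta", "stable")


def max_validity_days(version, channel):
    """Cap for a Chrome release, or None for releases before the schedule starts."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel}")
    if version < 59:
        return None
    if version == 63:
        # Chrome 63 is split: Dev/Beta drop to 279 days, Stable stays at 465.
        return 465 if channel == "stable" else 279
    return CAPS[min(version, 64)]  # the 279-day cap starts with Chrome 64


def first_rejecting_release(not_before, not_after, channel="stable"):
    """First scheduled Chrome version whose cap the certificate exceeds, else None.

    Assumption: validity is measured as notAfter - notBefore.
    """
    lifetime = not_after - not_before
    for version in range(59, 65):
        if lifetime > timedelta(days=max_validity_days(version, channel)):
            return version
    return None


# Constructed inventory (hypothetical hostnames and dates, not real certificates).
ISSUED = datetime(2017, 6, 1)
INVENTORY = {
    "shop.example": (ISSUED, ISSUED + timedelta(days=1095)),
    "api.example": (ISSUED, ISSUED + timedelta(days=730)),
    "mail.example": (ISSUED, ISSUED + timedelta(days=365)),
    "vpn.example": (ISSUED, ISSUED + timedelta(days=270)),
}

if __name__ == "__main__":
    for host, (nb, na) in INVENTORY.items():
        for channel in ("beta", "stable"):
            hit = first_rejecting_release(nb, na, channel)
            label = f"Chrome {hit}" if hit else "within all caps"
            print(f"{host:14} {channel:7} {label}")
```

The split Chrome 63 entry matters for one-year certificates: they fail on the Dev and Beta channels one release before they fail on Stable.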
Symantec Response – Google Reports Are Misleading.
The company responded that Google's reports about the issuance of Extended Validation (EV) certificates are misleading and exaggerated.
In its response, Symantec said:
“We are proud to be one of the world’s leading certificate authorities. We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible.”
Symantec also said:
“While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.”
The company also said that it is open to discussing the matter with Google.