THE BIG IDEA: Google says Chrome will no longer trust Symantec certificates


As you have heard us say in our regular #TechTuesday column, cybersecurity should be a top priority. While consumers consider it something of a hassle, corporations are trying to strong-arm their customers into being smarter and safer online.

And that, in this humble blogger’s opinion, is not a bad thing.

Some companies are getting pretty tough about it, and we’re beginning to see the effects of those ground rules. Take Google as an example. In 2012, Google rolled out a program called Certificate Transparency, a system to spot corrupt “Certificate Authorities” and locate entities who hand out cryptographic certificates that really aren’t that good. What does that mean? These certificates (which you might receive a warning about from time to time, depending on where you surf the Internet) are a key part of security on the web. Google’s Certificate Transparency uses an append-only, distributed ledger, similar to the Bitcoin ledger. This unique identification system is only used by Chrome browsers (again, developed by Google), which automatically track the certificates they see. Chrome traces back which authorities issue and support these certificates by collecting all of this data from Chrome users.
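To make the “append-only ledger” idea concrete, here is an added example (written for this column, not code from Google or from the Certificate Transparency project) of the kind of hash-tree log that Certificate Transparency is built on. It follows the Merkle tree construction from RFC 6962: every logged entry becomes a leaf, the whole log is summarized by one root hash, and anyone who holds only that published root can check that a given entry really is in the log, or that the log has not been quietly rewritten. The log entries below are constructed stand-ins for certificates; real logs store actual certificates and sign their roots, which this example leaves out.

```python
import hashlib
from typing import List

# Domain-separated hashing as in RFC 6962: leaves get a 0x00 prefix and
# interior nodes a 0x01 prefix, so a leaf can never be confused with a node.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

class MerkleLog:
    """Append-only log: entries are only ever added at the end, and the
    current root hash commits to every entry appended so far."""

    def __init__(self) -> None:
        self._leaves: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self._leaves.append(leaf_hash(entry))
        return len(self._leaves) - 1          # index of the new entry

    def size(self) -> int:
        return len(self._leaves)

    def root(self) -> bytes:
        return self._tree_hash(self._leaves)

    @staticmethod
    def _tree_hash(leaves: List[bytes]) -> bytes:
        if not leaves:
            return hashlib.sha256(b"").digest()   # root of the empty log
        if len(leaves) == 1:
            return leaves[0]
        k = split_point(len(leaves))
        return node_hash(MerkleLog._tree_hash(leaves[:k]),
                         MerkleLog._tree_hash(leaves[k:]))

    def inclusion_proof(self, index: int) -> List[bytes]:
        """Sibling hashes, leaf to root, proving entry `index` is in the log."""
        if not 0 <= index < len(self._leaves):
            raise IndexError("no such entry")
        return self._path(index, self._leaves)

    @staticmethod
    def _path(m: int, leaves: List[bytes]) -> List[bytes]:
        if len(leaves) == 1:
            return []
        k = split_point(len(leaves))
        if m < k:
            return MerkleLog._path(m, leaves[:k]) + [MerkleLog._tree_hash(leaves[k:])]
        return MerkleLog._path(m - k, leaves[k:]) + [MerkleLog._tree_hash(leaves[:k])]

    @staticmethod
    def verify_inclusion(entry: bytes, index: int, proof: List[bytes],
                         root: bytes, tree_size: int) -> bool:
        """Recompute the root from an entry and its proof (RFC 9162 2.1.3.2).
        Needs only the published root, not the rest of the log."""
        if index >= tree_size:
            return False
        fn, sn = index, tree_size - 1
        r = leaf_hash(entry)
        for p in proof:
            if sn == 0:
                return False
            if fn & 1 or fn == sn:
                r = node_hash(p, r)
                if not fn & 1:
                    while fn != 0 and not fn & 1:
                        fn >>= 1
                        sn >>= 1
            else:
                r = node_hash(r, p)
            fn >>= 1
            sn >>= 1
        return sn == 0 and r == root

# Constructed sample entries standing in for logged certificates.
SAMPLE_ENTRIES = [
    b"CN=shop.example.net, issuer=Example Root CA, serial=0101",
    b"CN=mail.example.net, issuer=Example Root CA, serial=0102",
    b"CN=www.example.org, issuer=Other Root CA, serial=7731",
    b"CN=login.example.com, issuer=Example Root CA, serial=0103",
    b"CN=api.example.com, issuer=Other Root CA, serial=7732",
]

if __name__ == "__main__":
    log = MerkleLog()
    for entry in SAMPLE_ENTRIES:
        log.append(entry)
    published_root = log.root()
    proof = log.inclusion_proof(3)
    print("entry 3 in log:", MerkleLog.verify_inclusion(
        SAMPLE_ENTRIES[3], 3, proof, published_root, log.size()))
    print("forged entry in log:", MerkleLog.verify_inclusion(
        b"CN=login.example.com, issuer=Bogus CA", 3, proof, published_root, log.size()))
```

The point a site operator should take from this: once a certificate has been logged and the root published, it cannot be removed or altered later without every subsequent root failing to verify, which is what lets browsers and researchers go back and ask which authority issued what.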

Now that you get how these certificates work, here’s the downside of what should be a secure system. Certificate Authorities that are sloppy are considered a high security risk, while hackers try to create certificates that can actually carry malicious code in them. Fortunately, these certificates (or certs) can be rapidly identified and, in theory, removed from the list of authorities that browsers trust by default.

Google decided to take the initiative and began its own systematic investigation of Certificate Authorities in China, not having any idea what it would discover. It turns out the first casualty of this analysis was one of the most trusted vendors of security on the Internet: Symantec.

Symantec issues more than 30 percent of all the certificates on the internet, but Google announced that, effective immediately, Symantec-issued certificates will not be treated as having “extended validation” (the highest level of trust a browser can place in a certificate). Google based this judgment on the belief that the issuer conducts a detailed investigation to make sure it isn’t dealing with an impostor before issuing the cert; upon closer inspection, Google’s Certificate Transparency program declared Symantec too untrustworthy to be included in browsers’ default list of trusted parties, on account of unreliable and sloppy code that poses dangers and risks to users everywhere. Google says it caught Symantec issuing more than 30,000 “improper” certificates over the last few years, which is pretty terrifying when you consider Symantec’s reputation as a leader in cybersecurity. From now on, Chrome will gradually reduce its trust in Symantec certs over the coming years.

Because Symantec issues more than 30% of the web’s certs, this is going to be a problem for websites that rely on it as their certificate authority. And, so that we are truly transparent about this: if you go to Symantec to get a certificate, you have to pay for it. Right now, there are online vendors who are less than happy, I can assure you.

Symantec says that it didn’t do anything wrong, so this is becoming something of a major dueling match between Google and Symantec.

As a side note, if you want a free certificate, there is a website operated by a number of groups including the Electronic Frontier Foundation and Mozilla. It is a non-profit called Let’s Encrypt Certificate Authority, and if you want a certificate, you can go get one there for free.

The Big Idea here is to always question, always demand more from those who carry a reputation of being authorities. That way, you know you are truly working with those in the know.

A research physicist who has become an entrepreneur and educational leader, and an expert on competency-based education, critical thinking in the classroom, curriculum development, and education management, Dr. Richard Shurtz is the president and chief executive officer of Stratford University. He has published over 30 technical publications, holds 15 patents, and is host of the weekly radio show, Tech Talk. A noted expert on competency-based education, Dr. Shurtz has conducted numerous workshops and seminars for educators in Jamaica, Egypt, India, and China, and has established academic partnerships in China, India, Sri Lanka, Kurdistan, Malaysia, and Canada.