Google Chrome accused Symantec of granting more than 30,000 digital certificate certificates that did not meet the quality standards

Google recently announced it would not accept all EV certificates issued by Symantec after discovering more than 30,000 invalid EV certificates issued by Symantec in the last few years.

Extended validation EV certificate is a special form of verification by digital certificate authentication (CA) providers. Getting this certificate will increase website reliability for users. Before issuing a certificate, the certificate issuer must fully verify the legal existence of the legal status of any organization or individual in the host country. Each CA has its own standards and verification procedures, but all must ensure it is rigorous and accurate.

Symantec's EV number certificates will no longer be recognized by Chrome browser for at least a year until Symantec fixes its certificate-issuing processes to comply with quality standards.

Google Chrome accused Symantec of granting more than 30,000 digital certificate certificates that did not meet the quality standards Picture 1

The move came into effect immediately after Ryan Sleevi, a software engineer of the Google Chrome group, made the announcement on Thursday in Google's online forum.

Sleevi said: "The fact that Symantec has issued certificates that do not meet the quality standards also entails certain troubles, causing us to completely lose our faith in the policies and practicality of the certificates. granted by Symantec in the last few years ".

Google Chrome accused Symantec of granting more than 30,000 digital certificate certificates that did not meet the quality standards Picture 2

One of the important parts of the SSL system is trust, but if the certificate authentication service providers cannot verify existence and legally identify before granting EV certificates to domain names then it is The trust of those certificates will be greatly reduced.

The Google Chrome team began investigating on January 19 and found that Symantec's standards and verification procedures in recent years have been dishonest, which could be threatening The integrity of the TLS system is used to authenticate and secure data and connect via the Internet.

According to this move, the Google Chrome team has proposed the following decisions as a punishment directed at Symantec:

1. EV certificates issued by Symantec as of today will be downgraded to less secure domain authentication certificates, meaning that the Chrome browser will immediately stop displaying the authenticated domain name. in the address bar for at least a year.

2. To limit the risk of other unreliable certificates, all newly issued certificates must have a validity period of no more than 9 months (effective from Chrome 61 release) if desired. be trusted in Google Chrome.

3. Gradually reduce the validity of Symantec's certificates for recent Chrome versions, specifically:

1. Chrome 59 (Dev, Beta, Stable): valid for 33 months (1023 days)
2. Chrome 60 (Dev, Beta, Stable): valid for 27 months (837 days)
3. Chrome 61 (Dev, Beta, Stable): valid for 21 months (651 days)
4. Chrome 62 (Dev, Beta, Stable): valid for 15 months (465 days)
5. Chrome 63 (Dev, Beta): valid for 9 months (279 days)
6. Chrome 63 (Stable): valid for 15 months (465 days)
7. Chrome 64 (Dev, Beta, Stable): valid for 9 months (279 days)

This means starting with Chrome 64, scheduled for release in early 2018, Chrome browser will only trust Symantec's certificates issued within nine months (279 days) or less.

Google believes that this move will ensure that web developers are aware of dishonesty and under quality standards for certificates issued by Symantec, to avoid future unfortunate situations. .

The war between Symantec became even more intense when the company claimed that Google's allegations were exaggerated and caused misunderstandings.

Google Chrome accused Symantec of granting more than 30,000 digital certificate certificates that did not meet the quality standards Picture 3

Symantec responded to Google's move saying: "We vehemently oppose the action Google has taken to Symantec's SSL / TLS certificate in Chrome browser. This action by Google is really too surprising for them. I, and we believe that blog posts are a irresponsibility of Google ".

"Google has assumed that only the certificates issued by Symantec are not qualified, while Google's discovery involves many other CAs."