Google is warning users that Secure Sockets Layer (SSL) certificates purchased from Symantec, VeriSign, GeoTrust, Thawte, Equifax and RapidSSL are not secure – raising questions for businesses using them.
SSL certificates are small data files that digitally bind a cryptographic key to an organisation’s details. When installed on a Web server, it activates the padlock and the https protocol and allows secure connections from a Web server to a browser.
Browser developers, including Google, have raised questions about the way Symantec issued SSL certificates, and have threatened to stop recognising them, a move that could hurt Symantec’s customers and worry visitors to the Web sites using the affected certificates.
In March, Google accused Symantec of misusing at least 30 000 such certificates, potentially allowing attackers to masquerade as legitimate Web sites.
The Internet giant expects root certificate authorities like Symantec to validate domain ownership before issuing certificates and to secure their operations and infrastructure against signs of improper issuances as well as auditing logs to review issuance activity.
Google stated Symantec had not met these standards and had allowed outside access to their certificate infrastructure without proper oversight.
Symantec SSL certificates – estimated to make up one in every six SSL certificates currently deployed online – include certificates issued by VeriSign, GeoTrust, Thawte, Equifax and RapidSSL because Symantec bought their certificate authorities and they were subsequently added to the Symantec root.
The search-engine giant indicated last month that it has added a new feature under the “Developer Tools” menu item in the latest version of its Web browser, Google Chrome, alerting users that Symantec, VeriSign, GeoTrust, Thawte, Equifax and RapidSSL SSL certificates issued before 1 June 2016 will be considered distrusted from next March.
The core of the issue surrounding Symantec certificates – the business operates under brand names such as VeriSign, Thawte, Equifac, RapidSSL or GeoTrust – is that Symantec “entrusted several organisations with the ability to issue certificates without the appropriate or necessary oversight,” says Google.
The latest version of Google Chrome – the world’s most popular browser – called version 62 is scheduled to go live between 22 and 28 October. According to Net Market Share, Chrome dominates the browser market with a 59.61% market share.
The next big upgrade, called Chrome 66, is expected mid-April 2018 and visitors to Web sites using Symantec certificates issued before 1 June 2016 will receive warnings that the sites are “untrusted”.
Google has also indicated that Chrome 70 – estimated for roll-out in October 2018 – will distrust any certificate issued by Symantec’s old infrastructure, including those sold after 1 June 2016.
Following the impasse, Symantec has since entered an agreement with identity and encryption solutions provider DigiCert, which will acquire Symantec’s Web site security and related public key infrastructure solutions.
Under the terms of the agreement, Symantec will receive approximately $950 million in upfront cash proceeds and approximately a 30% stake in the common stock equity of the DigiCert business at the closing of the transaction.
However, Lauren Collier, SSL sales manager at cyber security firm LAWtrust, says while DigiCert – which is buying Symantec’s certificate authority business – is promising to issue replacement certificates from December this year, businesses should think carefully about how to proceed.
“One of the important parts of the SSL ecosystem is trust. If a certificate authority neglects to properly verify the legal existence and identity of an entity before issuing SSL certificates for domains, as Symantec has been accused of doing, this breaks the chain of trust,” she says.
For Jon Tullett, IDC’s research manager for IT services for Africa, SSL certificates are absolutely fundamental to modern Internet security. “They’re far from perfect – as this incident shows – but they are used to secure a tremendous amount of online activity.”
He explains that when a browser like Chrome removes a certificate, users will get a warning before they visit a site which uses that certificate to validate its identity.
“Google’s Chrome team has indicated serious concerns with a large number of the certificates in question, prompting this action, so it’s likely quite a number of sites and services may be affected – many thousands, potentially,” says Tullett.
Meanwhile, Manuel Corregedor, COO of information security company Telspace Systems, says digital certificates allow for the communication between the user’s machine and the Web site (server) to be encrypted.
“This makes it difficult for an attacker to intercept communications between the user’s computer and/or to masquerade as the authentic Web site.”
He notes organisations will have to replace their certificates or face potential reputational or financial harm.
“However, this is easier said than done especially for organisations that make use of certificates on devices or terminals that are hard to get to. In such cases, organisations will find it very difficult to update the certificates before the imposed deadline by Google,” says Corregedor.
By Admire Moyo for ITWeb