Story image

INTERVIEW: What Google’s decision to distrust Symantec certificates means

21 Feb 2018

Last year Chrome announced a formal plan to remove trust from Symantec-issued certificates.

This came after researchers affiliated with Google determined that Symantec and their affiliated Certificate Authorities (CAs) had ‘mis-issued’ thousands of transport layer security (TLS) certificates.

Venafi product manager for cloud products Walter Goulet says this is only the beginning of a growing tension between browsers and CAs.

“Concern about certificate issuance practices from browser companies is not a new phenomenon,” says Goulet.

“However, these concerns are now driving action from browser companies and this will combine with other industry changes in 2018. As a result, it’s very likely that the tension between CAs and browsers will continue to escalate, which will increase the pressure on business models in the CA industry.”

In terms of the immediate implications of Google Chrome’s decision, Goulet says websites that are currently operating with Symantec certificates need to take action now.

“Google and DigiCert/Symantec have been providing guidance on transition plans to help customers avoid being impacted due to the Symantec distrust event. However, website operators that don’t take action will find unexpected browser warnings preventing their customers from accessing their services,” Goulet says.

“Website operators need to immediately consider how they will replace their certificates and follow the guidance that has been provided by DigiCert after they acquired the Symantec business. Website operators should take this opportunity to investigate their processes and toolsets used to manage certificates and invest in automation and shorter lifetime certificates to reduce impact from possible future CA distrust events.”

Goulet says Google Chrome’s ban of Symantec certificates highlights just how much power browser makers have over certificate authorities – in this case, Google has flexed its power to demand that hundreds of thousands of Symantec certificates around the world be replaced before October.

“In the face of this sort of threat, CAs need to evolve their business models to future-proof their industry and Google’s action definitely sends a message to CAs that they need to support rapid response to incidents reported to them, much greater automation and better support for short lived certificates,” Goulet says.

“With trends like DevOps and IoT meaning that enterprises need more certificates in faster timeframes than ever, this future-proofing needs to take the form of automation. By providing better automated services, CAs can remain competitive and meet the demands of rapidly moving DevOps teams.”

According to Goulet, there are three major market changes that will affect the interdependency between browsers and CAs, including:

  • Browser makers will take a more active role in policing CAs. Information security researcher Ian Carroll recently conducted an experiment that revealed just how easy it was for phishers to legally obtain Extended Validation certificates for malicious websites. Using this example many browsers are pointing out that CA issuance practices require additional oversight.
  • Web browsers will de-emphasise or remove certificate security warnings. Research has shown that certificate warnings rarely impact user behaviour, making the practice redundant.
  • CA business models will have to evolve. As browser makers take a more active role in determining which CAs they will trust and as they modify the user experience connected with weak, mis-issued or vulnerable certificates, CA business models will change.

Goulet says there is going to be a lot of change over the next five years.

“CA’s are currently experiencing a number of pressures which are forcing them to change their business model. The increasing ability of browser companies to dictate terms, combined with the rise of free certificates and the increasing demand for faster certificates thanks to DevOps and IoT, means CAs need to change their practices quickly in order to remain competitive,” Goulet says.

“This will likely happen in a number of different ways, including increased automation and the development of new product offerings like cloud security and managed private PKIs. Beyond that, we could also start to see the rise of niche CAs, based on things like language – particularly in Europe as GDPR comes in to force and firms look to avoid falling foul of regulation.”

Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.