
INTERVIEW: What Google’s decision to distrust Symantec certificates means

21 Feb 2018

Last year Chrome announced a formal plan to remove trust from Symantec-issued certificates.

This came after researchers affiliated with Google determined that Symantec and its affiliated Certificate Authorities (CAs) had ‘mis-issued’ thousands of transport layer security (TLS) certificates.

Venafi product manager for cloud products Walter Goulet says this is only the beginning of a growing tension between browsers and CAs.

“Concern about certificate issuance practices from browser companies is not a new phenomenon,” says Goulet.

“However, these concerns are now driving action from browser companies and this will combine with other industry changes in 2018. As a result, it’s very likely that the tension between CAs and browsers will continue to escalate, which will increase the pressure on business models in the CA industry.”

In terms of the immediate implications of Google Chrome’s decision, Goulet says websites that are currently operating with Symantec certificates need to take action now.

“Google and DigiCert/Symantec have been providing guidance on transition plans to help customers avoid being impacted due to the Symantec distrust event. However, website operators that don’t take action will find unexpected browser warnings preventing their customers from accessing their services,” Goulet says.

“Website operators need to immediately consider how they will replace their certificates and follow the guidance that has been provided by DigiCert after they acquired the Symantec business. Website operators should take this opportunity to investigate their processes and toolsets used to manage certificates and invest in automation and shorter lifetime certificates to reduce impact from possible future CA distrust events.”

Goulet says Google Chrome’s distrust of Symantec certificates highlights just how much power browser makers hold over certificate authorities: in this case, Google has used that power to require that hundreds of thousands of Symantec certificates around the world be replaced before October.
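A triage check for the action Goulet describes, written here as an added Go example rather than code from Venafi, Google or DigiCert: parse a server's PEM bundle, look at the deepest certificate shipped for a legacy Symantec brand name, and classify the leaf against Chrome's timeline (Chrome 66, April 2018, for certificates issued before 1 June 2016; Chrome 70, the October 2018 release the article refers to, for everything else). Those dates come from Chrome's published plan, not from this article; the brand-name match is an illustrative heuristic standing in for the root SPKI-hash match Chrome actually used; and the certificate chain is constructed inline so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Organisation names on the legacy Symantec roots; an illustrative heuristic only
// (Chrome keyed its distrust on the roots' SPKI hashes, which are not embedded here).
var legacySymantecBrands = []string{"symantec", "verisign", "geotrust", "thawte"}

// Chrome 66 (April 2018) rejected Symantec-chained certificates issued before this
// date; Chrome 70 (October 2018) rejected the rest.
var chrome66Cutoff = time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)

// ParsePEMChain decodes every CERTIFICATE block in a bundle, leaf first (the usual
// order of a server's fullchain.pem), skipping keys or other block types.
func ParsePEMChain(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, cert)
	}
	if len(chain) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return chain, nil
}

// DistrustVerdict names the first Chrome release that rejects the leaf, if any. The
// brand match runs against the deepest certificate shipped (root or top intermediate).
func DistrustVerdict(chain []*x509.Certificate) string {
	top := strings.ToLower(strings.Join(chain[len(chain)-1].Subject.Organization, " "))
	legacy := false
	for _, brand := range legacySymantecBrands {
		legacy = legacy || strings.Contains(top, brand)
	}
	switch {
	case !legacy:
		return "not affected"
	case chain[0].NotBefore.Before(chrome66Cutoff):
		return "distrusted from Chrome 66 (April 2018)"
	default:
		return "distrusted from Chrome 70 (October 2018)"
	}
}

// makeTestChainPEM builds a constructed root + leaf bundle so the example runs offline;
// an operator would read their own fullchain.pem instead. One key signs both certificates
// purely to keep the fixture short.
func makeTestChainPEM(rootOrg string, leafNotBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{rootOrg}, CommonName: rootOrg + " Root"},
		NotBefore:             time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotBefore.AddDate(2, 0, 0),
	}
	var out []byte
	// Leaf signed by the root, then the self-signed root, mirroring a fullchain file.
	for _, pair := range [][2]*x509.Certificate{{leaf, root}, {root, root}} {
		der, err := x509.CreateCertificate(rand.Reader, pair[0], pair[1], &key.PublicKey, key)
		if err != nil {
			return nil, err
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out, nil
}

func main() {
	for _, org := range []string{"Symantec Corporation", "DigiCert Inc"} {
		bundle, _ := makeTestChainPEM(org, time.Date(2017, 5, 1, 0, 0, 0, 0, time.UTC))
		chain, err := ParsePEMChain(bundle) // an empty bundle surfaces as an error here
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %s\n", org, DistrustVerdict(chain))
	}
}
```

Run against a real deployment by replacing the constructed bundle with the bytes of the server's chain file; a bundle that only contains the leaf will be judged on the leaf's own issuer, so ship the intermediates when checking.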

“In the face of this sort of threat, CAs need to evolve their business models to future-proof their industry and Google’s action definitely sends a message to CAs that they need to support rapid response to incidents reported to them, much greater automation and better support for short lived certificates,” Goulet says.

“With trends like DevOps and IoT meaning that enterprises need more certificates in faster timeframes than ever, this future-proofing needs to take the form of automation. By providing better automated services, CAs can remain competitive and meet the demands of rapidly moving DevOps teams.”

According to Goulet, three major market changes will affect the interdependency between browsers and CAs:

  • Browser makers will take a more active role in policing CAs. Information security researcher Ian Carroll recently conducted an experiment that showed how easily a phisher could legally obtain an Extended Validation certificate for a malicious website, and browser makers point to this example as evidence that CA issuance practices need additional oversight.
  • Web browsers will de-emphasise or remove certificate security warnings. Research has shown that certificate warnings rarely change user behaviour, which makes the practice largely pointless.
  • CA business models will have to evolve. As browser makers take a more active role in deciding which CAs they trust, and as they change the user experience for weak, mis-issued or vulnerable certificates, CA business models will change.

Goulet says there is going to be a lot of change over the next five years.

“CAs are currently experiencing a number of pressures which are forcing them to change their business model. The increasing ability of browser companies to dictate terms, combined with the rise of free certificates and the increasing demand for faster certificates thanks to DevOps and IoT, means CAs need to change their practices quickly in order to remain competitive,” Goulet says.

“This will likely happen in a number of different ways, including increased automation and the development of new product offerings like cloud security and managed private PKIs. Beyond that, we could also start to see the rise of niche CAs, based on things like language – particularly in Europe as GDPR comes into force and firms look to avoid falling foul of regulation.”
