INTERVIEW: What Google’s decision to distrust Symantec certificates means
Last year Chrome announced a formal plan to remove trust from Symantec-issued certificates.
This came after researchers affiliated with Google determined that Symantec and their affiliated Certificate Authorities (CAs) had ‘mis-issued’ thousands of transport layer security (TLS) certificates.
Venafi product manager for cloud products Walter Goulet says this is only the beginning of a growing tension between browsers and CAs.
“Concern about certificate issuance practices from browser companies is not a new phenomenon,” says Goulet.
“However, these concerns are now driving action from browser companies and this will combine with other industry changes in 2018. As a result, it’s very likely that the tension between CAs and browsers will continue to escalate, which will increase the pressure on business models in the CA industry.”
In terms of the immediate implications of Google Chrome’s decision, Goulet says websites that are currently operating with Symantec certificates need to take action now.
“Google and DigiCert/Symantec have been providing guidance on transition plans to help customers avoid being impacted due to the Symantec distrust event. However, website operators that don’t take action will find unexpected browser warnings preventing their customers from accessing their services,” Goulet says.
“Website operators need to immediately consider how they will replace their certificates and follow the guidance that has been provided by DigiCert after they acquired the Symantec business. Website operators should take this opportunity to investigate their processes and toolsets used to manage certificates and invest in automation and shorter lifetime certificates to reduce impact from possible future CA distrust events.”
Goulet says Google Chrome’s ban of Symantec certificates highlights just how much power browser makers have over certificate authorities – in this case, Google has flexed its power to demand that hundreds of thousands of Symantec certificates around the world be replaced before October.
“In the face of this sort of threat, CAs need to evolve their business models to future-proof their industry and Google’s action definitely sends a message to CAs that they need to support rapid response to incidents reported to them, much greater automation and better support for short lived certificates,” Goulet says.
“With trends like DevOps and IoT meaning that enterprises need more certificates in faster timeframes than ever, this future-proofing needs to take the form of automation. By providing better automated services, CAs can remain competitive and meet the demands of rapidly moving DevOps teams.”
According to Goulet, there are three major market changes that will affect the interdependency between browsers and CAs, including:
- Browser makers will take a more active role in policing CAs. Information security researcher Ian Carroll recently conducted an experiment that revealed just how easy it was for phishers to legally obtain Extended Validation certificates for malicious websites. Using this example many browsers are pointing out that CA issuance practices require additional oversight.
- Web browsers will de-emphasise or remove certificate security warnings. Research has shown that certificate warnings rarely impact user behaviour, making the practice redundant.
- CA business models will have to evolve. As browser makers take a more active role in determining which CAs they will trust and as they modify the user experience connected with weak, mis-issued or vulnerable certificates, CA business models will change.
Goulet says there is going to be a lot of change over the next five years.
“CA’s are currently experiencing a number of pressures which are forcing them to change their business model. The increasing ability of browser companies to dictate terms, combined with the rise of free certificates and the increasing demand for faster certificates thanks to DevOps and IoT, means CAs need to change their practices quickly in order to remain competitive,” Goulet says.
“This will likely happen in a number of different ways, including increased automation and the development of new product offerings like cloud security and managed private PKIs. Beyond that, we could also start to see the rise of niche CAs, based on things like language – particularly in Europe as GDPR comes in to force and firms look to avoid falling foul of regulation.”