For the past 12 months, Google, and its web browser Chrome, have been encouraging companies to switch to using HTTPS. HTTPS is designed to protect users, and make their internet browsing experience safer and more secure. However, Google is now involved in a dispute with one of the largest providers of internet security certificates, known as SSL certificates.
Symantec is a security company that provides SSL certificates to websites to ensure that they are running a safe and secure site. Symantec has issued millions of SSL certificates to websites over the last few years, and has previously been considered a yardstick for safe internet browsing. Now, though, Google has put forward a proposal which would invalidate Symantec-issued SSL certificates on its proprietary browser, Google Chrome.
According to the makers of Google Chrome, Symantec has failed to properly validate thousands of its certificates. Google goes so far as to claim that, where it had initially thought there might be as few as 127 invalid certificates, it now believes that there might have been as many as 30,000 improperly validated certificates given out in the last few years.
Google Chrome’s proposal suggests that Symantec’s trust level will be gradually lessened on Chrome over the next 9 months or less, and that Symantec-issued SSL certificates will incrementally cease to be recognised by the browser.
So what might this mean for Symantec? Symantec is at the moment the largest provider of SSL certificates on the internet, with millions of SSL certificates supplied. Some estimate that up to a third of all SSL certificates on the web come from Symantec. If Google goes ahead with its plan to remove trust from all of these Symantec certificates, then the company will be left with huge amounts of work to do.
In this situation, Symantec might have to reissue all of its certificates, forcing millions of customers to go through the validation and installation processes again. Customers who have paid extra for an Extended Validation certificate will also be left upset, as the time and money they have spent on what is usually considered a gold star for internet security will be treated as worthless.
It might not be a surprise to see that Symantec has firmly denied Google’s allegations. Symantec disputed Google’s claims in a statement, calling them ‘exaggerated and misleading’, and accusing the proposal of being ‘irresponsible’. Customers of Symantec and users of Chrome would do well to keep abreast of the situation as it develops.