Symantec web security certificates may soon be branded as insecure by Google. It’s hard to believe as Symantec is one of the largest security companies out there. But that is because Symantec has been using several domains as its testbed for pre-production security certificates. Google is one of those domains, and they’re not fond of the idea of being Symantec’s guinea pig.
Security certificates tell browsers and apps that certain websites that make use of SSL are safe to visit. Otherwise, the browser issues an alert that the website may be unsafe, or the website is blocked, even without internet security software.
Symantec has disclosed that it has issued fewer than 200 test certificates to 76 registered domains without their permission. Google found out later that the company issued over 2,000 more to unregistered domains. That in itself is a terrible offense on the part of Symantec. It might as well be a breach of security on the part of the affected domains. With such a practice, unscrupulous persons within Symantec can issue certificates for high-paying malware websites or even to Anonymous and open the gates of hell. One could imagine the damage to Symantec’s reputation within IT security circles. Symantec has since fired some of its staff in light of this issue and is working to downplay or reduce the damage. Google’s Online Security Blog post has blown this case wide open, though, and is threatening that problems will arise on websites that use Symantec security certificates when using Google products such as the Chrome browser and Chromebooks.
This is bad news for Symantec, which has just bounced back from being branded as bloated, not just in its products but as a company, opening the way for other IT security vendors like Avast, Kaspersky, and AVG to get large chunks of the lucrative market. This issue of undermining the security of its clients will be a big blow to the company if it gets out to ordinary users. Norton Internet Security’s share is already as low as it is with Microsoft including free anti-virus products with Windows 8 and Windows 10. Even if the problem was unintentional, it doesn’t speak well for Symantec’s quality control. The company has promised Google and anyone else who complained that it will take steps to fix the problem. Google won’t have it, though, and laid down several rules detailed in the blog post.
Google requires that Symantec man up and issue a report on how and why the issue happened. They also request that Symantec provide steps and procedures that will prevent similar incidents from happening in the future, and a timeline to boot. Google also wants the security company to undergo a third-party security audit and a Point-in-time Readiness Assessment. These are tough pills to swallow for a well-known IT security company, but pills that the company must swallow to get out of the matrix of distrust.
Google isn’t rushing the company with these tough demands but warned that by June 1, 2016, security certificates from Symantec will only cause problems on Google products, and for companies that use both Google products and Symantec certificates, if these demands aren’t met. Chrome will brand websites with Symantec security certificates as unsafe if Symantec does not practice Certificate Transparency. Red letter warnings. Bad. But just recently, a Symantec spokesperson issued a statement to ZDNet stating:
“In September, we were alerted that a small number of test certificates for Symantec’s internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains. While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold… We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted. To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit.”
Exactly as Google asked and what most users would want to hear. That’s the new Google or Alphabet. They will do no more evil nor will they tolerate it.