
Timeline: Symantec certificate authority improprieties

Timeline: Follow along as Google and Mozilla raise issues with Symantec certificate authority actions, and then work out with the CA giant how trust in its certificates might be restored.

The tug of war between Symantec and web browser giants Google and Mozilla has many chapters and stretches back to 2015, when Google first discovered the CA giant was misissuing test certificates.

Now, many in the Mozilla and Chromium browser development communities are calling for Symantec to either take drastic action to improve or risk losing its privileges as a trusted certificate authority -- even as Symantec has continued to push back against all charges.

Symantec's certificate authority operation now faces the possibility of being dropped from the trusted certificate authority (CA) programs of both major browsers unless it can convince the browser community that it has addressed all the issues.




Google uses Certificate Transparency logs to catch Symantec certificate authority staff improperly issuing Extended Validation (EV) certificates for domains Symantec does not own -- including Google domains.

The certificates are issued for testing purposes, and neither Symantec nor Google believes any users are at risk due to the issuances. Symantec announces that it has fired the employees deemed responsible in a blog post titled "A Tough Day as Leaders," though the post appears to have since been removed from Symantec's site.


After a month of deliberation, Google imposes sanctions on Symantec CA for the improper certificate issuance discovered through Certificate Transparency.

Google announces that Symantec certificate authorities must submit to an extended third-party audit schedule, and that, starting Jun. 1, 2016, Symantec must comply with Certificate Transparency for all the certificates it issues -- not just Extended Validation certificates.


Symantec is required to comply with Certificate Transparency for all certificates it issues.


Security researcher Andrew Ayer uses Certificate Transparency logs and reports finding 108 bad certificates issued by Symantec certificate authorities between July 2016 and January 2017.

Symantec responds by revoking all of the certificates that had not previously been revoked, and reduces certificate issuing privileges for its partners responsible for the improperly issued certificates.
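Both of the findings above -- Google spotting EV certificates for its own domains, and Andrew Ayer's 108 bad certificates -- rest on the same detection technique: a domain owner (or researcher) watches Certificate Transparency logs for certificates that cover names in zones they control and checks whether the issuer is one they actually authorized. The example below is added here to show that check in working code; it is not code from the article, from Google or from Symantec. The log entries, issuer names, domains and serials are constructed sample data in the shape a CT log client exposes after parsing each logged leaf certificate; in real use the entries would come from a log's get-entries API or an aggregator such as crt.sh.

```python
"""Certificate Transparency (CT) monitoring: flag certificates for domains you
control that were issued by a CA you did not authorize.

Added example, not code from the original article, Google or Symantec. The
entries below are constructed sample data in the shape a CT log client exposes
after parsing each logged leaf certificate (issuer common name, SAN DNS names,
serial); every issuer and domain name here is illustrative.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class CTEntry:
    """One leaf certificate as recovered from a CT log (constructed shape)."""
    log_index: int
    issuer_cn: str
    san_dns: tuple          # dNSName entries from subjectAltName
    serial: str


def within_zone(san: str, apex: str) -> bool:
    """True if a SAN dNSName is the monitored apex or any name beneath it.
    A wildcard '*.sub.apex' is treated as the zone it covers. Comparison is
    case-insensitive and ignores a trailing dot; look-alikes such as
    'notexample.com' or 'example.com.attacker.test' must not match."""
    name = san.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == apex or name.endswith("." + apex)


def find_unexpected_issuers(entries: Iterable[CTEntry],
                            monitored_apexes: Iterable[str],
                            authorized_issuers: Iterable[str]):
    """Return [(entry, affected_apexes)] for every certificate that covers a
    monitored zone but was issued by a CA outside the authorized set.
    Certificates for unmonitored names are ignored even when the issuer is
    unknown: detecting those is the job of whoever owns that zone."""
    apexes = list(monitored_apexes)
    authorized = {i.lower() for i in authorized_issuers}
    hits = []
    for entry in entries:
        if entry.issuer_cn.lower() in authorized:
            continue
        affected = sorted({apex for apex in apexes
                           for san in entry.san_dns if within_zone(san, apex)})
        if affected:
            hits.append((entry, affected))
    return hits


# Constructed sample log slice: indices, issuers, names and serials are made up.
SAMPLE_ENTRIES = (
    CTEntry(1001, "Authorized CA Example G2", ("example.com", "www.example.com"), "0a"),
    CTEntry(1002, "Partner RA Test Intermediate", ("test.example.com",), "0b"),
    CTEntry(1003, "Partner RA Test Intermediate", ("unrelated.test",), "0c"),
    CTEntry(1004, "Authorized CA Example G2", ("*.example.com",), "0d"),
    CTEntry(1005, "Other Public CA", ("*.example.com", "login.example.net"), "0e"),
    CTEntry(1006, "Other Public CA", ("example.com.attacker.test",), "0f"),
)
MONITORED = ("example.com", "example.net")
AUTHORIZED = ("Authorized CA Example G2",)


if __name__ == "__main__":
    for entry, apexes in find_unexpected_issuers(SAMPLE_ENTRIES, MONITORED, AUTHORIZED):
        print(f"log index {entry.log_index}: issuer {entry.issuer_cn!r} "
              f"serial {entry.serial} covers {', '.join(apexes)} -> investigate/revoke")
```

Run against the sample slice, entries 1002 and 1005 are flagged (an unauthorized partner intermediate and an unrelated public CA each covering a monitored zone), while 1003 is ignored as out of scope and 1006 is correctly rejected as a look-alike name. The authorized set should name the issuing intermediates you actually use, not just a root: a test certificate minted under a different intermediate of the same CA is exactly the kind of event the timeline describes.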


As the number of bad certificates identified rises to 127, Symantec responds to Google's questions about the misissued certificates. Symantec states it is reviewing its registration authority (RA) program and taking other steps to review issues raised with its partners and auditors. The company later discontinued its RA program.


The Google Chromium browser development team reports that its investigation revealed as many as 30,000 certificates that were improperly issued or validated by Symantec certificate authorities over the past several years, and proposes actions in response to Symantec's failures.

Google's proposal would deprecate and remove trust in existing Symantec-issued certificates by reducing the validity period for new Symantec certificates to nine months, requiring all Symantec-issued certificates to be revalidated and replaced, and removing the Extended Validation status from Symantec-issued certificates for at least one year.


Symantec announces the termination of its beleaguered registration authority program, the source of a number of the issues raised by Google and Mozilla.


In an announcement objecting to Google's proposed plan for deprecating trust in its certificates, Roxane Divol, executive vice president and general manager of Symantec Website Security, writes the company is "proud to be one of the world's leading certificate authorities" and that "we operate our CA in accordance with industry standards." Divol also writes that "We do not believe Google's proposal is in the best interest of the Internet community."


Following Google's actions, Mozilla developer Gervase Markham posts a complete list of the Symantec certificate authority issues raised on the Chromium developers forum, and requests further clarification from Symantec.

The Mozilla team lists 14 issues related to Symantec certificate authorities, some dating as far back as 2009, including the issuance of SHA-1 certificates after the deadline for using the deprecated algorithm, the issuance of certificates for domains without permission from the domain owners and ongoing issues raised in audits that were not addressed by Symantec.


Even more questions are raised after Symantec posts its response to issues raised on the Mozilla developers forum.

Mozilla's Markham sets a deadline of Thursday, Apr. 20, 2017, for Symantec to respond to the further questions raised on the forum.


Just before the deadline imposed by Mozilla, Symantec issues its official response to the certificate authority issues listed in the Mozilla developers forum, and requests the opportunity to offer an alternative plan for reinstating trust in its certificates.

Noting that WoSign, the troubled Chinese certificate authority dropped from Mozilla's trusted certificate issuers list in 2016, was given an opportunity to propose an alternate plan for it to continue operations, Markham sets another deadline for Symantec to propose its own alternative plan.


Symantec offers a much less onerous proposal to restore trust in its certificate authorities. Claiming its counter-proposal "addresses the concerns raised by Google about our CA business without imposing undue business disruption on our customers and Chrome users that we believe would result if Google implements its proposal," Symantec proposes additional and more frequently conducted audits, and promises that it will address operational issues.


Ryan Sleevi, software engineer and tech lead for Chrome's networking security team at Google, reports Symantec was offered a second option that would have allowed it to remain a trusted certificate authority: effectively turning over Symantec certificate authority operations to one or more existing CAs, and starting over from scratch to rebuild its public key infrastructure (PKI).


Mozilla responds to Symantec's counter-proposal by suggesting that Google's second option -- outsourcing its certificate authority operations to one or more outside CAs -- is its preferred course of action at this time.

Markham notes that, while audits, which form the bulk of Symantec's counter-proposal, are important, they are not "a guarantor of appropriate conduct" on the part of a certificate authority.

"Symantec should seriously consider Google's proposal for simplifying and restoring trust in their public PKI," Markham writes.


Symantec reiterates its confidence in being able to remediate certificate authority issues through increased audits and process improvements, as well as promising to deliver third-party audits by Aug. 31, 2017, that confirm its "issuance processes are sound."

Writing in a blog post titled "Symantec CA Continues the Public Dialogue," Symantec rejects the calls from Mozilla and Google to outsource its operations to a third party.


In a post to the Mozilla developers forum, Rick Andrews, senior technical director for website security at Symantec, announces that Symantec has "established a new dialogue" between senior executives at Google and Symantec to "arrive at a new proposal" that will have less effect on Symantec's customers.

A Google spokesperson confirms that Chrome is involved in that dialogue, but the search giant makes no further comment.


Mozilla withdraws its alternative proposal for remediating trust in Symantec certificate authorities; Markham writes that, given the low degree of engagement on Symantec's part and the need to move forward to restore compliance, the only option for Symantec to remain a trusted CA for Mozilla is to turn over its CA operations to a trusted third party.

Symantec does not respond to requests for comment on this development.


In a posting on the Chromium developers forum, Tarquin Wilton-Jones, a member of the security team for Opera Software, states that the Opera browser will likely follow whatever action Chromium takes regarding trust in Symantec certificates, but he adds that the Opera team "would still encourage Google's second proposal [outsourcing CA processes to another CA] to be used as the preferred solution."

Next Steps

Learn how to manage certificate authority risks

Read about how Certificate Transparency can solve CA trust issues

Find out how to stop forged certificates from trusted vendors

This was last published in May 2017
