alphaspirit - Fotolia

Symantec certificate authority issues, answered

Google and Mozilla weigh the proper response to Symantec certificate authority issues, as the CA giant prepares an alternative proposal for reinstating trust.

Symantec responded to certificate issues raised by Mozilla just before the browser company's deadline last week, but the responses haven't eliminated concerns at Mozilla about Symantec certificate authority operations.

Mozilla developer Gervase Markham earlier this month outlined 14 Symantec certificate authority (CA) issues and requested answers from the antivirus software giant. Symantec responded to the issues on Mozilla's developer forum, but Markham said there were still "open questions" about the issues and gave a deadline of last Thursday for the company to provide more information before Mozilla began considering potential actions.

Symantec responded just before the deadline with a document that offered additional details on many of the certificate issues outlined by Markham. Symantec also requested the opportunity to submit its own remediation proposal for consideration instead of the more severe consequences Google proposed last month after the search giant announced it had discovered a "series of failures" with Symantec's certificate authority operations over several years.

"We permitted WoSign to propose a remediation plan," Markham wrote, referring to the Chinese certificate authority dropped from Mozilla's trusted certificate issuer list last year. "I think it is reasonable to do the same for Symantec. So we will wait to hear what they have to say, and then discuss appropriate action in the light of it."

Google's proposal will reduce the validity period of new Symantec-issued certificates to nine months or less, as well as incrementally distrust existing Symantec-issued certificates in order to revalidate and replace them, and it will remove Extended Validation status from Symantec-issued certifications until the browser community is assured that Symantec CA practices and policies are sufficient, but for at least one year, as indicated by Ryan Sleevi, software engineer and tech lead for Chrome's networking security team at Google, in Google's proposed framework.

Issues with Symantec certificate authority activities, enumerated on a Mozilla developer forum, were addressed in Symantec's response. Markham reclassified two of the issues as "struck," one as "informational" and four as "minor" -- but six were classified as "major" and two as "intermediate."

While Symantec responded to these issues, Markham expressed concerns with several of the responses and Symantec certification authority practices in general. For example, "Issue W" on Mozilla's forum highlighted issues with audits for Symantec's registration authority (RA) program.

Editor's note: Symantec discontinued its RA program last month after Google's announcement.

"Symantec have asserted that their oversight of these RA partners was primarily based on reviewing audits," Markham wrote about Symantec's response. "However, the audits had a number of irregularities of various kinds, including being of the wrong type and so not covering the BRs [baseline requirements] at all, or not covering all issuance, which were not noted until recently. This claim of oversight therefore rings fairly hollow."

Google's proposed deprecation of trust in Symantec certificates is in response to problems first uncovered in 2015, when test certificates for Google domains were improperly issued by the Symantec certificate authority. Since then, further issues related to the Symantec CA improperly issuing test certificates have been revealed dating back to 2009; other issues raised relate to Symantec certificate authority audits, issuance of SHA-1 certificates after that cryptographic protocol was deprecated and other issues related to satisfying the CA/Browser Forum Baseline Requirements for certificate authorities.

Improperly issued test certificates were first detected in 2015 through Certificate Transparency (CT), after which all Symantec certificates were required to be posted to CT logs. Subsequently, a new set of improperly issued certificates were detected early in 2017, after which Google announced its intent to deprecate and remove trust in existing Symantec certificates because of the ongoing issues with improper issuance of certificates and failures to properly validate certificates.

Symantec certificate authority customers were notified that progress was being made with Google on the proposed plan to deprecate trust in certificates issued by Symantec certificate authorities. Roxane Divol, Symantec's senior vice president and general manager for website security, wrote in a blog post to customers that Symantec's "goal is to find a combined path forward that will ensure business continuity for our customers and peace of mind for all browsers and other industry stakeholders."

Noting that the Google proposal would be disruptive to Symantec certificate authority customers, Divol wrote "the transition to fully adopt Google's proposal within its suggested timeframe would cause significant business disruption and additional expense -- especially within complex IT infrastructures. Mitigating these concerns is a top priority for us as we develop our counter proposal and provide responses to the salient questions the community has posted online."

Divol also assured Symantec certificate authority customers that if the Google proposal goes into effect, Symantec would reissue certificates at no additional charge. While Divol pointed to the "burden" created by Google's proposal, no mention was made in the post of questionable Symantec certificate authority practices.

"While we believe Google understands the burden their proposal creates, if they decide to move ahead with their original plan, I want to reassure you that Symantec will keep your websites, web servers or web applications operational across all browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period."

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing