Risk & Repeat: Google slams Symantec certificates

Another controversy has erupted over Symantec certificates, and this time, it has pitted the antivirus software maker against Google.

Last week, Google's Chromium team announced that an investigation into the Symantec certificate authority revealed at least 30,000 certificates that had been mis-issued over several years. In addition, the Chromium team criticized Symantec's certificate authority practices, and claimed that a "series of failures" caused Google to "no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years."

For Symantec, Google's move was not only the latest in a string of certificate authority issues for the security software giant, but it was also potentially the harshest response yet for mis-issuances.

The Chromium team suggested several measures for Symantec, including an incremental distrust of all currently trusted Symantec certificates, and requiring that all such certificates be revalidated or replaced.

Symantec, last week, denied Google's allegations, and called the company's actions irresponsible, and even accused Google of singling out Symantec. However, days later, Roxane Divol, executive vice president and general manager of Symantec Website Security, wrote a blog post declaring that Symantec would reissue its certificates as needed at no expense to customers. Divol also wrote that Symantec would support shorter validity certificates, if the measure was imposed by Google.

Why have there been repeated issues with Symantec certificates? Was Symantec's response to Google's proposed actions appropriate? What does this mean for Symantec's certificate authority business? In this week's episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more on the latest controversy over Symantec certificates.