Google Chrome with Symantec are jointly investigating mis-issuance of 30 000 certificates

Google Chrome with Symantec are jointly investigating mis issuance of 30 000 certificates

Google Chrome developers after recent investigation concerning Symantec issued SSL certificates have come to a conclusion that Symantec mis-issued over 30000 certificates in a past few years.

As a result, Google experts decided to take quite tough measures:

Revoke acceptance of extended validation status of all EV-certificates issued by Symantec and other Symantec associated certificate authorities. According to this statement, all EV SSL-certificates issued by Symantec will be recognized by the Google Chrome browser as DV, i.e. simple SSL-certificates which are issued after basic domain verification procedure.
Google has also announced sequential distrust of all existing Symantec-issued certificates as well as all certificates issued by Symantec associated certificate authorities. This will be implemented by decreasing validity period of Symantec issued certificates in upcoming releases of Google browser. In Chrome 59 release, Symantec issued certificates will be valid no more than 33 months, moreover in Chrome 64 release Google announced to limit the validity period of Symantec SSL certificates for just 9 months.

According to study conducted by Google experts, Symantec has issued over 30000 certificates opposing common certificate issuance policies and practices within past few years.

Symantec representatives are refusing any accusations in regards to mis-issuance of 30000 certificates. Symantec admitted that on one occasion there was a mis-issuance of 127 certificates however this caused no harm to consumers as Symantec stated they’ve taken an extensive remediation actions in this case.

Currently, there are ongoing intensive negotiations between Symantec and Google in regards to this matter. We will keep you updated with upcoming news.