Google has announced that it will soon remove a Symantec root certificate from Chrome, Android and other products. Google representatives say that the move is driven by the desire to protect users, since it is unclear what Symantec uses this certificate for.
On December 1, 2015, Symantec discontinued the VeriSign G1 root certificate (Class 3 Public Primary CA), which was previously used for public code signing and for TLS/SSL certificates. Although the company notified Google that it still plans to use this root certificate in the future, Symantec refused to explain exactly how it will be used and for what purposes. As a result, Google's security team decided to stop supporting the certificate altogether and removed it from the trusted list. Google engineer Ryan Sleevi explains in a blog post that VeriSign G1 no longer complies with the CA/Browser Forum Baseline Requirements.
“These requirements reflect advanced industry practices and are the basis for the operation of publicly trusted certificates. Non-compliance with these requirements is an unacceptable risk that endangers all users of Google products,” writes Sleevi. “Since Symantec has failed to explain the purpose of the new certificate, but knew about the risk to which Google users would be exposed, we were asked to preemptively remove the root certificate and end its validity. This step is necessary because the certificate is widely used on the Android, Windows, and OS X platforms.”
Symantec, for its part, noted that discontinuing the certificate fully complies with the CA/Browser Forum Baseline Requirements. Company officials insist that this is not the first time they have done this, but that notifying browser vendors about a retired root certificate has never before led to such consequences.
The company warns users that their browsers may soon stop supporting the certificate, which can lead to errors. However, Sleevi writes that Symantec representatives told Google that the removal of the certificate will not affect users.
Google's complaints about Symantec first emerged in October 2015, after an incident involving the issuance of bogus Extended Validation SSL certificates for the google.com and www.google.com domains. At the time, Symantec representatives apologized and gave assurances that an error had occurred and that the certificates had been created exclusively for peaceful research purposes. Further investigation revealed that the company had issued 23 test certificates, 6 of which affected Google domains, and even 7 Opera domains. Subsequently, 164 more certificates covering 76 domains were identified. Moreover, it turned out that Symantec had issued more than 2,400 certificates for unregistered domains, although this practice was abolished in April 2014.
Although Symantec representatives claimed at the time that the test certificates could not pose any risk to users, Google felt differently and recommended that Symantec work on security in this area.
Now, in the situation with the VeriSign G1 root certificate, Symantec representatives believe that Google is making a mountain out of a molehill, but stress that this incident has nothing to do with the October events.