Skip to main content
  1. Home
  2. Computing
  3. News

Update: Symantec asks Google to remove trust for one of its own certificates

Jonathan Keane
By

symantec asks google remove trust one certificates headquarters
Image used with permission by copyright holder
Updated 12/16/2015 10:00am by Matt Smith

Symantec has released a new statement about the certificate that was removed from trust. 

Recommended Videos

In keeping with industry standards and best practices, Symantec notified major browsers in November, including Google, that they should remove or untrust a legacy root certificate from their lists called the VeriSign Class 3 Public Primary Certification Authority G1 (PCA3-G1). We advised this action because this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications. By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014.

Related

Obviously, this statement seeks to defuse any perception that this is due to a fault on Symantec’s part, which seems accurate given the context. 

Original Text: Google has decided to “distrust” a Symantec root certificate that the security company says is no longer compliant with security standards. The cert could have potentially been used to intercept users’ web traffic.

The move is the latest in a series of issues between Google and Symantec over trust for the latter’s digital certificates. In October, Google told the company that it must be more transparent over the issuing of TSL certificates for domain names.

Over the weekend, Google software engineer Ryan Sleevi wrote that Google has decided to distrust Symantec’s “Class 3 Public Primary CA” root certificate, used in Google products like Chrome and Android.

“Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements,” he said, explaining that the cert’s trust was cut off on December 1st. The Baseline Requirements are a set of criteria for best practices in the issuing of digital certificates for SSL/TLS servers.

“As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products,” said Sleevi.

Use of the vulnerable certificate could allow a malicious actor to spoof a Google service and target users or intercept web traffic. Symantec requested that Google remove and distrust the root certificate once it became aware of the security risk it would pose to users on Chrome and Android. Website owners and general users will not be affected, it added, as this is the usual procedure for dealing with legacy certs.

Google will still continue with its plan to remove trust for Symantec certificates if they do not introduce more transparency in how they issue certs by June 1st 2016. The ultimatum came after the company issued several certificates for domain names to people or organizations that did not own them. Symantec responded by firing an unspecified number of employees responsible for the error.

Editors' Recommendations

Topics
Jonathan Keane
Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
How to draw on Google Docs to add doodles, sketches, and more
The Google Play Store, YouTube, and Google Docs installed on an Amazon Fire Max 11.

Word processing software isn’t the kind of tool that most users would consider exciting, which is why we’re glad to see companies like Google adding a little flair to its own products. We’re talking about Google Docs, a free-to-use word processor that’s part of your larger Google Account ecosystem. Basic formatting options and other familiar word processing functions are front and center on Google Docs, but the ability to add doodles, sketches, and other entertaining media to your next Docs file requires a special bit of know-how.

Read more
AMD’s upcoming APUs might destroy your GPU
AMD CEO Lisa Su holding an APU chip.

The spec sheets for AMD's upcoming APU lineups, dubbed Strix Point and Strix Halo, have just been leaked, and it's safe to say that they're looking pretty impressive. Equipped with Zen 5 cores, the new APUs will find their way to laptops that are meant to be on the thinner side, but their performance might rival that of some of the best budget graphics cards -- and that's without having a discrete GPU.

While AMD hasn't unveiled Strix Point (STX) and Strix Halo (STX Halo) specs just yet, they were leaked by HKEPC and then shared by VideoCardz. The sheet goes over the maximum specs for each APU lineup, the first of which, Strix Point, is rumored to launch this year. Strix Halo, said to be significantly more powerful, is currently slated for a 2025 release.

Read more
Hyte made me fall in love with my gaming PC all over again
A PC built with the Hyte Nexus Link ecosystem.

I've never seen anything quite like Hyte's new Nexus Link ecosystem. Corsair has its iCue Link system, and Lian Li has its magnetic Uni system, and all three companies are now offering ways to tie together your PC cooling and lighting devoid of extraneous cables. But Hyte's marriage of hardware, software, and accessories is in a league of its own -- and it transformed my PC build completely.

I've been using some of the foundational components of the ecosystem for about a week, retailoring a build inside of Hyte's own Y40 PC case to see how the system works. It doesn't seem too exciting at first -- Hyte released an all-in-one (AIO) liquid cooler, some fans, and a few RGB strips, who cares? But as I engaged more with the Nexus Link ecosystem, I only became more impressed.
It all starts with the cooler

Read more