Skip to main content
  1. Home
  2. Computing
  3. News

Update: Symantec asks Google to remove trust for one of its own certificates

Add as a preferred source on Google

Updated 12/16/2015 10:00am by Matt Smith

Symantec has released a new statement about the certificate that was removed from trust. 

Recommended Videos

In keeping with industry standards and best practices, Symantec notified major browsers in November, including Google, that they should remove or untrust a legacy root certificate from their lists called the VeriSign Class 3 Public Primary Certification Authority G1 (PCA3-G1). We advised this action because this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications. By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014.

Obviously, this statement seeks to defuse any perception that this is due to a fault on Symantec’s part, which seems accurate given the context. 

Original Text: Google has decided to “distrust” a Symantec root certificate that the security company says is no longer compliant with security standards. The cert could have potentially been used to intercept users’ web traffic.

The move is the latest in a series of issues between Google and Symantec over trust for the latter’s digital certificates. In October, Google told the company that it must be more transparent over the issuing of TSL certificates for domain names.

Over the weekend, Google software engineer Ryan Sleevi wrote that Google has decided to distrust Symantec’s “Class 3 Public Primary CA” root certificate, used in Google products like Chrome and Android.

“Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements,” he said, explaining that the cert’s trust was cut off on December 1st. The Baseline Requirements are a set of criteria for best practices in the issuing of digital certificates for SSL/TLS servers.

“As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products,” said Sleevi.

Use of the vulnerable certificate could allow a malicious actor to spoof a Google service and target users or intercept web traffic. Symantec requested that Google remove and distrust the root certificate once it became aware of the security risk it would pose to users on Chrome and Android. Website owners and general users will not be affected, it added, as this is the usual procedure for dealing with legacy certs.

Google will still continue with its plan to remove trust for Symantec certificates if they do not introduce more transparency in how they issue certs by June 1st 2016. The ultimatum came after the company issued several certificates for domain names to people or organizations that did not own them. Symantec responded by firing an unspecified number of employees responsible for the error.

Jonathan Keane
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
How to install macOS 27 Golden Gate public beta on your Mac?
From a smarter Siri to a more reliable Spotlight, here's your full walkthrough for installing macOS 27 Golden Gate's public beta today.
macOS 27 Golden Gate

Along with iOS 27’s public beta, Apple has also released macOS 27 Golden Gate’s public beta build, so that early adopters can get their hands on the new features, including Siri AI, and provide timely feedback to help ensure a stable iOS launch in September. 

If you’re sold on all the new features but don’t want to put your faithful MacBook through developer beta duty, a public beta offers a much more refined experience. To install macOS 27’s public beta, follow the steps given below. 

Read more
Microsoft is finally fixing the worst thing about Windows Search, but you can’t try it just yet
Windows Insiders in the Experimental channel are getting a Search experience that finally feels less of a billboard and more of what users actually need.
Page, Text, Person

Windows Search has been a mess for years, and I do not use that word lightly. Open it to find a file, and you get trending Bing topics, Microsoft Store promotions, and an AI tools tile that just opens a browser. 

That is changing, but not immediately for all users. Microsoft is rolling out a batch of Windows Search improvements to Insiders in the Experimental channel, and for once, this isn't just a fresh coat of paint.

Read more
Apple doesn’t want to share this AirPods feature with Meta, but the EU may force its hand
Spring 2027, EU only, built under DMA pressure.
The front of the Ray-Ban Meta smartglasses.

I’ve been an AirPods user for the last four years, and one of the things that makes it genuinely hard to leave behind is the seamless, almost magical pairing experience across devices. Open an AirPods case near your iPhone, and a pop-up appears within seconds. Switch to your Mac and the audio follows. 

However, the experience is limited only to Apple devices. Doesn’t matter whether you have one of the coolest pieces of tech on the market right now; if it’s not Apple, it won’t get the same treatment. However, that might change for the Meta Quest or the Ray-Ban Meta glasses, thanks to pressure from the EU. 

Read more