Tuesday, March 28, 2017

Google Reprimands Cybersecurity Firm Symantec

Last week, Google quietly announced its intent to downgrade the level of trust it places in certificates issued by Symantec, effectively issuing a vote of no confidence in one of the internet’s largest certifiers.

Symantec is a massive Certificate Authority (CA), tasked with confirming the authenticity of a website and verifying that its owner is who it claims to be. CAs issue certificates vouching for websites of every variety, including those of banks, online retailers, and news outlets, so you can establish secure HTTPS connections with them and trust that you’re communicating with the entity you mean to. Without proper certification, it becomes possible for malicious actors to pose as legitimate websites and monitor communications. Symantec is similar in that regard to your local department of motor vehicles, which issues driver’s licenses to people in order to establish their identity and qualification to operate cars. In 2015, Symantec issued certificates that accounted for 30 percent of the certified Internet. According to Firefox, the security giant is also responsible for 42% of certificate validations.

So Google’s announcement, and the charges it has leveled against Symantec, are serious: they severely undermine trust in the company and, by extension, in the large swathes of the web it has vouched for. The search giant has accused Symantec of failing to meet its responsibilities as a CA and of improperly issuing at least 30,000 HTTPS certificates to websites without performing due diligence.

Effective immediately, Google Chrome will downgrade certificates issued by Symantec-owned issuers. Chrome will strip the extended validation (EV) status from Symantec-issued certificates for a period of at least one year, until Symantec earns back its trust. EV status gives users a stronger assurance by displaying the name of the verified website owner at the left of the address bar.

Chrome will also shorten the period for which Symantec certificates are accepted as valid, effectively moving up their expiration dates, and it will gradually stop trusting current Symantec certificates, requiring websites to replace them with fresh ones over time. This means that Symantec will have to work overtime to re-issue newer, more trustworthy certificates to its customers. Users may also be blocked from reaching websites that still present old Symantec-issued certificates, or at least have to click through a series of Chrome warnings first.

Google’s decision comes as a huge blow to Symantec and a major headache for Symantec customers, given that Chrome accounts for 58.5% of desktop browser usage and 55.2% of all mobile usage.

Google’s announcement is the culmination of an 18-month struggle with Symantec over its certificate issuance practices, according to TechCrunch. Back in October 2015, Google discovered that Symantec had improperly issued certificates for a number of Google domains, making it possible to impersonate those pages. As a result, Symantec fired an undisclosed number of employees.

In January of this year, an independent security researcher found evidence that Symantec had misissued 108 more certificates, Ars Technica reports. Since then, the Google Chrome team has been investigating Symantec’s issuance practices and its repeated failures to properly validate certificate requests before issuing them.

In a post, Google Chrome software engineer Ryan Sleevi writes: “Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”

Sleevi went on in the post to accuse Symantec of failing to properly oversee four organizations that had access to its infrastructure and neglecting to release timely updates regarding critical security issues, even when they were made public.

In response to these sharp allegations, Symantec has released a statement objecting to Google’s actions and accusing Google of greatly exaggerating the scope of the problem.

“Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm,” Symantec wrote. “We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet.”

Symantec also announced that its relationships with the four parties responsible for misissuing certificates had been terminated and that it had taken other remediation measures.

In an e-mail, Google wrote: “This remains an ongoing discussion, and we look forward to continuing our conversations with Symantec about this issue. We want to enable an open and transparent assessment of the compatibility and interoperability risks, relative to potential security threats to our users.”

This back-and-forth sniping between the two companies will probably go on for some time, given the stakes.

from http://ift.tt/2nhaTho