Symantec Owes its Customers Better, But So Does Google.
The ongoing feud between Symantec and the browser community, specifically Google, is bad for the entire SSL industry. Its consequences will undoubtedly be felt across the internet, in ways both seen and unseen. And Symantec must step up to the plate and own a portion of the blame for even letting things get to the point where Google can threaten to remove trust in existing Symantec SSL certificates.
Before we get to that though, I want to level with you. We were split Friday about whether or not to discuss this proposal, made by Google’s Ryan Sleevi. On one hand, Hashed Out prides itself on being an industry-leading news source. On the other, despite the fact that Hashed Out generally operates with a considerable degree of autonomy, The SSL Store™ is a very close partner with Symantec.
We offer and support all the Symantec family of brands, we are a seasoned upper-echelon platinum partner and have held a seat on Symantec’s Partner Advisory Council for a number of years. We’ve even purchased furniture together—you could say it’s a serious relationship.
Still, in the interest of maintaining objectivity and addressing some of the questions and feedback that we are fielding from our customers, clients, resellers and the community, we feel that we need to discuss this proposal.
Let’s Start With the Proposal to Remove Trust in Existing Symantec SSL Certificates
For anyone who is not aware, on March 23rd, Ryan Sleevi, a Google Software Engineer, published a proposal that would gradually deprecate and remove trust in existing Symantec SSL certificates. The action proposed is:
- A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances [sic] that may arise.
- An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
- Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.
To clarify, this refers to all SSL certificates from the Symantec family of brands (GeoTrust, Thawte, RapidSSL and of course the Symantec brand).
Now, the way we got here is complicated. It starts with Andrew Ayer, an independent researcher, posting about a handful of certificates that appeared to be mis-issued by Symantec. As all the parties involved (Symantec, Google, Mozilla, etc.) started looking into the issue, an investigation revealed that there were some problems with Registration Authorities (RAs) that Symantec had partnered with. These RAs had a special partnership with Symantec where they were to handle certificate validation in certain overseas regions where they were more experienced in the language and the way business is done.
However, Google claims that Symantec failed to comply with industry standards and could not provide audits showing the necessary documentation. Because these companies issued certificates in Symantec’s name (and from its root certificates), Google suggests that Symantec was culpable for their failures.
Google seems to have taken issue with the fact that Symantec was unaware of these problems with its partners, and thinks that Symantec neglected to oversee their actions. This event, in combination with a similar compliance issue back in late 2015, has raised a few concerns for Google.
And that ultimately led to the proposal by Sleevi to deprecate and remove trust from Symantec.
One last thing: for the sake of this discussion, I am referring specifically to Google because it is the only browser vendor that has as yet made a formal proposal. It’s also the most publicly visible. Mozilla is also discussing punitive action. Apple and Microsoft, though considerably less public in their deliberations, typically fall in line with Google and Mozilla.
What Does This Mean?
As it currently stands, if this proposal is accepted, Symantec’s customers are going to be the ones that feel the brunt of the pain. This is going to be extremely disruptive on a lot of fronts, though Google has been very clear and concise about which party deserves the blame for that—and it’s not Google.
For Symantec customers, any existing SSL certificate that isn’t already set to expire in the next few months is going to need to be re-issued and re-installed. Additionally, if you paid for a validity period greater than nine months (which would apply to everyone), you may be out whatever money you paid for months ten and beyond. We envision Symantec will be able to remedy this during the renewal process.
And finally, if a Symantec customer invested in premium Extended Validation SSL, they would be completely out of luck: Google’s proposed punishment is that Symantec will be without EV privileges for at least a year. So, you would either be stuck with a very expensive DV certificate (because that’s essentially what the browsers will view it as) or you’re simply going to have to find a new Certificate Authority, go through the entire extended validation process once again, and waste more money and more time.
Now, Symantec has already rightfully stated that it will take the necessary measures to keep its customers from being negatively affected, but there’s only so much it can do that would be within its own control. While it can (and likely will) easily honor the original validity period that customers purchased by offering free renewals through the originally expected expiration date, it cannot replace the lost EV certificates – and perhaps just as importantly to the customer, the green address bar – nor can it save its customers the time and hassle that would be involved with re-installing all of these newly re-issued certificates.
Even in the most generous of potential outcomes, a good portion of Symantec’s customer base would be impacted through no fault of its own.
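What the re-issue scenario above means in practice is an inventory problem: which of my deployed certificates chain to one of the affected brands, how long were they issued for, and when do they expire? The following Go program is an added example written for this post, not code from The SSL Store, Symantec or Google. It parses a PEM bundle, flags certificates whose issuer Organization names one of the brands the post lists (Symantec, GeoTrust, Thawte, RapidSSL), compares the validity period against the proposed nine-month cap, and reports days until expiry. Matching on the issuer Organization string, the 274-day approximation of nine months, and the self-signed sample certificates it generates are all assumptions made for the example; a production inventory would match on the issuing chain rather than a name substring.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Brand names the post says are covered by the proposal. Matching on the
// issuer Organization field is a simplification made for this example.
var symantecBrands = []string{"symantec", "geotrust", "thawte", "rapidssl"}

// The proposal caps new Symantec-issued certificates at nine months;
// 274 days is this example's approximation of that ceiling (assumption).
const nineMonths = 274 * 24 * time.Hour

// Finding summarises what an operator needs to know about one certificate.
type Finding struct {
	Subject         string
	Issuer          string
	SymantecFamily  bool // issued under one of the affected brands
	ValidityDays    int  // NotAfter minus NotBefore, in whole days
	ExceedsNineMo   bool // validity longer than the proposed cap
	DaysUntilExpiry int  // negative if already expired at "now"
	Replace         bool // affected brand and still valid at "now"
}

// Assess classifies a single parsed certificate relative to "now".
func Assess(c *x509.Certificate, now time.Time) Finding {
	issuer := strings.Join(c.Issuer.Organization, " ")
	family := false
	for _, b := range symantecBrands {
		if strings.Contains(strings.ToLower(issuer), b) {
			family = true
			break
		}
	}
	validity := c.NotAfter.Sub(c.NotBefore)
	untilExpiry := c.NotAfter.Sub(now)
	return Finding{
		Subject:         c.Subject.CommonName,
		Issuer:          issuer,
		SymantecFamily:  family,
		ValidityDays:    int(validity.Hours() / 24),
		ExceedsNineMo:   validity > nineMonths,
		DaysUntilExpiry: int(untilExpiry.Hours() / 24),
		Replace:         family && untilExpiry > 0,
	}
}

// AssessPEM walks every CERTIFICATE block in a PEM bundle (for example a
// chain file taken from a web server config) and assesses each one.
func AssessPEM(bundle []byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, Assess(c, now))
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found")
	}
	return out, nil
}

// makeTestCert builds a constructed, self-signed certificate whose issuer
// Organization is set to org so the example runs offline. It is a sample
// for this example, not a real Symantec-issued certificate.
func makeTestCert(cn, org string, notBefore time.Time, days int) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2017, 3, 27, 0, 0, 0, 0, time.UTC) // around the proposal date
	bundle := append(
		makeTestCert("shop.example.test", "Symantec Corporation", now.AddDate(0, -6, 0), 730),
		makeTestCert("blog.example.test", "Example Unaffected CA", now.AddDate(0, -1, 0), 180)...)
	findings, err := AssessPEM(bundle, now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s issuer=%q family=%t validity=%dd over9mo=%t expires_in=%dd replace=%t\n",
			f.Subject, f.Issuer, f.SymantecFamily, f.ValidityDays, f.ExceedsNineMo, f.DaysUntilExpiry, f.Replace)
	}
}
```

Pointing `AssessPEM` at the bundles your servers actually serve gives the list the post is talking about: the `Replace` column is the set of certificates that would need re-issuing under the proposal, and `ExceedsNineMo` shows how much prepaid validity is at stake.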
Why This is Bad for the Industry
Let’s start this portion of the discussion by acknowledging something that seems to hang over a lot of SSL-related debates that we frequently run into while actively participating in community discussions. There is an entire industry that has popped up around SSL/TLS. There are for-profit CAs, resellers, sub-resellers and a number of other parties that contribute to what has become a billion-dollar global industry.
A lot of folks seem to have a problem with that; there is a subset of people involved in this discussion that doesn’t believe there should be a financial gatekeeper to encryption. As a result of that position, any business-minded input is typically viewed negatively—almost as if it has no place in the conversation.
That is a very myopic perspective. Perhaps, in an ideal world where we knew what the internet was to become, things would have evolved differently. In an ideal world, the developers and engineers that so bemoan the monetization of encryption-related products would have designed the internet to be secure in the first place, thus eliminating any potential for an industry to pop up around a technology like SSL.
Frankly, we can all probably agree that may be a better alternative. But those ideals exist only in the imaginations of the passionate individuals that advocate for them. The reality of the situation is that the internet was not designed securely and by virtue of that there is a commercial SSL industry.
And while that may seem like an abstraction to some – those that don’t deal directly with customers and end users – it doesn’t change that it’s the reality. All I am trying to say is that a software engineer at Google is certainly going to have a far different perspective on our industry than, let’s say, one of our own account managers who deals hands-on with a diverse set of client types and their direct real-life feedback on a daily basis.
Neither is wrong, just very different.
My point is this: real people who have used this extremely popular commercial CA have their businesses, websites and financial livelihoods at stake here.
And no, I’m not talking about the people at Symantec, which is a multi-billion dollar business operation that could literally leave the SSL industry entirely and still stay solvent. I’m talking about the countless others involved directly and indirectly in the SSL industry at any level who are going to really feel the pain.
I’m talking about the IT services providers who are potentially going to have to drop everything and tend to thousands of support inquiries or rework deep integrations. The small business owner who bought a premium security solution and will never hear a peep about Symantec’s hardships, who just took a loss and has to scramble to find a replacement. The large enterprises where it takes six months for any new SSL to be fully adopted into their environment. The site owners that are going to have to figure out how to navigate something they know nothing about yet again. Heck, if we’re being funny, even dear old Aunt Edna, who was told to look for the EV indicator in the URL when accessing her bank account online to reduce her phishing risk, is now back to stuffing wads of dollar bills and piles of loose change inside her mattress because she’s now skeptical about online banking again.
All kidding aside though, I’m talking about potential dis-trust towards websites that should absolutely still be trusted to the fullest extent.
While this may not necessarily put most companies and organizations out of business, this proposal will undoubtedly result in the loss of money and other precious resources, in addition to having a butterfly effect down to the average web user. Businesses don’t like losing money. They also don’t like wasting resources like time and man hours on projects that they have already properly addressed.
Which leads to the more salient point: this move could potentially damage the public’s faith in SSL and encryption at a very inopportune time. It’s no secret that the browsers are moving rapidly to mandate encryption. Funnily enough, it began with the Google Chrome team itself back in 2014 when it announced that SSL is now a ranking signal in its algorithm. Recently, the shift to “secure”/“not secure” visual indicators is the most overt move yet in terms of pushing sites toward end-to-end encryption.
As a result, for many individual website owners, as well as an unfortunate number of businesses and organizations, this may be their first experience with SSL/TLS encryption. Symantec has historically enjoyed a reputation as one of the premier Certificate Authorities in the world. You can’t fault someone for choosing a Symantec product, especially considering that the majority of these customers aren’t keeping up with the CA/Browser Forum or following Google and Mozilla’s back-and-forth with Symantec.
That means for many people, their first experience with this newly required security solution (for which there is no real alternative) will be a negative one. They will have paid top dollar to purchase from a reputable brand and then that product will not only fail to deliver on their expectations, it may even end up causing them to lose money.
And keep in mind, these aren’t software engineers and security experts; these are business professionals who probably aren’t going to bother to read long, highly technical descriptions of what happened and why these actions were justified, etc. They’re going to boil it down to its most basic level—as is common in business.
There are three ways they might look at this: first, they will undoubtedly blame Symantec.
Second, they’re going to blame Google. Despite its best effort, Google is not going to come out of this unscathed.
And finally, those negatively affected by this proposal may reassess their opinion of SSL altogether. And we’re probably not going to like the conclusions they reach. Whether it’s starting to believe that SSL is some kind of racket, or it’s an inability to trust the technology moving forward—nothing about what’s being proposed is going to improve attitudes towards SSL.
While to people who are fully informed, this is a very specific debate about validation practices, policies and accountability (which I totally get), to the average person it’s going to look like two mega-corporations, Google and Symantec, fighting about a product and totally screwing over a bunch of innocent people in the process.
Nobody wins in this situation. Everyone loses, it just varies to what degree.
What Needs to Happen
The solution for this issue isn’t simple. On one hand, Symantec certainly needs to tighten some things up. To be fair, Google has given Symantec ample warning and opportunities to become compliant with its standards/expectations, and Symantec apparently has yet to achieve that. Whether or not it’s fair that Google (and the other browsers) impose those requirements on Symantec is frankly irrelevant at this point; Symantec has a responsibility to its customers that should supersede that question.
But Google also needs to be more careful with the power it wields. In many ways, these actions seem less designed to force compliance and more designed to damage the business interests of Symantec. Nine months is an extremely irregular length of time for certificate validity and one could argue that this requirement places Symantec at an obvious competitive disadvantage. Additionally, by removing EV status for a year, Google is essentially cratering Symantec’s entire EV SSL operation. Most of Symantec’s existing EV customers will leave, and its credibility will be forever strained once the program comes back.
Granted, this is really Symantec’s problem—not Google’s. But the optics are terrible all around. And any conspiracy-minded individual doesn’t have to stretch very far to cobble together a narrative.
The two companies need to come together – a feat that shouldn’t be difficult considering their headquarters are located across the street from one another – and discuss a solution that both forces Symantec to address the issues Google has raised head-on, while also minimizing the amount of undue hardship on other, under-represented members of the SSL industry. You know, those who use and depend on it for normal business operation in real life. This is not the time for posturing, or for an unyielding adherence to policy, nor is it the time to debate two contrasting philosophies on SSL—this is the time for pragmatism.
This debate isn’t occurring in a vacuum. There are real consequences and real collateral at stake here—it’s not an exaggeration to say this will affect people’s livelihoods. Maybe Symantec doesn’t deserve the benefit of the doubt from Google, but Symantec’s customers sure do. Now is the time to find a solution that remediates Symantec’s issues while also preventing undue hardship on literally tens of thousands of individuals, companies, and organizations.
Because their voice is ours—and the implications of this proposal are far too wide-reaching for it to be ignored.