There Are No Winners in the Google/Symantec Feud

Symantec Owes its Customers Better, But So Does Google.

The ongoing feud between Symantec and the browser community, specifically Google, is bad for the entire SSL industry. Its consequences will undoubtedly be felt across the internet, in ways both seen and unseen. And Symantec must step up to the plate and own a portion of the blame for even letting things get to the point where Google can threaten to remove trust in existing Symantec SSL certificates.

Before we get to that though, I want to level with you. We were split Friday about whether or not to discuss this proposal, made by Google’s Ryan Sleevi. On one hand, Hashed Out prides itself on being an industry leading news source. On the other, despite the fact that Hashed Out generally operates with a considerable degree of autonomy, The SSL Store™ is a very close partner with Symantec.

We offer and support all the Symantec family of brands, we are a seasoned upper-echelon platinum partner and have held a seat on Symantec’s Partner Advisory Council for a number of years. We’ve even purchased furniture together—you could say it’s a serious relationship.

Still, in the interest of maintaining objectivity and addressing some of the questions and feedback that we are fielding from our customers, clients, resellers and the community we feel that we need to discuss this proposal.

Let’s Start With the Proposal to Remove Trust in Existing Symantec SSL Certificates

For anyone who is not aware, on March 23rd, Ryan Sleevi, a Google Software Engineer, published a proposal that would gradually deprecate and remove trust in existing Symantec SSL certificates. The action proposed is:

  • A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances [sic] that may arise.
  • An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
  • Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.

To clarify, this refers to all SSL certificates from the Symantec family of brands (GeoTrust, Thawte, RapidSSL and of course the Symantec brand).
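As an added illustration (not part of the original article or of Google's proposal), the following Go program turns the first two points above into an inventory check a site operator could run over their own certificates: does the issuer belong to one of the Symantec family brands just listed, and is the validity period longer than nine months. The substring matching on the issuer's organization name, the 270-day approximation of nine months, and the self-signed test certificates are assumptions made for this example; EV status is not examined.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Issuer O= names of the Symantec family of brands named in the post, matched case-insensitively.
var symantecBrands = []string{"symantec", "geotrust", "thawte", "rapidssl"}

// The proposal's nine-month cap on new Symantec validity; 270 days is an assumed approximation.
const maxValidity = 270 * 24 * time.Hour

// Finding records why a certificate would fall under the proposal (EV status is not examined).
type Finding struct {
	SymantecIssued    bool
	ExceedsNineMonths bool
	ValidityDays      int
}

// assess checks one leaf certificate for a Symantec-family issuer and a validity over nine months.
func assess(cert *x509.Certificate) Finding {
	validity := cert.NotAfter.Sub(cert.NotBefore)
	f := Finding{ValidityDays: int(validity.Hours() / 24), ExceedsNineMonths: validity > maxValidity}
	for _, org := range cert.Issuer.Organization {
		for _, brand := range symantecBrands {
			if strings.Contains(strings.ToLower(org), brand) {
				f.SymantecIssued = true
			}
		}
	}
	return f
}

// needsReplacement is true when both criteria hold, i.e. the certificate would have to be re-issued.
func needsReplacement(f Finding) bool { return f.SymantecIssued && f.ExceedsNineMonths }

// makeTestCert builds a self-signed certificate whose Issuer O= field is issuerOrg, so the
// check runs offline against constructed data rather than a real Symantec certificate.
func makeTestCert(issuerOrg string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2017, 3, 24, 0, 0, 0, 0, time.UTC) // constructed issuance date
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Self-signed, so the Subject is also the Issuer that assess() inspects.
		Subject:   pkix.Name{CommonName: "www.example.com", Organization: []string{issuerOrg}},
		NotBefore: notBefore,
		NotAfter:  notBefore.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	leaf, err := makeTestCert("GeoTrust Inc.", 365*24*time.Hour) // constructed one-year certificate
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v needsReplacement=%v\n", assess(leaf), needsReplacement(assess(leaf)))
}
```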

Now, the way we got here is complicated. It starts with Andrew Ayer, an independent researcher, posting about a handful of certificates that appeared to be mis-issued by Symantec. As all the parties involved (Symantec, Google, Mozilla, etc.) started looking into the issue, an investigation revealed that there were some problems with Registration Authorities (RAs) that Symantec had partnered with. These RAs had a special partnership with Symantec under which they handled certificate validation in certain overseas regions, where they had more experience with the local language and the way business is done.

However, Google claims that Symantec failed to comply with industry standards and could not provide audits showing the necessary documentation. Because these companies issued certificates in Symantec’s name (and from its root certificates), Google suggests that Symantec was culpable for their failures.

Google seems to have taken issue with the fact that Symantec was unaware of these problems with its partners, and thinks that Symantec neglected to oversee their actions. This event, in combination with a similar compliance issue back in late 2015, has raised a few concerns for Google.

And that ultimately led to the proposal by Sleevi to deprecate and remove trust from Symantec.

One last thing: for the sake of this discussion, I am referring specifically to Google because it is the only browser vendor that has as yet made a formal proposal. It’s also the most publicly visible. Mozilla is also discussing punitive action. Apple and Microsoft, though considerably less public in their deliberations, typically fall in line with Google and Mozilla.

What Does This Mean?

As it currently stands, if this proposal is accepted, Symantec’s customers are going to be the ones that feel the brunt of the pain. This is going to be extremely disruptive on a lot of fronts, though Google has been very clear and concise about which party deserves the blame for that—and it’s not Google.

For Symantec customers, any existing SSL certificate that isn’t already set to expire in the next few months is going to need to be re-issued and re-installed. Additionally, if you paid for a validity period greater than nine months (which would apply to everyone), you may be out whatever money you paid for months ten and beyond. We envision Symantec will be able to remedy this during the renewal process.

And finally, they’re saying that if a Symantec customer invested in premium Extended Validation SSL, you would be completely out of luck: Google’s punishment is that Symantec will be without EV privileges for at least a year. So, you would either be stuck with a very expensive DV certificate (because that’s essentially what the browsers will view it as) or you’re simply going to have to find a new Certificate Authority and go through the entire extended validation process once again, wasting more money and more time.

Now, Symantec has already rightfully stated that it will take the necessary measures to keep its customers from being negatively affected, but there’s only so much it can do that is within its own control. While it can (and likely will) easily honor the original validity period that customers purchased by offering free renewals through the originally expected expiration date, it cannot replace the lost EV certificates – and, perhaps just as importantly to the customer, the green address bar – nor can it save its customers the time and hassle of re-installing all of these newly re-issued certificates.

Even in the most generous of potential outcomes, a good portion of Symantec’s customer base would be impacted through no fault of its own.

Why This is Bad for the Industry

Let’s start this portion of the discussion by acknowledging something that hangs over a lot of the SSL-related debates we run into while actively participating in community discussions. There is an entire industry that has popped up around SSL/TLS. There are for-profit CAs, resellers, sub-resellers and a number of other parties that contribute to what has become a billion-dollar global industry.

A lot of folks seem to have a problem with that: there is a subset of people involved in this discussion who don’t believe there should be a financial gatekeeper to encryption. As a result of that position, any business-minded input is typically viewed negatively—almost as if it has no place in the conversation.

That is a very myopic perspective. Perhaps, in an ideal world where we knew what the internet was to become, things would have evolved differently. In an ideal world, the developers and engineers that so bemoan the monetization of encryption-related products would have designed the internet to be secure in the first place, thus eliminating any potential for an industry to pop up around a technology like SSL.

Frankly, we can all probably agree that may be a better alternative. But those ideals exist only in the imaginations of the passionate individuals that advocate for them. The reality of the situation is that the internet was not designed securely and by virtue of that there is a commercial SSL industry.

And while that may seem like an abstraction to some – those that don’t deal directly with customers and end users – it doesn’t change that it’s the reality. All I am trying to say is that a software engineer at Google is certainly going to have a far different perspective on our industry than, let’s say, one of our own account managers who deals hands-on with a diverse set of client types and their direct real-life feedback on a daily basis.

Neither is wrong, they are just very different.

My point is this: real people who have used this extremely popular commercial CA have their businesses, websites and financial livelihoods at stake here.

And no, I’m not talking about the people at Symantec, which is a multi-billion dollar business operation that could literally leave the SSL industry entirely and still stay solvent. I’m talking about the countless others involved directly and indirectly in the SSL industry at any level who are going to really feel the pain.

I’m talking about the IT services providers who are potentially going to have to drop everything and tend to thousands of support inquiries or rework deep integrations. The small business owner who bought a premium security solution and will never hear a peep about Symantec’s hardships, who just took a loss and has to scramble to find a replacement. The large enterprises where it takes six months for any new SSL to be fully adopted into their environment. The site owners that are going to have to figure out how to navigate something they know nothing about yet again. Heck, if we’re being funny, even dear old Aunt Edna, who was told to look for the EV indicator in the URL when accessing her bank account online to reduce her phishing risk, is now back to stuffing wads of dollar bills and piles of loose change inside her mattress because she’s now skeptical about online banking again.

All kidding aside though, I’m talking about potential distrust towards websites that should absolutely still be trusted to the fullest extent.

While this may not necessarily put most companies and organizations out of business, this proposal will undoubtedly result in the loss of money and other precious resources, in addition to having a butterfly effect down to the average web user. Businesses don’t like losing money. They also don’t like wasting resources like time and man-hours on projects that they have already properly addressed.

Which leads to the more salient point: this move could potentially damage the public’s faith in SSL and encryption at a very inopportune time. It’s no secret that the browsers are moving rapidly to mandate encryption. Funny enough, it began with the Google Chrome team itself back in 2014 when it announced that SSL is now a ranking signal in its algorithm. Recently, the shift to “secure”/“not secure” visual indicators is the most overt move yet in terms of pushing sites toward end-to-end encryption.

As a result, for many individual website owners, as well as an unfortunate number of businesses and organizations, this may be their first experience with SSL/TLS encryption. Symantec has historically enjoyed a reputation as one of the premier Certificate Authorities in the world. You can’t fault someone for choosing a Symantec product, especially considering that the majority of these customers aren’t keeping up with the CA/Browser Forum or following Google and Mozilla’s back-and-forth with Symantec.

That means for many people, their first experience with this newly required security solution (for which there is no real alternative) will be a negative one. They will have paid top dollar to purchase from a reputable brand and then that product will not only fail to deliver on their expectations, it may even end up causing them to lose money.

And keep in mind, these aren’t software engineers and security experts, these are business professionals that probably aren’t going to bother to read long, highly technical descriptions of what happened and why these actions were justified, etc. They’re going to boil it down to its most basic level—as is common in business.

There are three ways they might look at this: first, they will undoubtedly blame Symantec.

Second, they’re going to blame Google. Despite its best effort, Google is not going to come out of this unscathed.

And finally, those negatively affected by this proposal may reassess their opinion of SSL altogether. And we’re probably not going to like the conclusions they reach. Whether it’s starting to believe that SSL is some kind of racket, or it’s an inability to trust the technology moving forward—nothing about what’s being proposed is going to improve attitudes towards SSL.

While to people who are fully informed, this is a very specific debate about validation practices, policies and accountability (which I totally get), to the average person it’s going to look like two mega-corporations, Google and Symantec, fighting about a product and totally screwing over a bunch of innocent people in the process.

Nobody wins in this situation. Everyone loses, it just varies to what degree.

What Needs to Happen

The solution for this issue isn’t simple. On one hand, Symantec certainly needs to tighten some things up. To be fair, Google has given Symantec ample warning and opportunities to become compliant with its standards/expectations, and Symantec apparently has yet to achieve that. Whether or not it’s fair that Google (and the other browsers) impose those requirements on Symantec is frankly irrelevant at this point; Symantec has a responsibility to its customers that should supersede that question.

But Google also needs to be more careful with the power it wields. In many ways, these actions seem less designed to force compliance and more designed to damage the business interests of Symantec. Nine months is an extremely irregular length of time for certificate validity and one could argue that this requirement places Symantec at an obvious competitive disadvantage. Additionally, by removing EV status for a year, Google is essentially cratering Symantec’s entire EV SSL operation. Most of Symantec’s existing EV customers will leave, and its credibility will be forever strained once the program comes back.

Granted, this is really Symantec’s problem—not Google’s. But the optics are terrible all around. And any conspiracy-minded individual doesn’t have to stretch very far to cobble together a narrative.

The two companies need to come together – a feat that shouldn’t be difficult considering their headquarters are located across the street from one another – and discuss a solution that both forces Symantec to address the issues Google has raised head-on, while also minimizing the amount of undue hardship on other, under-represented members of the SSL industry. You know, those who use and depend on it for normal business operation in real life. This is not the time for posturing, or for an unyielding adherence to policy, nor is it the time to debate two contrasting philosophies on SSL—this is the time for pragmatism.

This debate isn’t occurring in a vacuum. There are real consequences and real collateral at stake here—it’s not an exaggeration to say this will affect people’s livelihoods. Maybe Symantec doesn’t deserve the benefit of the doubt from Google, but Symantec’s customers sure do. Now is the time to find a solution that remediates Symantec’s issues while also preventing undue hardship on literally tens of thousands of individuals, companies, and organizations.

Because their voice is ours—and the implications of this proposal are far too wide-reaching for it to be ignored.

13 comments
  • Much better the negligible risk that people mistrust a real site that, given nine months’ notice, cannot update their certificate, than destroy all trust in the industry when people get tricked into trusting a fake one due to mis-issued certificates.

  • I feel sorry for companies like yours which are going to be hit hard. And customers from Symantec (most of the Internet) as well. Personally, we also have EVs from Symantec, and we also resell certificates so of course this is going to affect us. But in the end, this could be for the better.

    The only thing a CA should do is provide trust. And Symantec failed here. Not only once, but hundreds or thousands of times if we agree with Google’s statement. Even if we go with Symantec’s statement, hundreds of falsely issued certificates can’t be considered an innocent mistake. There were malicious intentions on the part of Symantec or their employees, and I didn’t hear Symantec pressing charges either. The opposite: they said they were outstanding employees that committed some mistakes.

    Some mistakes? A few hundred or thousands. Google has very clear motives to do what they are doing. They didn’t say it in public, but basically, they are accusing Symantec of not being trustworthy and of probably being in bed with some government agency to tap into companies’ encrypted connections. There is no other explanation.

    Don’t forget that one of the wrongly issued certs was for Google.com itself. The errors were not innocent mistakes. They were to tap into big tech companies, and while Symantec claimed they were not, out in public you must trust their word on that, and confidence is the last thing they currently have.

    If you can’t trust the CA, you can’t trust their certs, and if you can’t trust the cert keys, all your connection and encryption is fundamentally compromised. This is in no way the end of the world. There are plenty of other companies offering certificates, some are trustworthy, and they will be happy to take Symantec customers. Putting all your eggs in one basket is a mistake on your part. You should be expanding your offerings to include more CA vendors and problem solved. Then create a proper transfer or migration program for current customers.

    Convert this into a business opportunity. You will probably lose your super Symantec partnership deal but you can make money by helping and assisting customers to migrate their certs to another CA. Strike an even better deal with them. Symantec is the only one to blame and what Google is asking is fair. They want Symantec to make public and log every single cert issued as they don’t trust them anymore. And to be honest, neither should anyone else at this point.

  • Patrick, thank you for this great article, and Netz0’s comment is interesting too. No doubt Symantec failed and they have to react with a strong proposal to keep their customers’ and partners’ trust (my company is also a Symantec partner).

    But there’s one remaining concern I have, which is what will be the next step from Google: what is their plan for the entire industry?

    Creating distrust with the first CA will have consequences on the entire SSL industry as you mentioned. Google has wished to delete the EV status for a while now (not only Symantec), shorten the certificate duration (ref. the last ballot at the CAB Forum) and strongly supports Let’s Encrypt. All in all this means they see SSL as encryption only and they don’t consider the authentication side as a critical element, while pushing Google Safe Browsing as the reference tool to guarantee a website’s content. On top of that, Google and LE clearly mention that CAs are not responsible for phishing prevention.

    All in all, I am not sure what will be the outcome of this story, but I am concerned with the “secure” word in the address bar not meaning secure at all, and Google is playing a dangerous game here in also creating distrust for internet users.

  • Let’s be honest. This isn’t the first time Google has done this, despite what it seems. They and Mozilla have already nailed StartSSL for certificate problems. If Mozilla, Microsoft, and Apple follow suit, then I think you can determine that Symantec is mostly to blame – especially if they’ve been warned about this months in advance. My only issue with all of this is the weirdness of requiring sites to have SSL for Google’s ranking algorithm. Most sites don’t have ANY use for SSL, at least for the front end. Does it matter if reading a blog about bubble gum is encrypted?

  • I agree with Christophe. Definitely Symantec has made a terrible mistake. It is simply not possible for one to make the same mistake hundreds or thousands of times. And it is going to affect the entire industry. I have also seen so many phishing sites using Let’s Encrypt SSL, and Google is strongly supporting Let’s Encrypt, so Google should punish Let’s Encrypt too for not maintaining their trust level. There are some serious issues with the Chrome browser too. According to Wordfence research, it is even showing revoked SSL as secure. So no one is fair in this game.

  • Google was already implicated in the Snowden documents to be aiding government entities by providing tunnels to their data from behind their firewalls. Now, they push for LetsEncrypt to become the de facto standard too. Interestingly, LetsEncrypt’s parent company (and trust anchor) should be carefully looked at in regards to their work and efforts with the Federal Bridge and associated CA architectures. Were they contractually required to disclose root private keys to be considered for that program? Now they are the trust anchor for the free SSL option that Google is pushing too. It’s all too convenient to see the trust anchors slowly being eroded from the internet and “trust” being placed on a single, possibly compromised, entity.

    • There is also the possibility that Google, or some individuals in Google, not suspect but KNOW there are Symantec certificates used for eavesdropping but are not allowed to talk about it. You may not trust Google but consider this: which company has a bigger chance against government requests, a big or a small one?

  • It’s simple. As the internet has progressed, the SSL/TLS handshake has been deemed by any tech-savvy person as something that should be slowly de-monetized. It’s cruel marketing to make computer-illiterate people spend hundreds/thousands of dollars on Symantec family certificates when all they need is a domain validated certificate like Let’s Encrypt or a Comodo $3 Positive–let’s be honest–no one looks at site seals. As we progress forward the green padlock does not mean you can trust a website or its databases, frontend, UI, or its back-end. HTTPS is not a SOLUTION to “hey my website is safe and secure now.” Website security should be dealt with to the highest degree, more than a certificate, otherwise hacks will keep on happening. SSL will be automated in the near future and there will be other tools web devs and owners use to gauge website security. There will always be CAs but they will be like LetsEncrypt or LetsHashitUP CAs with great web tools that offer 9 month auto-renewing certs and great dev tools along with a community where people contribute to making SSL pain-free. The internet is going in that direction whether you guys like it or not. I hope you guys can re-position yourselves and continue to offer great customer service to the next big website security product.

  • On the contrary, the people who win (browser users) are far greater in number than the people who lose (the SSL cert industry and the relatively few sysadmins that have to add the task of purchasing and switching to a new cert to their task list). The entire system is built on trust. If browser vendors can’t trust that a CA is running its business properly, the CA shouldn’t be in business. It’s that simple. If a CA doesn’t think there should be consequences for exposing their customers to risks, then they clearly don’t exist for the purpose of increasing security on the web and should be regarded as a racket.

  • Wait! I’m a non-tech researching how to make my website secure and there are people on here talking about the U.S. government using SSL technology to spy secretly on companies??!! And Trump is the president and has a lot of incentive to spy on other companies. WHAT THE HELL!! Please explain more!

  • Q: Which company has a bigger chance against government requests, a big or a small one?
    A: The one that cares, i.e. the not-for-profit one, the small one. Due to the Patriot Act, probably all U.S. companies are under pressure to provide backdoors for the government. I provide websites to human rights groups, police brutality groups, freedom of speech groups and other nonprofits who regularly sue the U.S. government. SSL cert from a non-U.S., trustworthy cert?

Author

Patrick Nohe

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald. He also serves as Content Manager for The SSL Store™.