{"id":3857,"date":"2017-03-29T12:41:45","date_gmt":"2017-03-29T16:41:45","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=3857"},"modified":"2021-06-11T15:08:44","modified_gmt":"2021-06-11T19:08:44","slug":"remove-trust-in-existing-symantec-ssl-certificates","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/remove-trust-in-existing-symantec-ssl-certificates\/","title":{"rendered":"There Are No Winners in the Google\/Symantec Feud"},"content":{"rendered":"<h2>Symantec Owes its Customers Better, But So Does Google.<\/h2>\n<p>The ongoing feud between Symantec and the browser community, specifically Google, is bad for the entire SSL industry. Its consequences will undoubtedly be felt across the internet, in ways both seen and unseen. And Symantec must step up to the plate and own a portion of the blame for even letting things get to the point where Google can threaten to remove trust in existing Symantec SSL certificates.<\/p>\n<p>Before we get to that though, I want to level with you. We were split Friday about whether or not to discuss this proposal, <a href=\"https:\/\/groups.google.com\/a\/chromium.org\/d\/msg\/blink-dev\/eUAKwjihhBs\/rpxMXjZHCQAJ\" rel=\"nofollow\">made by Google\u2019s Ryan Sleevi<\/a>. On one hand, <em>Hashed Out<\/em>\u00a0prides itself on being an industry leading news source. On the other, despite the fact that <em>Hashed Out<\/em> generally operates with a considerable degree of autonomy, The SSL Store&#x2122; is a very close partner with Symantec.<\/p>\n<p>We offer and support all the Symantec family of brands, we are a seasoned upper-echelon platinum partner and have held a seat on Symantec\u2019s Partner Advisory Council for a number of years. We\u2019ve even purchased furniture together\u2014you could say it\u2019s a serious relationship.<\/p>\n<p>Still, in the interest of maintaining objectivity and addressing some of the questions and feedback that we are fielding from our customers, clients, resellers and the community we feel that we need to discuss this proposal.<\/p>\n<h2>Let\u2019s Start With the Proposal to Remove Trust in Existing Symantec SSL Certificates<\/h2>\n<p>For anyone who is not aware, on March 23rd, Ryan Sleevi, a Google Software Engineer, published a proposal that would gradually deprecate and remove trust in existing Symantec SSL certificates. The action proposed is:<\/p>\n<ul>\n<li>A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances [sic] that may arise.<\/li>\n<li>An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.<\/li>\n<li>Removal of recognition of the Extended Validation status of Symantec issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.<\/li>\n<\/ul>\n<p>To clarify, this refers to all SSL certificates from the Symantec family of brands (GeoTrust, Thawte, <a class=\"wpil_keyword_link \" href=\"https:\/\/www.thesslstore.com\/rapidssl\/rapidssl-certificates.aspx\"  title=\"RapidSSL\" data-wpil-keyword-link=\"linked\">RapidSSL<\/a> and of course the Symantec brand).<\/p>\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n<p>Now, the way we got here is complicated. It starts with Andrew Ayer, an independent researcher, <a href=\"https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/fyJ3EK2YOP8\" rel=\"nofollow\">posting about a handful of certificates that appeared to be mis-issued by Symantec<\/a>. As all the parties involved (Symantec, Google, Mozilla, etc) started looking into the issue, an investigation revealed that there were some problems with <em>Registration Authorities <\/em>(RAs) that Symantec had partnered with. These RAs had a special partnership with Symantec where they were to handle certificate validation in certain overseas regions where they were more experienced in the language and the way business is done.<\/p>\n<p>However, Google claims that Symantec failed to comply with industry standards and could not provide audits showing the necessary documentation. Because these companies issued certificates in Symantec\u2019s name (and from its root certificates), Google suggests that Symantec was culpable for their failures.<\/p>\n<p>Google seems to have taken issue with the fact that Symantec was unaware of these problems with its partners, and thinks that Symantec neglected to oversee their actions. This event, in combination with a <a href=\"https:\/\/www.thesslstore.com\/blog\/symantec-google-working-together-to-solve-mis-issuance-errors\/\">similar compliance issue back in late 2015<\/a>, has raised a few concerns for Google.<\/p>\n<p>And that ultimately led to the proposal by Sleevi to deprecate and remove trust from Symantec.<\/p>\n<p>One last thing, (for the sake of this discussion) I am referring specifically to Google because it is the only browser that has of yet made a formal proposal. It\u2019s also the most publicly visible. Mozilla is also discussing punitive action. Apple and Microsoft, though considerably less public in their deliberations, typically fall in line with Google and Mozilla.<\/p>\n<h2>What Does This Mean?<\/h2>\n<p>As it currently stands, if this proposal is accepted, Symantec\u2019s customers are going to be the ones that feel the brunt of the pain. This is going to be extremely disruptive on a lot of fronts, though Google has been very clear and concise about which party deserves the blame for that\u2014and it&#8217;s not Google.<\/p>\n<p>For Symantec customers, any existing SSL certificate that isn\u2019t already set to expire in the next few months is going to need to be re-issued and re-installed. Additionally, if you paid for a validity period greater than nine months (which would apply to everyone), you may be out whatever money you paid for months ten and beyond. We envision Symantec will be able remedy this during the renewal process.<\/p>\n<p>And finally, they\u2019re saying if a Symantec customer invested in premium Extended Validation SSL, you would be completely out of luck, Google\u2019s punishment is that Symantec will be without EV privileges for at least a year. So, you would either be stuck with a very expensive DV certificate (because that\u2019s essentially what the browsers will view it as) or you\u2019re simply going to have to find a new Certificate Authority and go through the entire extended validation process once again and waste more money and more time.<\/p>\n<p>Now, Symantec has already rightfully stated that it will take the necessary measures to keep its customers from being negatively affected, but there\u2019s only so much it can do that would be within its own control. While it can (and likely will) easily honor the original validity period that customers purchased by offering free renewals through the originally expected expiration date, it cannot replace the lost EV certificates \u2013 and perhaps just as importantly to the customer, the green address bar \u2013 nor can it save its customers the time and hassle that would be involved with re-installing all of these newly re-issued certificates.<\/p>\n<p>Even in the most generous of potential outcomes, a good portion of Symantec\u2019s customer base would be impacted through no fault of its own.<\/p>\n<h2>Why This is Bad for the Industry<\/h2>\n<p>Let\u2019s start this portion of the discussion by acknowledging something that seems to hang over a lot of SSL-related debates that we frequently run into while actively participating in community discussions. There is an entire industry that has popped up around SSL\/TLS. There are for-profit CAs, resellers, sub-resellers and a number of other parties that contribute to what has become a billion-dollar global industry.<\/p>\n<p>A lot of folks seem to have a problem with that, there is a subset of people involved in this discussion that doesn\u2019t believe there should be a financial gatekeeper to encryption. As a result of that position, any business-minded input is typically viewed negatively\u2014almost as if it has no place in the conversation.<\/p>\n<p>That is a very myopic perspective. Perhaps, in an ideal world where we knew what the internet was to become, things would have evolved differently. In an ideal world, the developers and engineers that so bemoan the monetization of encryption-related products would have designed the internet to be secure in the first place, thus eliminating any potential for an industry to pop up around a technology like SSL.<\/p>\n<p>Frankly, we can all probably agree that may be a better alternative. But those ideals exist only in the imaginations of the passionate individuals that advocate for them. The reality of the situation is that the internet was not designed securely and by virtue of that there is a commercial SSL industry.<\/p>\n<p>And while that may seem like an abstraction to some \u2013 those that don\u2019t deal directly with customers and end users \u2013 it doesn\u2019t change that it\u2019s the reality. All I am trying to say is that a software engineer at Google is certainly going to have a far different perspective on our industry than, let\u2019s say, one of our own account managers who deals hands-on with a diverse set of client types and their direct real-life feedback on a daily basis.<\/p>\n<p>Neither are wrong, just very different.<\/p>\n<p>My point is this: real people who have used this extremely popular commercial CA have their businesses, websites and financial livelihoods at stake here.<\/p>\n<p>And no, I\u2019m not talking about the people at Symantec, which is a multi-billion dollar business operation that could literally leave the SSL industry entirely and still stay solvent. I\u2019m talking about the countless others involved directly and indirectly in the SSL industry at any level who are going to really feel the pain.<\/p>\n<p>I\u2019m talking about the IT services providers who are potentially going to have to drop everything and tend to thousands of support inquiries or rework deep integrations. The small business owner who bought a premium security solution and will never hear a peep about Symantec\u2019s hardships, who just took a loss and has to scramble to find a replacement. The large enterprises where it takes six months for any new SSL to be fully adopted into their environment. The site owners that are going to have to figure out how to navigate something they know nothing about yet again. Heck, if we&#8217;re being funny, even dear old Aunt Edna, who was told to look for the EV indicator in the URL when accessing her bank account online to reduce her phishing risk, is now back to stuffing wads of dollar bills and piles of loose change inside her mattress because she&#8217;s now skeptical about online banking again.<\/p>\n<p>All kidding aside though, I\u2019m talking about potential dis-trust towards websites that should absolutely still be trusted to the fullest extent.<\/p>\n<p>While this may not necessarily put most companies and organizations out of business, this proposal will undoubtedly result in the loss of money and other precious resources, in addition to having a butterfly effect down to the average web user. Businesses don\u2019t like losing money. They also don\u2019t like wasting resources like time and man hours on projects that they have already properly addressed.<\/p>\n<p>Which leads to the more salient point, this move could potentially damage the public\u2019s faith in SSL and encryption at a very inopportune time. It\u2019s no secret that the browsers are moving rapidly to mandate encryption. Funny enough, it began with the Google Chrome team itself back in 2014 when it announced that SSL is now a ranking signal in its algorithm. \u00a0Recently, the shift to \u201csecure\u201d\/\u201dnot secure\u201d visual indicators is the most overt move yet in terms of pushing sites toward end-to-end encryption.<\/p>\n<p>As a result, for many individual website owners, as well as an unfortunate number of businesses and organizations, this may be their first experience with SSL\/TLS encryption. Symantec has historically enjoyed a reputation as one of the premier Certificate Authorities in the world. You can\u2019t fault someone for choosing a Symantec product, especially considering that the majority of these customers aren\u2019t keeping up with the CA\/Browser Forum or following Google and Mozilla\u2019s back-and-forth with Symantec.<\/p>\n<p>That means for many people, their first experience with this newly required security solution (for which there is no real alternative) will be a negative one. They will have paid top dollar to purchase from a reputable brand and then that product will not only fail to deliver on their expectations, it may even end up causing them to lose money.<\/p>\n<p>And keep in mind, these aren\u2019t software engineers and security experts, these are business professionals that probably aren\u2019t going to bother to read long, highly technical descriptions of what happened and why these actions were justified, etc. They\u2019re going to boil it down to its most basic level\u2014as is common in business.<\/p>\n<p>There are three ways they might look at this: first, they will undoubtedly blame Symantec.<\/p>\n<p>Second, they\u2019re going to blame Google. Despite its best effort, Google is not going to come out of this unscathed.<\/p>\n<p>And finally, those negatively affected by this proposal may reassess their opinion of SSL altogether. And we\u2019re probably not going to like the conclusions they reach. Whether it\u2019s starting to believe that SSL is some kind of racket, or it\u2019s an inability to trust the technology moving forward\u2014nothing about what\u2019s being proposed is going to improve attitudes towards SSL.<\/p>\n<p>While to people who are fully informed, this is a very specific debate about validation practices, policies and accountability (which I totally get), to the average person it\u2019s going to look like two mega-corporations, Google and Symantec, fighting about a product and totally screwing over a bunch of innocent people in the process.<\/p>\n<p>Nobody wins in this situation. Everyone loses, it just varies to what degree.<\/p>\n<h2>What Needs to Happen<\/h2>\n<p>The solution for this issue isn\u2019t simple. On one hand, Symantec certainly needs to tighten some things up. To be fair, Google has given Symantec ample warning and opportunities to become compliant with its standards\/expectations and Symantec apparently is yet to achieve that. Whether or not it\u2019s fair that Google (and the other browsers) impose those requirements on Symantec is frankly irrelevant at this point, Symantec has a responsibility to its customers that should supersede that question.<\/p>\n<p>But Google also needs to be more careful with the power it wields. In many ways, these actions seem less designed to force compliance and more designed to damage the business interests of Symantec. Nine months is an extremely irregular length of time for certificate validity and one could argue that this requirement places Symantec at an obvious competitive disadvantage. Additionally, by removing EV status for a year, Google is essentially cratering Symantec\u2019s entire EV SSL operation. Most of Symantec\u2019s existing EV customers will leave, and its credibility will be forever strained once the program comes back.<\/p>\n<p>Granted, this is really Symantec\u2019s problem\u2014not Google\u2019s. But the optics are terrible all around. And any conspiracy-minded individual doesn\u2019t have to stretch very far to cobble together a narrative.<\/p>\n<p>The two companies need to come together \u2013 a feat that shouldn\u2019t be difficult considering their headquarters are located across the street from one another \u2013 and discuss a solution that both forces Symantec to address the issues Google has raised head-on, while also minimizing the amount of undue hardship on other, under-represented members of the SSL industry. You know, those who use and depend on it for normal business operation in real life. This is not the time for posturing, or for an unyielding adherence to policy, nor is it the time debate two contrasting philosophies on SSL\u2014this is the time for pragmatism.<\/p>\n<p>This debate isn\u2019t occurring in a vacuum. There are real consequences and real collateral at stake here\u2014it\u2019s not an exaggeration to say this will affect peoples\u2019 livelihood. Maybe Symantec doesn\u2019t deserve the benefit of the doubt from Google, but Symantec\u2019s customers sure do. Now is the time to find a solution that remediates Symantec\u2019s issues while also preventing undue hardship on literally tens of thousands of individuals, companies, and organizations.<\/p>\n<p>Because their voice is ours\u2014and the implications of this proposal are far too wide-reaching for it to be ignored.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Symantec Owes its Customers Better, But So Does Google. The ongoing feud between Symantec and the browser community, specifically Google, is bad for the entire SSL industry. Its consequences will&#8230;<\/p>\n","protected":false},"author":6,"featured_media":3861,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[583,366,131,582,467,139],"class_list":["post-3857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-certificate-validity","tag-ev-ssl","tag-google","tag-ryan-sleevi","tag-ssltls","tag-symantec","post-with-tags"],"views":25376,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/03\/gettyimages-103633957.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=3857"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3857\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/3861"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=3857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=3857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=3857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}