
INTERVIEW: What Google’s decision to distrust Symantec certificates means

21 Feb 2018

Last year Chrome announced a formal plan to remove trust from Symantec-issued certificates.

This came after researchers affiliated with Google determined that Symantec and its affiliated Certificate Authorities (CAs) had ‘mis-issued’ thousands of transport layer security (TLS) certificates.

Venafi product manager for cloud products Walter Goulet says this is only the beginning of a growing tension between browsers and CAs.

“Concern about certificate issuance practices from browser companies is not a new phenomenon,” says Goulet.

“However, these concerns are now driving action from browser companies and this will combine with other industry changes in 2018. As a result, it’s very likely that the tension between CAs and browsers will continue to escalate, which will increase the pressure on business models in the CA industry.”

In terms of the immediate implications of Google Chrome’s decision, Goulet says websites that are currently operating with Symantec certificates need to take action now.

“Google and DigiCert/Symantec have been providing guidance on transition plans to help customers avoid being impacted due to the Symantec distrust event. However, website operators that don’t take action will find unexpected browser warnings preventing their customers from accessing their services,” Goulet says.

“Website operators need to immediately consider how they will replace their certificates and follow the guidance that has been provided by DigiCert after they acquired the Symantec business. Website operators should take this opportunity to investigate their processes and toolsets used to manage certificates and invest in automation and shorter lifetime certificates to reduce impact from possible future CA distrust events.”
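The inventory review Goulet recommends can be scripted. The following is an added example (not from the article, Venafi or DigiCert) that triages a constructed certificate-inventory export against an assumed browser distrust date: the issuer names, hostnames, dates and the 365-day lifetime threshold are all illustrative assumptions.

```python
"""Triage a certificate inventory for a CA distrust event.

Added example (not from the article or Venafi). Reads a constructed CSV
export of the kind a certificate-management tool produces and decides,
per certificate, what action is needed and by when. The issuer names,
hostnames, dates and lifetime threshold are assumptions for illustration.
"""
import csv
import io
from datetime import date

# Constructed inventory; column names are an assumed export format.
INVENTORY_CSV = """hostname,issuer_org,not_before,not_after
shop.example.test,Example Distrusted CA Inc,2017-03-01,2019-03-01
api.example.test,Example Distrusted CA Inc,2018-01-15,2018-06-30
www.example.test,Other Trusted CA Ltd,2017-11-01,2020-11-01
mail.example.test,Other Trusted CA Ltd,2018-02-01,2018-05-01
"""

# Assumed distrust schedule: after this date browsers reject the issuer.
DISTRUST_DATE = date(2018, 10, 1)
DISTRUSTED_ISSUERS = {"Example Distrusted CA Inc"}
# Assumed policy threshold for what counts as a "shorter lifetime" cert.
MAX_LIFETIME_DAYS = 365
# Lower number = handle first.
PRIORITY = {"replace": 0, "renew_with_other_ca": 1, "renew": 2}


def triage(csv_text, today_iso, distrust_date=DISTRUST_DATE,
           distrusted=DISTRUSTED_ISSUERS, max_lifetime=MAX_LIFETIME_DAYS):
    """Return one finding per certificate, most urgent first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        not_before = date.fromisoformat(row["not_before"])
        not_after = date.fromisoformat(row["not_after"])
        if row["issuer_org"] in distrusted and not_after > distrust_date:
            # Still valid when the cut-off arrives: browsers will warn.
            action, deadline = "replace", distrust_date
        elif row["issuer_org"] in distrusted:
            # Expires before the cut-off, but must not be renewed at the same CA.
            action, deadline = "renew_with_other_ca", not_after
        else:
            action, deadline = "renew", not_after
        findings.append({
            "hostname": row["hostname"],
            "action": action,
            "days_left": (deadline - today).days,
            "long_lived": (not_after - not_before).days > max_lifetime,
        })
    findings.sort(key=lambda f: (PRIORITY[f["action"]], f["days_left"]))
    return findings
```

Certificates flagged `long_lived` are the ones where moving to shorter lifetimes would have limited the blast radius of a distrust event.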

Goulet says Google Chrome’s ban of Symantec certificates highlights just how much power browser makers have over certificate authorities – in this case, Google has flexed its power to demand that hundreds of thousands of Symantec certificates around the world be replaced before October.

“In the face of this sort of threat, CAs need to evolve their business models to future-proof their industry and Google’s action definitely sends a message to CAs that they need to support rapid response to incidents reported to them, much greater automation and better support for short lived certificates,” Goulet says.

“With trends like DevOps and IoT meaning that enterprises need more certificates in faster timeframes than ever, this future-proofing needs to take the form of automation. By providing better automated services, CAs can remain competitive and meet the demands of rapidly moving DevOps teams.”

According to Goulet, there are three major market changes that will affect the interdependency between browsers and CAs, including:

  • Browser makers will take a more active role in policing CAs. Information security researcher Ian Carroll recently conducted an experiment that revealed just how easy it was for phishers to legally obtain Extended Validation certificates for malicious websites. Citing this example, browser makers are pointing out that CA issuance practices require additional oversight.
  • Web browsers will de-emphasise or remove certificate security warnings. Research has shown that certificate warnings rarely impact user behaviour, making the practice redundant.
  • CA business models will have to evolve. As browser makers take a more active role in determining which CAs they will trust and as they modify the user experience connected with weak, mis-issued or vulnerable certificates, CA business models will change.

Goulet says there is going to be a lot of change over the next five years.

“CAs are currently experiencing a number of pressures which are forcing them to change their business model. The increasing ability of browser companies to dictate terms, combined with the rise of free certificates and the increasing demand for faster certificates thanks to DevOps and IoT, means CAs need to change their practices quickly in order to remain competitive,” Goulet says.

“This will likely happen in a number of different ways, including increased automation and the development of new product offerings like cloud security and managed private PKIs. Beyond that, we could also start to see the rise of niche CAs, based on things like language – particularly in Europe as GDPR comes into force and firms look to avoid falling foul of regulation.”
