In 2016 the developers who created the world’s most popular web browser, Google Chrome, began taking steps to ensure the security of its users by encouraging websites and companies to switch to HTTPS.
However, millions of websites could find that SSL certificates issued by Symantec and other affiliated resellers are deemed worthless as far as Google Chrome is concerned. This comes after a member of the Chrome team published a proposal suggesting that Chrome would make them untrusted within the next 12 months.
According to the Google Chrome team, the reasoning behind the decision is that over the years Symantec has not properly validated thousands of certificates which they have issued. The Chrome team added that they estimate that over 30,000 certificates have been mis-issued over several years, after initially reporting 127 certificates as mis-issued.
Ryan Sleevi, the member of the Google Chrome team who put together the proposal, expanded on this issue by saying:
“This is also coupled with a series of failures following the previous set of mis-issued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.”
Chrome creates a potential nightmare scenario for thousands of websites
Symantec is estimated to have issued over a third of the SSL certificates on the web, making them the largest Certificate Authority in the world.
So the Google Chrome proposal could have a huge impact on Symantec and the customers it serves. There could be a scenario where Symantec has to reissue millions of certificates, which could cause chaos for customers who would have to go through the validation and installation process all over again.
A further headache in the Google Chrome proposal is that Chrome would remove the status indicators for Extended Validation certificates issued by Symantec with immediate effect.
These certificates require companies to provide further evidence and verification to prove their identity. They are often used by companies that handle payments and transactions, which need HTTPS.
Extended Validation certificates are much more costly, but this is because most browsers display icons and indicators for the sites which use them. The removal of these certificates could harm the companies that rely on them as a sign of trust to customers and other users.
Symantec has disputed the claims made by Chrome about the certificates which were mis-issued. They have called the proposal put together by the Chrome team “irresponsible” and also said the allegations levelled against the company are “misleading and exaggerated”.
While both Google Chrome and Symantec are working towards a resolution that will satisfy all parties, any company which has been issued a certificate should monitor this situation with great interest.