Google has reportedly lost faith in one of the biggest website certificate providers, Symantec, and is considering a strict penalty for improperly issued SSL certificates. Google plans to stop recognizing the Extended Validation (EV) status of certificates issued by Symantec.
Google's decision to "distrust" Symantec is seen as a significant move, because the company is responsible for roughly one third of the SSL certificates on the web. According to a 2015 Netcraft survey, almost one in every three certificates on the World Wide Web was issued by Symantec, which has grown its share over the years by acquiring certificate authorities such as RapidSSL, Thawte, GeoTrust and VeriSign.
Google engineer Ryan Sleevi wrote in a post earlier that Symantec's certificate issuance practices had been under investigation since January 19. According to Sleevi, Symantec's explanation indicated that certificates may have been mis-issued, and Google has lost confidence in Symantec's certificate issuance practices and policies.
Google has proposed a number of steps Symantec must take before Google will trust it again. Google wants Symantec to reduce the validity period of newly issued certificates to nine months or less. All existing certificates issued by the company must be "revalidated and replaced," and the Extended Validation status of Symantec certificates must be withdrawn for at least one year, until the community regains confidence in Symantec's practices and policies.
SSL/TLS certificates are what allow a browser to establish an encrypted connection to an HTTPS-enabled site. A certificate binds a site's domain name to its public key, so the browser can verify that the user is visiting the authentic site and not a spoofed version. Certificate authorities such as Symantec issue these certificates, and their root certificates are trusted by operating systems and browsers.
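As an added example that is not part of the article, and not tooling from Google or Symantec: a small shell script, built on the openssl command-line tool, that takes a PEM certificate and reports whether it was issued under one of the Symantec brands named above and whether its remaining lifetime exceeds the nine-month limit Google proposed. The self-signed sample certificates it generates are constructed here purely for illustration; the brand list, the 274-day approximation of nine months and the function names are assumptions of this example. A production check would match root-store fingerprints rather than issuer names.

```shell
#!/bin/sh
# Added example, not code from the article or from Google/Symantec. Requires the openssl CLI.
set -e

# Brands named in the article, matched case-insensitively against the issuer's O= field.
# (Assumption: a real check would match on root-store fingerprints, not names.)
SYMANTEC_BRANDS='symantec|verisign|geotrust|thawte|rapidssl'
MAX_DAYS=274    # nine months, approximated as 274 days (assumption)

# Print the organisation (O=) of the certificate's issuer.
issuer_org() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*O=\([^,]*\).*/\1/p'
}

# Return 0 if the certificate would be affected by the proposal described above:
# issued under a Symantec brand AND still valid more than nine months from now.
# Returns 1 for other issuers, 2 for a Symantec-brand certificate that expires sooner.
flag_cert() {
  org=$(issuer_org "$1")
  if ! printf '%s\n' "$org" | grep -qiE "$SYMANTEC_BRANDS"; then
    echo "$1: issuer '$org' is not a Symantec brand"
    return 1
  fi
  # -checkend N exits 0 when the certificate will NOT expire within N seconds.
  if openssl x509 -in "$1" -noout -checkend $((MAX_DAYS * 86400)) >/dev/null; then
    echo "$1: issuer '$org', remaining lifetime exceeds nine months; affected"
    return 0
  fi
  echo "$1: issuer '$org', expires within nine months"
  return 2
}

# Constructed sample: a self-signed certificate (issuer == subject) with the given
# organisation name, valid for the given number of days. Illustration only.
make_sample() {   # make_sample ORG DAYS OUTFILE
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${3%.pem}.key" -out "$3" \
    -days "$2" -subj "/O=$1/CN=example.test" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "Symantec Corporation" 365 "$tmp/symantec.pem"
make_sample "GeoTrust Inc"         90  "$tmp/geotrust.pem"
make_sample "Example Trust Co"     365 "$tmp/other.pem"
flag_cert "$tmp/symantec.pem"              # affected (returns 0)
flag_cert "$tmp/geotrust.pem" || true      # Symantec brand but short-lived (returns 2)
flag_cert "$tmp/other.pem"    || true      # unrelated issuer (returns 1)
```

To run it against a site's real leaf certificate, fetch it first with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 > site.pem` and pass `site.pem` to `flag_cert`; the issuer shown is the intermediate, which is why a name match is only a first approximation.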
After Google's warning to Symantec, Mozilla said it is also considering distrusting Symantec's certificates. "Now that Google have announced their action, it is unavoidable to note that it can be preferable for two root stores considering action against a CA to take broadly parallel approaches, so that the CA is not doubly penalized for the same actions," PC World quoted Mozilla's Gervase Markham as writing.