Google, Symantec Battling Over Internet Encryption

Google is picking up its fight with Symantec, saying last week that it is reducing the level and length of trust Chrome will give Symantec-issued certificates.

According to a report in TechCrunch, Google contends Symantec hasn’t been taking its role seriously and has released 30,000 or more certificates in which the security software company didn’t verify the websites received the certificates. The report noted the allegation against Symantec is serious and undermines the trust users place in the encrypted web.

Google also said it’s in the process of distrusting Symantec certificates in Google’s Chrome browser. Symantec called Google’s allegations “irresponsible” and “exaggerated and misleading,” noted the report.

“Since Jan. 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years,” Google Software Engineer Ryan Sleevi wrote in a forum post outlining the case against Symantec.

“This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, causing us to no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years,” he wrote.

To fix the situation, the Google executive said Chrome will scale back the length of time its Chrome browser trusts certificates issued by Symantec, and over time websites will have to replace their old Symantec certificates with newer ones that are more trustworthy, noted the report. Sleevi noted Symantec hasn’t met the minimum requirements for issuing certificates and puts Chrome users at risk.