03:00 PM
Mike Baukes
Mike Baukes
Connect Directly
E-Mail vvv

Google Won't Trust Symantec and Neither Should You

As bad as this controversy is for Symantec, the real damage will befall the company and individual web sites deemed untrustworthy by a Chrome browser on the basis of a rejected Symantec certificate.

News that Google may be imposing a series of restrictions in Chrome against digital certificates issued by Symantec is but the latest and most remarkable salvo in a dispute that stretches back years. Google is leveraging its prominence to force companies to confront their cyber risk - a vital advance in fostering proactive digital resilience. How Symantec responds will have relevance far beyond any one corporate conflict.

Claiming Symantec was far too lax and borderline negligent in issuing its certificates, Google recently announced a proposal to gradually reject them, as well as any authorities tied to the Symantec root certificates. Any certificate authorities that derive their key chain from Symantec’s root will also face the same restrictions; some major names fall into this category, such as VeriSign and Thawte.

Despite the nonchalance of Symantec’s response, this is a potentially monumental step taken by Google. Browsers gatekeep the Internet to some degree: Chrome, Firefox, Safari, Edge/Explorer; Google, Mozilla, Apple, Microsoft. These are the applications and companies that determine how people interface with the Internet. Furthermore, they determine when a security problem takes on enough risk to be unilaterally rejected in the interest of their users. We’ve seen this before with encryption strength, cipher suites, even plugins like Flash and Java. These four companies hold the keys, as it were, for big picture technological evolution-- and the future of technology is resilience.

With this proposal, Google thus sets up the first real roadblock for Symantec’s business model. Google Chrome has about 60% of the browser market share. When Google drops support for an application or certificate for security purposes, it affects the browsing habits of the majority of Internet users. Symantec certificates, and those from its subsidiaries, will have demonstrably less value in Chrome once these restrictions start being enforced. This acute depreciation in the usefulness of a Symantec certificate, should, and probably will, cause en masse replacement with less problematic certificates. As the sole purpose of a certificate is to provide a trusted source verifying that the site is valid, secure, and private, such a public rebuke of Symantec’s integrity could be a crushing blow.

Insecure practices such as the certificate problems Symantec had are not just academic examples of bad technology, but possibilities for real world damage. It should be apparent now that the digital economy is the economy. There is no retrograde motion left to us as a society when it comes technology and its integration into daily life. As such, only resilient digital services can survive. Those which impose too much risk or cannot weather the attacks, outages, breaches, and problems of the digital landscape will lose the trust of the people, and of the other companies who rely upon those services to function.

Doing the Right Thing
Wouldn’t Symantec want to issue certificates in the most secure way possible - not merely to avoid Google’s wrath, but to do right by the enterprise customers who purchase their certificates? It seems not. Imagine the administrative overhead, cost, and time it would take for Symantec to change a system which, according to Google, has been broken for years. With no apparent pressing need to break from standard operating procedure, Symantec has not made those changes, even after earning nasty press about how shoddy their issuance practices really are.

This begs the question: How does enterprise technology evolve from here, without the prodding of a tech conglomerate? In a digital ecosystem of interdependent parts, large scale changes are slow and usually painful, as different parts change and grow at different speeds, leaving others behind to catch up or fade away. Google’s decision to restrict certificates issued by Symantec and its subsidiaries acts as a catalyst for this evolution, because Google is directly impacting Symantec’s business as a certificate authority by imposing security measures that their certificate process does not meet.

Businesses who rely on websites to drive revenue will not want to worry about whether their Symantec-issued certificate will cause problems for some 60% of their visitors. There are reasonably priced alternatives readily available, issued by firms able to provide an actual trustworthy certificate to their customers. These business decisions will ultimately affect Symantec’s bottom line, perhaps providing an impetus for them to take seriously the security problems they have brushed off for years.

As bad as this is for Symantec, the real problems will affect those companies and individuals relying on the company’s certificates. Google’s rebuke will repel potential visitors who use the Chrome browser from visiting sites using Symantec certificates, while also calling the businesses’ reputations into question, as Chrome identifies them as untrustworthy sites. This is an unfortunate result for those trying to avoid this very fate by buying certificates from Symantec in the first place.

Imagine this very plausible scenario: your company uses Chrome and relies on a web application hosted on a server using a Symantec certificate to conduct business.  Chrome stops trusting that server, such that in the blink of an eye, none of your co-workers can access the website without jumping through some serious hoops. Some percentage of Chrome users will likely alter their browsing habits, and some percentage of websites will likely trade out their Symantec certificates for another brand.

In the bigger picture, we should expect to see more private-sector driven enforcement of security practices. The public interest lies in every component of our digital environment being as resilient as possible, so that we can all use services without taking on an undue amount of risk. But when a private company has no profit motive to reduce their cyber risk, and instead chooses to knowingly continue bad practices, how can this public good be achieved? In order for real digital resilience to be kindled and spread, companies will need to become proactive - not wait for the death knell of a war with Google to begin changing their ways.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:


Mike Baukes is co-founder and co-CEO of UpGuard, a cyber resilience company based in Mountain View, California. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/22/2017 | 12:24:24 PM
Re: SSL Certificate
Thats an extremely good question. You are giving people security advice but you leaving all of your members open to several liabilities by not having an SSL certificate? Should we take you serious if you dont take our information serious? 

User Rank: Apprentice
4/21/2017 | 9:35:25 AM
SSL Certificate
I found this post to be super valuable. However, when is your website going to upgrade to using an SSL certificate (not issued by Symmantec obviously) to better protect your readers?
How to Attract More Women Into Cybersecurity - Now
Dawn Kawamoto, Associate Editor, Dark Reading,  1/12/2018
AI in Cybersecurity: Where We Stand & Where We Need to Go
Raffael Marty, VP Security Analytics, Sophos,  1/11/2018
What Can We Learn from Counterterrorism and National Security Efforts?
Adi Dar, Chief Executive Officer of Cyberbit,  1/12/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.