Symantec and Google avert SSL meltdown

Google shook up the SSL industry back in March of this year when they released a proposal addressing “a series of failures by Symantec Corporation to properly validate certificates.” The outlined restrictions would effectively withdraw the Chrome browser’s trust in all certificates issued by Symantec. They notably included the removal of the green browser address bar, the primary visual indicator of Symantec-issued Extended Validation (EV) certificates.

Though aimed at developers, the announcement sent waves of concern and uncertainty through the entire SSL industry and beyond. Symantec’s initial response defended their validation processes. However, details surrounding the alleged mis-issuance of thousands of certificates had already been released. It appeared that in the end, certificate holders were likely to suffer from the results of this power struggle.

Since then, what was initially an explosive public debate has turned into a nuanced and constructive conversation, wherein both major players have taken on a more diplomatic stance. Both parties now seem committed to finding a way forward that will minimize the impact on Symantec customers and their end-users.

Two months following the release of the initial proposal, Google and Symantec, with input from the rest of the Internet community, seem to have arrived at a common solution. On May 19, 2017, Google proposed an updated plan that would require Symantec to implement some significant changes to the way they operate their Certificate Authority (CA). In return, Google would continue to support Symantec certificates in their Chrome browser.

Symantec responded to the new proposal last week, and while a few details still need to be ironed out, there appears to be general agreement on how to move forward. The good news is that most of the heavy lifting will fall to Symantec and, to some extent, the browser developers, instead of the certificate holders.

Here’s what we can expect to see if this updated proposal is enacted:

  • Symantec would essentially rebuild its internal infrastructure from scratch over the next two years to create a new platform for certificate validation and issuance.
  • Until the modernized internal platform is ready and its associated root keys are trusted by all major browsers, Symantec would rely on third-party CAs to perform the validation process. It’s important to note that the root keys tied to the previous platform would remain in place, so browsers could readily distinguish certificates issued from the old platform from those issued by the new one.
  • Partnering with trusted sub-CAs would allow Symantec to continue to issue Extended Validation (EV) certificates, and enable Chrome and other browsers to maintain trust for EV certificates and continue to display the green address bar.
  • Newly issued certificates would be valid for longer than the 9-month period originally suggested by Google, though the exact length of the validity period is still being discussed.
  • Existing certificates, issued prior to June 1, 2016, might be gradually phased out and may eventually require revalidation. It is unclear at this time, however, if this requirement is feasible, given the vast number of certificates that would need to go through the revalidation process.

There’s still plenty of discussion about the details, but the nature of the conversation suggests that a solution, one which averts a major SSL meltdown, will be reached sooner rather than later. We’ll keep you updated as the fine points are finalized. The good news is that at present, there’s reason to remain confident in your existing SSL lineup and selling practices.