Until recently, the ongoing battle between Google and Symantec about SSL certificates could have been seen as a driver of positive change, pushing Symantec and other SSL companies to evaluate and improve products and practices for their clients.
Google’s recent proposal, however, may be a step too far. The plan of action suggested by Google could cause widespread negative consequences for innocent business owners and Chrome users around the globe.
Fortunately, Symantec has responded with a counter proposal that they feel will be less costly and damaging to sites using their SSL certificates, while still addressing the problems that have been brought to light.
Google’s Proposal Would Discredit and Invalidate Symantec SSL Certificates
Recently, Google decided to bring their lengthy feud with Symantec to a head by issuing a proposal intended to deprecate Symantec SSL certificates across the internet. The costly consequences of such actions would be far reaching. The problem is not the harm to Symantec itself, but to the millions of websites using Symantec security measures.
If put into effect, this proposal will reduce the period of validity for certificates that were recently issued by Symantec to nine months or fewer. It would also require current trusted certificates to be revalidated and replaced, and remove the Extended Validation (EV) status of certificates issued by Symantec for at least a year.
What does this mean for affected customers? These are some of the most common issues that will be experienced:
- Certificates must be re-issued and reinstalled, costing time and money
- Money paid for more than nine months of certificate validity will be lost
- EV customers will need to find and pay for a whole new Certificate Authority
Symantec is an industry standard used by countless business owners to secure their sites. In fact, a recent survey conducted by Netcraft found that almost 45% of the EV SSL certificate market belongs to Symantec. If nearly half of all secure websites are using these products, then how many site owners will incur these costs or lose their trusted status?
Google’s intent may be to punish Symantec, but Symantec won’t be the only party receiving punishment. The other people who will bear the brunt of this harsh proposal will be the innocent business owners who use Symantec SSL certificates for their websites.
Symantec’s Proposal Will Protect Sites with SSL Certificates
Symantec doesn’t question the fact that there are problems that need to be addressed. However, they do feel that Google is overreacting to the situation and inflicting unmerited punishment on sites with Symantec SSL certificates.
Each time a problem has been discovered, Symantec has reacted swiftly to investigate the issue and make changes to mitigate any damage that might result. Their goal is to work with their customers and the internet security community as a whole to come up with solutions that have the most positive outcome for everyone involved.
It is with this goal in mind that Symantec produced a counter proposal to remove the punishment of innocent parties while still addressing important quality and security concerns. They have observed public commentary on the problems and combined their findings with feedback gleaned from their enterprise customers to come up with a solution that should answer Google’s concerns without disrupting business for their customers.
The main action in this proposal is to hire a third-party auditor to closely examine their active EV SSL certificates, along with the active certificates issued by their past and present RA partners. They also intend to conduct WebTrust audits on a quarterly basis until they receive four consecutive audits without qualification. To facilitate transparency during these audits, Symantec proposes to publish quarterly letters updating the public on the audit findings.
Symantec also intends to perform domain revalidation of all the certificates they have issued with validity periods longer than nine months at no cost to their customers. Each proposed action in their plan is intended to make all findings as visible as possible and to make any necessary changes for customers as affordable and painless as possible.
Site Owners Using Symantec SSL Certificates Should Monitor Developments
The proposals by Google and Symantec for SSL certificates are both new, and neither one has been put into effect yet. It’s possible that Google will accept Symantec’s proposal in place of their own, which would remove the danger facing sites with current SSL certificates through Symantec.
However, should Google go forward with the proposal they produced in March, site owners will have numerous challenges to face in order to maintain their trusted status. For now, the only thing to be done is to keep a close watch on developments as they arise, and hope that Google and Symantec can come to an agreement that is fair to all.