The Website Security Debate You Should Keep an Eye On
A conflict between two major Silicon Valley firms could shake up the way that you secure your website. Here's what you should know about the debate over security certificates.
If you’re running your website on a secure domain, there’s a debate brewing in the tech sector that you may want to be privy to.
In short, it’s rooted in a squabble between two of the world’s largest technology companies: Google and the security firm Symantec, which is best known for its antivirus software. Symantec also issues security certificates for many websites; these certificates let a browser verify a site’s identity over an HTTPS connection and are typically used by sites that handle some sort of transaction.
While Symantec holds around 30 percent of the market for the internet’s security certificates, Google has raised concerns that the firm isn’t doing enough to confirm that the recipients of its certificates are legitimate. After an investigation, the maker of the Chrome browser warned that it didn’t like what it found.
“Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates,” Google employee Ryan Sleevi explained in a forum post. “Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years.”
Google has called on Symantec to reissue all of its certificates—an undertaking that would take a significant amount of time.
Symantec has called the allegations against it exaggerated and maintains that only 127 certificates were affected. However, Google’s concerns are serious enough that Symantec is working to right itself in the eyes of the search giant. In a blog post last month, Symantec laid out a proposal that includes a significant number of steps it has promised to take to restore confidence in its certificates.
“Even though our past misissuance events have not, to our knowledge, resulted in customer harm, we consider compliance with industry standards a critical responsibility of our [Certificate Authority] business,” the company wrote. “We believe our multifaceted proposal addresses the concerns regarding the trustworthiness of Symantec’s past and future SSL/TLS certificate issuances.”
It’s possible Google may not accept the proposal, which would force millions of security certificates to be reissued, a potential disruption for numerous firms. The issue could become further complicated in the coming months as Google implements a new compliance requirement called “Certificate Transparency,” which it plans to put into effect by October, according to Slate.
The in-depth Slate report notes that other concerns about certificates are cropping up, including Google’s own move into the business, which marks the first time a browser developer has issued its own security certificates.
Whatever the case, the CA Security Council, the industry group that represents Symantec and other certificate authorities, notes that problems involving security certificates are rare.
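For a site operator, the practical question raised above is whether any of your own endpoints present a certificate chaining to the affected issuer, and how long that certificate has left before it would need replacing anyway. The following script is an added example, not code from the article, Google or Symantec: it uses only Python’s standard library `ssl` module, inspects the issuer and expiry of the leaf certificate a server presents, and flags issuers whose name matches a watch list (here just "Symantec", taken from the article). The `SAMPLE_CERT` dictionary and `SAMPLE_NOW` date are constructed for offline testing in the same shape `getpeercert()` returns; the hostnames on the command line are whatever you choose to inventory.

```python
import ssl
import socket
from datetime import datetime, timezone

# CA operator names to flag in a certificate's issuer. The article discusses
# Symantec; extend this tuple for your own inventory.
WATCHED_ISSUER_ORGS = ("Symantec",)


def rdn_to_dict(name):
    """Flatten the nested ((('countryName', 'US'),), ...) tuples that
    ssl.SSLSocket.getpeercert() uses for the 'subject' and 'issuer' fields."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out[key] = value
    return out


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network access).
    Default verification stays on, so an untrusted chain raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issued_by_watched_ca(cert, watched=WATCHED_ISSUER_ORGS):
    """True if the issuer's organization or common name mentions a watched CA."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    haystack = (issuer.get("organizationName", "") + " "
                + issuer.get("commonName", "")).lower()
    return any(w.lower() in haystack for w in watched)


def days_until_expiry(cert, now=None):
    """Whole days from `now` (UTC) until the certificate's notAfter date."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((not_after - now_ts) // 86400)


def assess(cert, now=None):
    """Summarize one certificate for an inventory report."""
    return {
        "subject": rdn_to_dict(cert.get("subject", ())).get("commonName"),
        "issuer": rdn_to_dict(cert.get("issuer", ())).get("organizationName"),
        "watched_ca": issued_by_watched_ca(cert),
        "days_left": days_until_expiry(cert, now),
    }


# Constructed sample (not a real certificate) in the shape getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Intermediate CA (constructed)"),)),
    "notBefore": "Jan 01 00:00:00 2017 GMT",
    "notAfter": "Jan 01 00:00:00 2018 GMT",
}
# Constructed reference date so the sample assessment is reproducible offline.
SAMPLE_NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    if hosts:
        for h in hosts:
            print(h, assess(fetch_peer_cert(h)))
    else:
        print("sample", assess(SAMPLE_CERT, SAMPLE_NOW))
```

Run it with one or more hostnames to inventory live endpoints, or with no arguments to see the report for the constructed sample. Note that `getpeercert()` only exposes the leaf certificate, so the issuer seen here is the intermediate CA; matching on the organization name rather than the exact intermediate name is what makes the check useful across a CA's many intermediates.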
“I think the industry has really proven itself over and over again,” CA Security Council Vice President Jeremy Rowley, the executive vice president of DigiCert, told Slate.
These security certificates may represent a small part of the browsing experience, but the debate could have a pretty far-reaching impact.