
Symantec's Security Flub Has Google Playing Hardball

Symantec issued security certificates to the wrong entities, so Google is cracking down because that error might mean trusted sites aren't so secure.

Getty Images / Justin Sullivan, Edward Boatman / CC BY 3.0

Google is throwing its weight around: not with search results or cloud storage but on the matter of TLS certificates.

TLS certificates verify that website owners are who they say they are, and that secure connections are truly secure. The certificates come from trusted third parties called Certificate Authorities, or CAs.

So it's important to know you can trust your CA to issue accurate certificates. Without that, you can't trust that your Web data will be properly encrypted.

The biggest CA is Symantec, and Google found it's been issuing security certificates — including some Google ones — to the wrong owners.

So now Google will require that Symantec's certificates meet stringent security policies or risk security errors and warnings when used with Google products. Symantec has until June 2016 to comply. (Video via Google)

Google says, "After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products."

There's nothing stopping Google from a "my way or the highway" crackdown. If Symantec wants access to Chrome's market — the largest around, by the W3Schools browser numbers — Google can make it play by its rules. (Video via Google)

And it's not like anyone is going to complain. More than anything, a hard-line stance holds CAs more accountable. Sometimes they need that — you might remember the DigiNotar breach in 2011.

Mozilla, for example, has played tough with CAs in the past and might join Google's side in the current showdown. (Video via Mozilla)

Symantec, for its part, says it fired the employees responsible for the wrongly issued certificates and plans to adopt a certificate transparency policy for all its certificates. It hasn't discussed an exact timeline. (Video via Symantec)

This video includes images from Getty Images, Edward Boatman / CC BY 3.0 and LPS.1 / CC0 and music from "sombre, green" by Birocratic / CC BY ND 3.0.