Google software engineer Ryan Sleevi wrote a post on Google Groups describing the case against Symantec. There he explains that at least 30,000 certificates were not correctly validated by the company and that, as a result, Google engineers no longer have confidence in Symantec's policies and practices.
A digital certificate is a way of authenticating an identity to third parties, and it can also be used to encrypt communications or to sign digitally. It is an electronic document that must be issued and vouched for by a trusted certificate authority (CA), also called a certification authority or certification body, such as Symantec.
In plain terms, a certificate authority is like the identity office in your locality that issues the national ID card (DNI) proving that you are who you say you are; the DNI is like the digital certificate. For Internet connections, such as the secure HTTPS connection you need to access your bank account, being sure that the website you are visiting really is your bank, and not a third party out to steal from you, depends on whether the browser trusts the digital certificate presented by the connection.
If the browser does not accept the certificate as valid, you will get a series of security warnings, and for your own safety you should not trust that connection, because it puts your data at risk. This is why Google's allegations against Symantec are so serious: Symantec is one of the largest certificate authorities in the world, and in 2015 around 30% of websites were validated by its certificates.
What Symantec says about it
Google claims that Symantec has issued at least 30,000 certificates without properly verifying the websites that received them, and will now begin the process of ceasing to trust certificates issued by the company in the Chrome browser.
In response, Symantec issued a statement accusing Google of being irresponsible. It says that Google's claims are exaggerated, that the number is not 30,000 certificates but 127, and that they caused no harm to consumers. It also complains that, although many other large certificate authorities have experienced this kind of incident, Google has singled out Symantec for accusation.
However, Google engineers say they have been investigating since January 19, and that the initial report of 127 certificates has grown to at least 30,000 over a period of several years. Beyond that, in Google's view Symantec has failed to meet the basic requirements of a certificate authority: when presented with evidence of problems with its certificates, it did not take the necessary steps or disclose the information in a timely manner.
Meanwhile, Google will gradually stop trusting Symantec certificates. First it will reduce the accepted validity period of the company's newly issued certificates to nine months or less, and later it will require that existing certificates be replaced with new ones that have been fully revalidated. The trust extended to certificates issued by the company will not be restored until the community is satisfied that Symantec's policies and practices are appropriate.
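To make concrete both the trust decision described earlier (a browser accepts an HTTPS certificate only if it chains to a CA in its trust store, the signature verifies, and the name matches) and the first stage of Google's plan (accepting a restricted CA's new certificates only when they are valid for nine months or less), here is a small model written for this article. It is an added example, not code from Google, Chrome or Symantec, and it deliberately simplifies a real browser verifier (no intermediates, no revocation, no Certificate Transparency). The CA names, hostnames, the fixed "current time" and the 270-day limit are all assumptions; it uses the `cryptography` package to build and check real X.509 certificates offline.

```python
# Added example: a miniature model of a browser's certificate trust decision,
# plus the "nine months or less" restriction for a CA under scrutiny.
# Not the code of any real browser or CA; all names and dates are assumed.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2017, 3, 24)  # assumed "current time", naive UTC
NINE_MONTHS = 270               # assumed day count for the restriction


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _validity(cert):
    """(not_before, not_after) as naive UTC, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        nb, na = cert.not_valid_before_utc, cert.not_valid_after_utc
        return nb.replace(tzinfo=None), na.replace(tzinfo=None)
    return cert.not_valid_before, cert.not_valid_after


def make_ca(cn):
    """Self-signed root CA certificate and its private key (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=365))
            .not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def issue_leaf(ca_cert, signing_key, hostname, days):
    """Server certificate naming ca_cert as issuer, signed with signing_key.
    Passing a key that does not belong to ca_cert simulates a forgery."""
    key = ec.generate_private_key(ec.SECP256R1())
    start = NOW - dt.timedelta(days=1)
    return (x509.CertificateBuilder()
            .subject_name(_name(hostname)).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + dt.timedelta(days=days))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(signing_key, hashes.SHA256()))


def browser_trusts(leaf, trust_store, hostname, restricted_issuers=(), max_days=NINE_MONTHS):
    """Return (accepted, reason) for presenting `leaf` as `hostname`.

    restricted_issuers: subjects of CAs whose certificates are accepted only
    when valid for at most max_days, modelling the article's first stage."""
    issuer = next((c for c in trust_store if c.subject == leaf.issuer), None)
    if issuer is None:
        return False, "issuer not in trust store"
    try:  # the leaf must really be signed by the key of that trusted CA
        issuer.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify"
    nb, na = _validity(leaf)
    if not nb <= NOW <= na:
        return False, "outside validity period"
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False, "hostname not in certificate"
    if leaf.issuer in restricted_issuers and (na - nb).days > max_days:
        return False, "issuer under restriction: validity exceeds limit"
    return True, "trusted"


def demo():
    """Run the scenarios and return {scenario: (accepted, reason)}."""
    good_ca, good_key = make_ca("Example Trusted Root CA")   # assumed name
    rogue_ca, rogue_key = make_ca("Rogue CA")                # assumed name
    store = [good_ca]                                        # the browser's trust store
    leaf = issue_leaf(good_ca, good_key, "bank.example", 365)
    results = {
        "trusted_ca": browser_trusts(leaf, store, "bank.example"),
        "rogue_ca": browser_trusts(issue_leaf(rogue_ca, rogue_key, "bank.example", 365),
                                   store, "bank.example"),
        "forged": browser_trusts(issue_leaf(good_ca, rogue_key, "bank.example", 365),
                                 store, "bank.example"),
        "wrong_host": browser_trusts(leaf, store, "other.example"),
    }
    restricted = (good_ca.subject,)  # the CA placed under the nine-month rule
    results["restricted_long"] = browser_trusts(leaf, store, "bank.example", restricted)
    short = issue_leaf(good_ca, good_key, "bank.example", 180)
    results["restricted_short"] = browser_trusts(short, store, "bank.example", restricted)
    return results


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:17} {'ACCEPT' if ok else 'WARN  '} {reason}")
```

The "rogue_ca" and "forged" cases are the two ways a fraudulent certificate is caught: either the issuer is not in the trust store at all, or it names a trusted CA but was not signed by that CA's key. A mis-issued certificate like those in the dispute passes all of these checks, because it was genuinely signed by a trusted CA; that is exactly why the only remedy available to a browser is to restrict or remove trust in the CA itself, as the final two scenarios model.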