Google Has Enough of Symantec's Dodgy SSL Certificates, Bans Them from Chrome, Android

JMH, Emeritus, Contributor
Google has made good on its promise and banned root certificates issued by Symantec. The ban applies to Google Chrome, Android, and several other Google products.

The search giant has had a bone to pick with Symantec since late September, when Google discovered 23 certificates issued in its name by one of Symantec's subsidiaries.

Symantec tried to explain itself by saying the certificates were issued for internal tests and got leaked under unknown circumstances by three employees, whom the company eventually fired.

The incident escalated towards the end of October, when Google discovered 164 other Symantec certificates issued for 76 other domains, along with a huge batch of 2,458 certificates for yet unregistered domains. Google published a statement on its blog, the equivalent of a last warning.

It appears that now Google has decided to act on Symantec's arrogance/indifference and has outright banned the Class 3 Public Primary CA root certificate operated by Symantec.
Source: Google Has Enough of Symantec's Dodgy SSL Certificates, Bans Them from Chrome, Android (Softpedia)

This goes above what was reported above.

If I understand all this correctly, on Dec 1, 2015, Symantec announced they will not comply with industry standards for many of the certificates they have issued (apparently, those contested by Google and verified by Symantec). It appears rather than recalling and correcting those contested certs, they are just letting the browser makers deal with them, stating,
Browsers may remove TLS/SSL support for certificates issued from these roots. Visitors using these browsers will receive error messages if a TLS/SSL certificate is used that chains to these roots. It is important to replace such a certificate with one that chains up to a more modern root. Symantec offers free replacements in each of our certificate management consoles.
To me, that is saying Symantec is fully aware of the issue but does not care! Or as that Softpedia article puts it, Symantec is being arrogant and indifferent. Symantec is letting the browsers identify the non-compliant certs and putting the onus on the site administrators to take the necessary actions to make it right.

In the meantime, the customers/consumers/users of any affected site are left in the lurch as the browser, unable to trust the non-compliant Symantec issued cert, is forced to block access to it. :(

For that reason, Google announced proactive measures to "distrust" those affected sites, beginning immediately (as of Dec 11).

Personally, I vote to ban/boycott ALL Symantec products until they decide the right thing to do is to comply with industry standards - instead of this current track of doing it their way, see if anybody notices, and if they do, let their clients/customers deal with it. Shame on you Symantec!
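Since the practical question for a site administrator is "does my chain end in one of the roots the browsers are about to distrust?", here is an added example (mine, not from the post or the Softpedia article) showing that check with OpenSSL in a POSIX shell script. It builds two constructed test chains in a temporary directory, one ending in a placeholder "legacy" root and one in a placeholder "modern" root, and flags the chain whose root CN is on a distrust list. The root names and the distrust list are placeholders I made up for the demo; they are not Symantec's actual root DN, and a real check would put the browser vendors' published root names in DISTRUSTED_ROOTS and point it at the chain the web server actually serves.

```shell
#!/bin/sh
# Added example: flag a certificate chain that terminates in a root the
# browser has distrusted. All names below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed distrust list: one subject CN per line. Placeholder only,
# not the real DN of any Symantec/VeriSign root.
DISTRUSTED_ROOTS="Example Legacy Class 3 Public Primary CA - placeholder"

# make_ca NAME SUBJECT_CN : self-signed root in $WORK/NAME.pem (+ key)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CA : leaf cert for a test hostname signed by CA, and the
# chain the server would send (leaf followed by root) in $WORK/NAME-chain.pem
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$1.pem" 2>/dev/null
  cat "$WORK/$1.pem" "$WORK/$2.pem" > "$WORK/$1-chain.pem"
}

# last_cert CHAIN_FILE : print the last PEM certificate in the file, which
# for a complete chain is the root (or the last intermediate, if the root
# is not sent; the CN check below then applies to whatever is topmost)
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{buf=""}
       {buf=buf $0 "\n"}
       /-----END CERTIFICATE-----/{last=buf}
       END{printf "%s", last}' "$1"
}

# check_chain CHAIN_FILE : prints DISTRUSTED if the topmost cert's subject
# CN is on the distrust list, OK otherwise
check_chain() {
  root_cn=$(last_cert "$1" \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=//p')
  if printf '%s\n' "$DISTRUSTED_ROOTS" | grep -qxF -- "$root_cn"; then
    echo "DISTRUSTED"
  else
    echo "OK"
  fi
}

# Build the two constructed chains: one to the legacy root, one to a modern one.
make_ca legacy "Example Legacy Class 3 Public Primary CA - placeholder"
make_ca modern "Example Modern Root CA G5 - placeholder"
make_leaf site-old legacy
make_leaf site-new modern

echo "site-old: $(check_chain "$WORK/site-old-chain.pem")"
echo "site-new: $(check_chain "$WORK/site-new-chain.pem")"
```

The script only inspects the top of the chain, which is exactly what the browser does when it decides whether the anchor is still trusted; the fix Symantec describes in its notice is to reissue the leaf so that the served chain ends in a root that is not on the list, which is what the site-new chain models.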
 
