Google vs Symantec
Google and Symantec have been going back and forth regarding the leaked SSL certificates. Google discovered 23 certificates in late September. Then in October, Google found another 164 certificates across 76 domains, along with a further batch of 2,548 certificates issued for unregistered domains.
“It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner,” Google said.
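As an added example (not code from the original article or from Google or Symantec), here is a pure-Python parser for the Signed Certificate Timestamp list that a CT-logged certificate embeds (RFC 6962, X.509 extension OID 1.3.6.1.4.1.11129.2.4.2), which is the artifact a relying party inspects to confirm the logging Google is mandating. The sample SCT list, log IDs and signatures are constructed and belong to no real log, and the distinct-log count is a stand-in for a browser policy threshold, not Google's actual policy.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and count the CT logs in it."""
import struct
from collections import namedtuple

# One v1 SCT: log_id = SHA-256 of the log key (32 bytes), timestamp in ms since
# the Unix epoch, TLS hash/sig algorithm ids (4,3 == sha256/ecdsa), raw signature.
SCT = namedtuple("SCT", "log_id timestamp_ms extensions hash_alg sig_alg signature")

def _read_vec(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a TLS opaque<0..2^16-1>: 2-byte big-endian length, then the body."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_sct(raw: bytes) -> SCT:
    if len(raw) < 41 or raw[0] != 0:      # byte 0 is the version; 0 == v1
        raise ValueError("not a v1 SCT")
    (ts,) = struct.unpack_from(">Q", raw, 33)
    exts, pos = _read_vec(raw, 41)        # CtExtensions, empty in practice
    if pos + 2 > len(raw):
        raise ValueError("missing SignatureAndHashAlgorithm")
    sig, end = _read_vec(raw, pos + 2)
    if end != len(raw):                   # reject smuggled trailing bytes
        raise ValueError("trailing bytes in SCT")
    return SCT(raw[1:33], ts, exts, raw[pos], raw[pos + 1], sig)

def parse_sct_list(blob: bytes) -> list[SCT]:
    outer, end = _read_vec(blob, 0)       # outer vector wraps one vector per SCT
    if end != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(outer):
        item, pos = _read_vec(outer, pos)
        scts.append(parse_sct(item))
    return scts

def distinct_logs(blob: bytes) -> int:
    # Signatures are NOT verified here; that needs each log's public key.
    return len({s.log_id for s in parse_sct_list(blob)})

# Constructed sample: two SCTs from two made-up logs with placeholder signatures.
def _fake_sct(log_byte: int, ts_ms: int) -> bytes:
    sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"  # dummy DER, never verified
    body = (b"\x00" + bytes([log_byte]) * 32 + struct.pack(">Q", ts_ms)
            + b"\x00\x00\x04\x03" + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body
_INNER = _fake_sct(0xAA, 1444953600000) + _fake_sct(0xBB, 1444953600000)
SAMPLE_SCT_LIST = struct.pack(">H", len(_INNER)) + _INNER
```

A real extension value is the DER OCTET STRING contents of that OID; truncated or padded lists are rejected rather than silently accepted.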
According to Symantec, the certificates were for internal use and were leaked by 3 employees, who were fired shortly afterwards.
“Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements,” said Ryan Sleevi, Google Software Engineer, today on the company’s Security blog. “As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products.”
No official statement has been released by Symantec, but Symantec told Google that these bans will not hinder its clients.