Google Has Declared Symantec “Harmful” To Internet Security

It’s rare for Google to go to war outright on a company, especially one as big and well-known as Symantec. But Google has done precisely that, in a move that’s surprised the IT community and is about to make life miserable for a fair chunk of the internet.

Google has publicly said it no longer trusts the cryptographic certificates Symantec issues and that Chrome will view them as “harmful.” Think of a “cryptographic certificate” as the digital equivalent of getting carded at a bar. You encrypt whatever you’re sending at your computer, and then use the certificate to encrypt it again. In order to read it, whoever you’re sending it to needs both your private key and the certificate they used. So if, say, a hacker has inserted himself between you and your bank’s website, he may have your private key, but once he’s asked for the certificate, he’s boned.

This isn’t a minor issue; if the companies issuing these certificates get sloppy, there are enormous consequences. One Dutch company shut down after it came out it was issuing certificates to Iranian spies. And this has been an issue with Symantec since 2015 — so the fact they haven’t bothered to clean up their act in two years, with millions of dollars at stake, is troubling. Google claims Symantec has issued 30,000 bad certificates.

The good news, if you run a website that issues these certificates, is that you can get new ones for free. But it’s unlikely most people will be aware of this problem until it starts screwing up their sites.

(via Boing Boing)
