Hell hath no fury like a search giant scorned. Google this week warned Symantec that, as of June 1, any certificates that don't meet transparency requirements will be deemed insecure.
The threat comes after Symantec revealed it had issued thousands of fraudulent security certificates for numerous domains, including Google.
Upon initial inspection in September, the software maker revealed that 23 SSL certificates—which allow secure connections from a Web server to a browser—were issued without the domain owner's knowledge.
With a few extra clicks, Google found several more questionable certificates. Then a month later, Symantec announced an additional 164 certificates over 76 sites, and 2,458 certificates issued for unregistered domains.
"It's obviously concerning that a CA [certificate authority] would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit," software engineer Ryan Sleevi wrote in a blog post.
Recommended by Our Editors
So Google issued an ultimatum: Starting next summer, all Symantec-issued certificates must support the Chromium Certificate Transparency policy, or else. In the short term, the Web titan requested an updated incident report, in which Symantec explains why it did not detect the additional certificates found so easily by Google. And, in true detention-hall style, Google also asked Symantec what it thinks caused each slip-up, and what the company will do to fix them.
Symantec did not immediately respond to a request for comment.
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
