Google has discontinued trust in a Symantec root certificate for both Chrome and Android.
As of this month, Google has flagged a Symantec root certificate as failing to meet best practices and industry standards, and has therefore removed trust for the certificate. The Certificate Authority and Browser Forum sets certain standards for security, which Google states Symantec's Public Primary Certificate Authority G1 does not meet. "As these requirements reflect industry best practice and are the foundation for publicly-trusted certificates," explained Ryan Sleevi, a software engineer at Google, "the failure to comply with these represents an unacceptable risk to users of Google products." However, Symantec has replied with some surprise to Google's response, explaining that the root certificate was planned for discontinuation from 2014 and is now used primarily for legacy support.
"By announcing that they will be blocking this root certificate," Symantec responded, "Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014." Google and Symantec have a history of disputes over the security status of certificates, and both sides are treading carefully. Meanwhile, Google is maintaining its focus on preventing security breaches on its own turf. "Google is no longer able to ensure that the root certificate... will not be used to intercept, disrupt, or impersonate the secure communication of Google's products or users," added Sleevi. This year, Google has removed recognition for other certificates as well, in the name of maintaining a safe and prevention-focused security environment.