Well, I suppose that’s a tad hyperbolic. But Google has acted quite admirably over the last couple of months to ensure that the SSL certificates underpinning the secure web remain, well, secure. At the beginning of the year, for instance, Chrome and Firefox were the first browsers to stop accepting SSL certificates using SHA-1 hashes (you can read a bit more about that here). Before that, they fought Symantec to ensure that the certificate authority would publically detail all certificates it released after it incorrectly issued certificates to non-site owners.
And now, ArsTechnica is reporting, Google is reining in Symantec further — and will likely cause a number of Symantec customers to starting looking elsewhere. It’s a drastic move, but one necessitated by further irresponsibility: Google alleges that Symantec “improperly issued more than 30,000 certificates” over the course of a few years.
In the short term, the only change Google is making to Chrome is that HTTPS connections to large sites verified with Symantec will no longer show the corporation name next to the site address (such as how visiting Paypal shows “Paypal, Inc.” next to the site address). It was also start to refuse certificates issued by Symantec entirely, but to avoid disruption to “30 percent” of the Internet traffic verified through Symantec will do so gradually: first by only accepting newer than 33 months in Chrome 59, gradually lowering this to a mere 9 months in Chrome 64. The intention of this move is murky, but seems to indicate the Google is trying to gradually blacklist Symantec entirely, forcing customers wishing to use SSL/HTTPS to move to a different CA. In other words, Google is trying to force Symantec out of the certificate authority business entirely.