Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having Chrome, by many measurements the world’s most popular browser, issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials.
The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized Transport Layer Security certificates. The misissued certificates made it possible for the holders to impersonate HTTPS-protected Google webpages.
Symantec first said it improperly issued 23 test certificates for domains owned by Google, browser maker Opera, and three other unidentified organizations without the domain owners’ knowledge. A few weeks later, after Google disputed the low number, Symantec revised that figure upward, saying it found an additional 164 certificates for 76 domains and 2,458 certificates for domains that had never been registered. The misissued certificates represented a critical threat to virtually the entire Internet population because they made it possible to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.