Google dumps Symantec SSL certificate in Chrome, Android

Google has decided to cull a Symantec root certificate used to secure internet communications, the company revealed.

Starting 2 December Australian time, Symantec's Class 3 Public Primary Certificate Authority (CA) root certifcate is no longer trusted by Google in its Chrome web browser, Android mobile operating system and other products.

Google software engineer Ryan Sleevi explained over the weekend Symantec intended to use the root certificate for reasons other than creating publicly trusted credentials. The certificate also no longer complies with the industry Certificate Authority/Browser Forum baseline requirements for best practice, Symantec said.

As a result of the above, Sleevi said "Google is no longer able to ensure that the root certificate, or certificates issued from this root certificate, will not be used to intercept, distrupt, or impersonate the secure communications of Google's products or users".

Symantec would not reveal the other uses for the root certificate. According to Sleevi, Symantec said it is aware of the risk to Google users and requested the online giant takes preventative action and remove and distrust the root certificate.

The Symantec Class 3 Public Primary CA root certiicate is widely trusted not just by Google products, but also by Microsoft's Windows operating system. Apple OS X versions before 10.11 also trusted the Symantec certificate.

Sleevi said that Symantec's failure to comply with the CA/browser forum requirements for publicly trusted certificates represented "an unacceptable risk to users of Google products".

In October this year, Google demanded that Symantec undergo audits to ensure the company follows best industry practices and is fit to run a certificate authority.

Earlier this year, Symantec fired an unknown number of employees for wrongly issuing a large number of fake digital certificates which could be used to authenticate and impersonate Google and other internet domains.

Update: Symantec told iTnews the certificate removal had been initiated by itself, not Google.

“In keeping with industry standards and best practices, Symantec notified major browsers in November, including Google, that they should remove or untrust a legacy root certificate from their lists called the VeriSign Class 3 Public Primary Certification Authority G1 (PCA3-G1),” a spokesperson for the security vendor said.

"We advised this action because this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications. 

"By announcing that they will be blocking this root certificate, Google has indicated that they intend to do exactly as we requested, a step that other browsers started taking in 2014,” the spokesperson said.

Update II: The first paragraph of the story has been amended to better reflect that Google will only distrust one Symantec root certificate.