Google and Symantec are engaged in a war about each other’s security practices, with all of us caught in the crossfire. As TechCrunch reports, Google believes that Symantec has been improperly issuing security certificates for tens of thousands of websites. If the search engine follows through with its threat, then Chrome will soon no longer place the same level of trust in Symantec’s certificates.
Put simply, a security certificate is like a hall pass, letting you roam the corridors of your high school for bathroom breaks and nurse visits. Google says that it’s a diligent teacher who makes sure it only hands out paperwork to the honest and the deserving. But it thinks that Symantec has just left a stack of notes by the door, letting any student use them while it grabs a nap behind its desk.
In a post over on Google Groups, Ryan Sleevi says that the search engine has been investigating “a series of failures,” by Symantec. By downgrading Chrome’s level of trust in Symantec’s certificates, the browser will effectively force the security company to re-issue newer certificates, faster. Otherwise, you’ll not be able to visit websites with old, untrustworthy documentation without Chrome giving you plenty of warnings.
Google hopes that the move will force Symantec’s researchers to do a better job of keeping its house in order. But this fight isn’t a new one, and the two companies have a history of dust-ups, including Google calling out holes in Symantec’s antivirus products that made them more open to attack. That was in retaliation to Symantec using fake security certificates to access Google-owned domains.
Symantec’s response can be paraphrased down to gee man, don’t be a narc, dude, saying that 127 improperly issued certificates caused “no consumer harm.” In addition, it says that Google has turned a blind eye to other companies’s failed practices to target Symantec. This fight is likely to persist with passive-aggressive sniping and other arguments, at least until everyone sits down over a table and makes up.