News Google is unhappy with Symantec over its SSL cert issual.

Technoglitch

Core Member
"Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner."

If Symantec wants its certificates recognized by the Chrome web browser, Google has said the firm must update the original report with all the details and an explanation of what went wrong. This Symantec has now done (you can read it here), but the biz has more hoops to jump through if it wants Chrome to accept its certificates going forward.

Symantec will also need to give Google a detailed timeline for the process behind the creation of each certificate and a list of things it will do to make sure it doesn't happen again. Since this involves confidential information, Google won't be making that information public.

In addition, Symantec must hire a third-party security auditor to conduct a full audit and check that private keys have not been exposed and that auditing software works as specified. In addition, the auditors will ensure that Symantec is compliant in the following areas:

If Symantec bungles this second chance, come June 2016, Google Chrome and other Google apps will warn netizens not to trust any websites that use new Symantec-backed certificates.

This will encourage web developers to avoid using Symantec-issued SSL certs for their HTTPS-encrypted websites, and similar services, dealing a damaging blow to Symantec.

Fuming Google tears Symantec a new one over rogue SSL certs • The Register
 

IndianMascot

Core Member
I may not call it their fault. Google is very rigid to declare any website dangerous. Don't you remember they declared ours the same.
 

Technoglitch

Core Member
Not long ago, Symantec revealed that it had issued bogus security certificates for numerous web domains, including Google's... and as you might guess, Google isn't happy. The search firm is warning Symantec that, as of June 1st, any Symantec certificates which don't meet its transparency policy may create warnings and "problems" in Google products (read: they'll be deemed insecure). Moreover, it's asking Symantec to explain why it didn't catch some of the fake certificates, the causes behind each slip-up and the steps it'll take to set things right. Not surprisingly, Google doesn't want malicious sites posing as someone else (especially not Google) in order to deliver malware or perpetuate phishing scams.

For its part, Symantec claims that it issued a "small number" of test certificates by mistake, and revoked them before notifying those affected. It also fired a handful of staff who reportedly weren't following guidelines. There's a good chance this won't happen again. However, the antivirus maker also appears to be downplaying the scope of the problem. Google notes that it found dodgy certificates after the first time Symantec examined its behavior, and Symantec's second audit caught over 2,600 of them -- that doesn't sound small to us. While the two companies aren't bitter enemies, it could be a long while before they get back into each other's good books.
Google slaps Symantec for issuing fake web security certificates
 