Dec 18, 2015 4:32:22 PM
Broken Trust: Symantec's Untrusted Verisign Root CA

Left in the Dark: When the Sun Sets Too Early

The Internet security landscape is constantly changing.  Data drives the decisions that organizations make about their security posture; when that data is incomplete, forecasting the consequences of security changes becomes nearly impossible.  Earlier this month, at the prompting of Symantec Corporation, Google has removed trust for a legacy Verisign CA root certificate from their products including the Android mobile operating system and Chrome web browser.

“But Michael, it’s a legacy CA... Isn’t this just part of the normal sun setting process for a public root certificate?”

Yes, this is an old CA.  The root certificate holds an RSA 1024-bit public key, and its signature hash uses the deprecated SHA1 hashing algorithm, it undoubtedly needs to be retired.  Symantec claims that they have not used this root to sign any new certificates in “several years.”  Numerous other vendors including Microsoft Corporation and Apple Inc. have already removed this root certificate from the trust stores of their respective operating systems and browsers.

Getting to the Root of the Problem

So why am I bothering to write about something as mundane as the retirement of a public root CA?  Think back to just a minute ago; do you remember me talking about data, decisions, and consequences?  Do you remember how I mentioned that security decisions driven by incomplete data can lead to misunderstanding and underestimating consequences?

As part of the SSL Certificate Monitoring Survey we continually monitor all of the SSL/TLS endpoints on the public Internet.  Amongst the millions of certificates active on the Internet are you willing to bet that Symantec knows about every single one that chains to their public roots?  Given their foibles over the past year regarding “fake” and “rogue” certificates issued from their public roots, do you trust them to know what certificates they’ve issued?

Legacy Root or not?

As of the December 1st, when the deprecation was executed in Google products, our research indicates that there were still 21,848 SSL/TLS endpoints live on the Internet serving up certificates that chain to this “legacy” root.  Manual inspection of a few of the affected endpoints led us to webservers for investment banks, online tax preparers, VPN edge devices, and e-commerce sites.  The data calls into question Symantec’s claim that they have not used this root to generate new certificates in “several years.”

Despite the bleak picture I painted above, I can say that in the days since we discovered these certificates, Symantec seems to be true to their word in making things right for affected customers.  All of the endpoints that were manually inspected have been assigned new certificates.  These new certificates chain to alternate G3 roots or newer, more secure G5 roots at Verisign.

Operating a public root CA on the Internet requires the operator to provide assurance that they can be trusted.  In recent history, Symantec and its various subsidiaries have made missteps:  losing track of issued certificates, issuing “fake” or “test” certificates from a public root, and deprecating a root stranding customers with end entity certificates that are no longer trusted.  Do these seem like the actions of an organization that you would want as a leader providing trusted identity on the Internet? 

Worldwide Internet certificate research

Check out the CSS website for data on the current Internet landscape of SSL/TLS, as well as a form to request your own custom report on the digital certificates we have observed monitoring SSL/TLS usage on the Internet: https://www.css-security.com/research/

For more information about the Certificate Monitoring Survey and the efforts of CSS Research, please contact us at research@css-security.com.

public ssl certificate report