Wireless News
12-14-2015, 04:50 PM
http://l3.yimg.com/bt/api/res/1.2/zwHPUmJhHmOf13WsPWcu2A--/YXBwaWQ9eW5ld3NfbGVnbztmaT1maWxsO2g9ODY7cT03NTt3PT EzMA--/http://media.zenfs.com/en-US/homerun/digital_trends_973/a60daf87856c958c29b30039b8e9a6ed (http://news.yahoo.com/symantec-asks-google-remove-trust-201635882.html)Google has decided to “distrust” a Symantec root certificate that the security company says is no longer compliant with security standards. The cert could have potentially been used to intercept users’ web traffic. The move is the latest in a series of issues between Google and Symantec over trust for the latter’s digital certificates. In October, Google told the company that it must be more transparent over the issuing of TSL certificates for domain names. Over the weekend, Google software engineer Ryan Sleevi wrote that Google has decided to distrust Symantec’s “Class 3 Public Primary CA” root certificate, used in Google products like Chrome and Android. “Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements,” he said, explaining that the cert’s trust was cut off on December 1st. The Baseline Requirements are a set of criteria for best practices in the issuing of digital certificates for SSL/TLS servers. “As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products,” said Sleevi. Related: Google issues ultimatum to Symantec over unauthorized HTTPS certificates Use of the vulnerable certificate could allow a malicious actor to spoof a Google service and target users or intercept web traffic. Symantec requested that Google remove and distrust the root certificate once it became aware of the security risk it would pose to users on Chrome and Android. Website owners and-general users will not be affected, it added, as this is the usual procedure for dealing with legacy certs. Google will still continue with its plan to remove trust for Symantec certificates if they do not introduce more transparency in how they issue certs by June 1st 2016. The ultimatum came after the company issued several certificates-for domain names to people or organizations that did not own them. Symantec responded by firing an unspecified number of employees responsible for the error. Also watch: Asus ROG GX700 Hands On Please enable Javascript to watch this video
More... (http://news.yahoo.com/symantec-asks-google-remove-trust-201635882.html)
More... (http://news.yahoo.com/symantec-asks-google-remove-trust-201635882.html)