[Updated with Symantec's official response, April 9, December 15] Google announces that its full range of products will no longer trust a Symantec root certificate
Symantec's official response was updated on April 9, December 15.
Symantec contacted FreeBuf, saying that the "Class 3 Public Primary CA" certificate was only a test certificate and was revoked after just one day of testing. In March September this year, Symantec's low-end certificate brand Thawte (Symantec digital certificates come under three brands: Symantec (formerly VeriSign), GeoTrust and Thawte) issued a Google certificate for testing, which was revoked after a single day of testing. It was issued from the Thawte root. Almost all CAs around the world issue internal certificates for testing, and none of them has been attacked over it the way Symantec has.
Symantec has also carried out internal emergency handling (as described at the end of this article: Google and Symantec discussed the issue, and Symantec confirmed that the certificate was issued during an internal test process and was valid for only one day; it was not leaked and did not affect users. Symantec subsequently said it had fired the employees involved and conducted an internal review).
Google announced that in the next few weeks it will mark the "Class 3 Public Primary CA" root certificate operated by Symantec as untrusted in Chrome, Android, and other Google products.
In the next few weeks, Google will set the root certificate "Class 3 Public Primary CA" operated by Symantec to untrusted in Chrome, Android, and all Google products. We are doing this in response to Symantec's notice that it had decided the root certificate would no longer comply with the Baseline Requirements of the CA/Browser Forum as of January 1, December 1, 2015. As these Baseline Requirements reflect industry best practice and form the basis for trust in certificates, rejecting them poses a huge risk to users of Google products.
Symantec has told us that they will not use this certificate for other purposes. However, since this root certificate does not comply with the Baseline Requirements of the CA/Browser Forum, Google cannot guarantee that this root certificate, or other certificates issued under it, will not be used to intercept, interfere with, or forge users' encrypted communications. Symantec declined to describe the new uses of these certificates and was aware of the risks to Google users, and they have asked Google to take preventive measures to remove the root certificate. This measure is necessary because the root certificate is trusted in Android, Windows, and OS X versions earlier than 10.11.
Symantec said it does not believe that customers running secure websites will be affected, and that, as far as it knows, customers accessing websites that use Symantec certificates will not be affected either. Users who encounter problems can contact Symantec technical support.
More technical details about the root certificate:
Friendly Name: Class 3 Public Primary Certification Authority
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Public Key Hash (SHA-1): E2:7F:7B:D8:77:D5:DF:9E:0A:3F:9E:B4:CB:0E:2E:A9:EF:DB:69:77
Public Key Hash (SHA-256): B1:12:41:42:A5:A1:A5:A2:88:19:C7:35:34:0E:FF:8C:9E:2F:81:68:FE:E3:BA:18:7F:25:3B:C1:A3:92:D7:E2
MD2 Version
Fingerprint (SHA-1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
Fingerprint (SHA-256): E7:68:56:34:EF:AC:F6:9A:CE:93:9A:6B:25:5B:7B:4F:AB:EF:42:93:5B:50:A2:65:AC:B5:CB:60:27:E4:4E:70
SHA1 Version
Fingerprint (SHA-1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
Fingerprint (SHA-256): A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05
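As an added example (not from the article, Google or Symantec), the following Python script computes the SHA-1 and SHA-256 fingerprints of every certificate in a PEM bundle and flags any that match the two root fingerprints listed above, which is how an administrator can check a local trust store for the distrusted root. The PEM sample embedded in it is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

# Fingerprints from the article for the "Class 3 Public Primary Certification Authority"
# root (MD2-signed and SHA-1-signed versions). These are digests of the whole DER
# certificate, not the "Public Key Hash" values, which digest only the public key.
DISTRUSTED_ROOT_FINGERPRINTS = {
    "sha1": {
        "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2",
        "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B",
    },
    "sha256": {
        "E7:68:56:34:EF:AC:F6:9A:CE:93:9A:6B:25:5B:7B:4F:AB:EF:42:93:5B:50:A2:65:AC:B5:CB:60:27:E4:4E:70",
        "A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05",
    },
}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(pem_text: str) -> list:
    """Return the DER bytes of every certificate found in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_RE.finditer(pem_text)]


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, as browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so fingerprints copied from different tools compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def is_distrusted_root(der: bytes) -> bool:
    """True if the certificate matches the distrusted root under either digest."""
    return any(normalize(fingerprint(der, algo)) in {normalize(f) for f in fps}
               for algo, fps in DISTRUSTED_ROOT_FINGERPRINTS.items())


def distrusted_in_bundle(pem_text: str) -> list:
    """Indices of certificates in the bundle that match the distrusted root."""
    return [i for i, der in enumerate(pem_to_der_blocks(pem_text)) if is_distrusted_root(der)]


# Constructed sample bundle: arbitrary bytes wrapped in PEM markers, not a real certificate.
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"\x30\x82constructed-not-a-real-cert").decode()
                 + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for i, der in enumerate(pem_to_der_blocks(SAMPLE_BUNDLE)):
        print(i, fingerprint(der, "sha1"), "DISTRUSTED" if is_distrusted_root(der) else "ok")
```

Run it against a real store with `distrusted_in_bundle(open("/etc/ssl/certs/ca-certificates.crt").read())` (path is an assumption; it varies by system).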
Fake certificate
On April 9, October this year, Symantec's Thawte CA issued a pre-Extended Validation certificate (an EV pre-certificate) for the google.com and www.google.com domains without Google's knowledge. Google discovered the problem from the Certificate Transparency logs that Chrome automatically forwards. Google and Symantec discussed the issue, and Symantec confirmed that the certificate was issued during an internal test process and was valid for only one day. The certificate was not disclosed and did not affect users. Symantec subsequently said it had fired the employees involved and conducted an internal review, which found that its employees had also issued test certificates for 23 domain names, including Google's and Opera's.
On July 6, April this year, Google and Firefox both announced that they would no longer trust CNNIC's digital certificates, because the Egyptian company MCS Holding had issued fake certificates for several Google domains using an intermediate certificate issued by CNNIC.