• Symantec CA Response to Google Proposal and Community Feedback

        Oct 20 2017, 8:54 PM

        by connect

        We take our role as a key player in the trust ecosystem of the Internet very seriously. We believe that secure and compliant issuance of SSL/TLS certificates is fundamental to the security of the Internet and that we have a responsibility to collaborate with our customers and the broader community to continuously improve industry standards, and specifically our practices, for certificate issuance.

        On March 23, Google posted a blog outlining a proposal to change how Symantec’s SSL/TLS certificates are recognized in Chrome. Their proposal stemmed from prior certificate mis-issuances that occurred in our Certificate Authority (CA) business, which we have taken extensive remediation measures to correct. We have carefully reviewed Google’s proposal and sought input from the broader browser and user community on this topic, which has informed our continuous improvement planning. This post outlines important measures that we propose to implement in our CA business. We believe our proposal addresses the concerns raised by Google about our CA business without imposing undue business disruption on our customers and Chrome users that we believe would result if Google implements its proposal.

        Feedback from our Enterprise Customers

        In addition to our review of public commentary on these issues, we have also sought input and feedback from Symantec customers on the compatibility and interoperability impact of the significant changes that could result from the implementation of Google’s proposal. These customers include many of the largest financial services, critical infrastructure, retail and healthcare organizations in the world, as well as many government agencies. This cohort is an important constituency that we believe has been under-represented to date in the public commentary that has been posted to the Google and Mozilla boards since large organizations rarely authorize employees to engage in such public discussions, particularly in an area related to security. We first solicited feedback to understand the disruption that a browser-initiated trust change, like the one proposed by Google, would cause organizations that opt to replace their existing SSL/TLS certificates in order to maintain interoperability with all browsers. We learned that these organizations’ publicly facing web applications, while extensive, only represent a fraction of their dependency on publicly trusted Symantec roots. Many large organizations have complex, and potentially undocumented and little-known dependencies on their certificate infrastructure. Examples of complex dependencies on Symantec public roots that our customers have shared or we have identified include:

        • Embedded devices that are pinned to certificates issued by a Symantec public root to communicate to resources over the Internet or Intranet. Replacing these certificates would result in immediate failures and the need to recode and reimage the firmware for these devices.

        • Mobile applications that have pinned certificates. Replacing server certificates would require these applications to be recoded, recompiled and redistributed.

        • Critical infrastructure organizations that use certificates issued off of Symantec roots to validate internal and external resources. In many cases, the applications being used are pinned to Symantec certificates.

        • Some large organizations use certificates chained to Symantec public roots for nearly all internal applications and communications. Many of these organizations are under regulatory requirements to encrypt even internal communications.

        Additionally, many of these organizations estimate that just the planning process to prepare to move to a new certificate authority could take many months and in some cases years because of unknown and undocumented dependencies. Moreover, few large enterprises that we’ve received feedback from have implemented the level of certificate lifecycle automation required to enable safe and cost-effective adoption of shorter validity certificates. We believe that it is important for the broader community to understand and give more weight to these compatibility and interoperability risks, particularly given the fact that many of these organizations are prohibited from commenting publicly on these topics.

        To give a perspective of scale, Symantec secures more than 80% of the world’s ecommerce transactions through its certificate infrastructure. Additionally, Symantec is the world’s largest provider of Organization Validation (OV) and Extended Validation (EV) certificates which are primarily used by large enterprises. Many of these certificates sit inside corporate and government networks and are an important part of the trust fabric of internal communications.

        In short, our assessment based on customer feedback is that the interoperability and compatibility failures that could result from a large-scale certificate replacement or invalidation event would be significant and unpredictable.

        Our Proposal to the Community

        We understand the importance of providing transparency into our CA operations and responding to community questions and feedback to inspire trust. We propose to undertake the following actions in response to browser concerns and customer feedback as well as to increase trust and confidence in our processes and our commitment to the compliance frameworks set forth by the CA/B forum and browser root programs.

        Our EV Process

        Symantec has some of the most comprehensive Extended Validation processes in the industry. We have, on occasion, been criticized for the time it takes us to validate EV certificates while some of our competitors boast rapid (15-20 minute) validation times for EV. We believe that issuing an EV certificate represents the highest bar of certificate validation in the industry and that the process used to validate these certificates must be conducted with the appropriate care. The widespread adoption of Certificate Transparency for EV certificate issuance now makes it possible for independent third parties to compare the accuracy of these issued certificates. One such organization, Netcraft, has been evaluating EV issuance over time. Figure 1 below (source: represents their findings of Symantec EV certificate compliance compared to the rest of the industry.

        Figure 1 - Symantec vs. Rest of Industry on EV Certificate Requirements.

        The Netcraft numbers demonstrate strong EV requirements compliance for Symantec relative to our peers. Our point-in-time and recent period-in-time audits have demonstrated that we are issuing EV certificates in accordance with industry requirements. We are confident in our EV issuance practices, which we have informally benchmarked against other CAs. We believe our EV validation processes are among the most thorough ones employed by any CA. Nevertheless, to reassure the browser community regarding our EV issuance practices we propose to undertake the following:

            1.  We will commission a third party auditor to perform a backward-looking audit of all active EV certificates that have been issued by Symantec to give comfort around the validity and integrity of our EV certificates and our EV certificate issuance practices. This action is proposed as an alternative to Chrome’s suggestion to remove EV treatment of past or future issued EV certificates, which we believe is unjustified. We believe this additional audit of our EV certificates provides full transparency into our EV certificate practices and reaffirms confidence that our active Symantec EV certificates are trustworthy. Our intention is to complete this third party audit by August 31, 2017.

        Registration Authority Authenticated and Issued Certificates

        Historically, Symantec has issued SSL/TLS certificates either directly or through Registration Authority (RA) partners who have issued such certificates on Symantec’s behalf. We want to provide assurance that all Symantec certificates are properly issued. With these issues in mind:

             2.  We will commission a third party auditor to attest to the list of active certificates that had been issued by any prior SSL/TLS RA partner, including CrossCert, Certisign, Certsuperior and Certisur. The purpose of this action is to provide transparency regarding existing certificates validated by RA personnel. We believe this action also provides additional assurance regarding the efforts we have already undertaken to revalidate all active CrossCert certificates as well as review 100% of the certificates issued by the other former RA partners. Further, we will ask our external auditors to audit 100% of the work we have done to revalidate or review and, where necessary, remediate active certificates issued by all of these former SSL/TLS RA partners. Our intention is to complete this third party audit by August 31, 2017.

        Increased Transparency 

        We recognize that an accurate understanding of our past incidents is important to enable an objective evaluation of any proposal regarding this topic. We have responded to, and will continue to review and respond to the salient questions posed on the post at the forum to provide further transparency into our past compliance incidents.

        Furthermore, we understand the importance of providing increased transparency into our CA operations. As part of our effort to do so, we will do the following:

           3.  We will conduct a six month period-in-time WebTrust audit for the period from December 1, 2016 to May 31, 2017. We will thereafter move to a cadence of quarterly WebTrust audits (in lieu of annual period-in-time audits), beginning with the period from June 1, 2017 through August 31, 2017, until such time as we receive four consecutive quarterly WebTrust audits without qualification. The purpose of this action is to provide greater transparency regarding our operations and new certificates issued by Symantec going forward.

           4.  We will publish a quarterly letter to update the community on the progress of our third party audits identified in this proposal and the progress of our continuous improvement program that incorporates the other actions in this proposal.  

           5.  We will work through the CA/B forum to recommend new (or where applicable, updated) guidelines for appropriate customer exception requests to baseline requests. While the CA/B forum has developed a process for exception requests, we believe it should consider further guidelines to assess the risk associated with these requests and determine conditions under which the CA/B forum might expeditiously approve exception requests.

           6.  We will endeavor to improve the timeliness of our responses to the browser community as well as the level of technical detail we provide in them, balancing the interest of the community to receive prompt responses to their questions with the time required to perform the investigative steps necessary to provide thorough responses to such questions.

        Move to Shorter Validity Certificates

        We support the added option of shorter validity certificates, as do several browsers and others in the ecosystem. Shorter validity certificates can reduce exposure in the case of an undetected key compromise, enable faster adoption of improvements to industry standards (e.g. move to ECDSA or SHA3), and drive more rapid remediation of potential TLS-related vulnerabilities (like Heartbleed) that can require certificate replacement.

          7.  By August 31, 2017, we will begin to broadly offer SSL/TLS certificates with three month validity periods to give our customers greater choice and flexibility in the validity periods of the certificates they purchase and deploy from Symantec. From the customer feedback we have received to date, we believe this offering may be most attractive to customers that have already enabled automation, such as customers and partners integrated with our APIs and e-commerce customers with less complex environments. In addition, we will continue our investments in automation to enable organizations with even the most complex infrastructure to practically and cost-effectively adopt shorter validity certificates. Our near term investments will focus on modernizing our certificate issuance systems and workflows to enable faster issuance, and developing tools that enable customers to rapidly and securely implement their certificates and configure their systems.

          8.  We will perform a domain revalidation of all issued certificates that have a validity period longer than nine months at the nine-month mark (at no additional cost to our customers). This approach is intended to balance the customer impact of replacing certificates, for those not ready to move to shorter validity certificates, with visibility that ensures that certificates are being used appropriately. We commit to working with the browser community regarding appropriate transparency mechanisms (e.g., an extension of CT logging, OCSP extension, signed DNS text record, or signed revalidation list) that provide an attestation to this revalidation and ensure accountability of our implementation of this action. An initial certificate validation is one level of authentication. Certificate domain revalidation post-deployment further extends the trustworthiness of the initial certificate, which is a positive extension of the CA trust model.

        Continuous Improvement of our CA Operations

        We seek to continuously improve our systems and processes around certificate issuance. With this in mind:

          9.  We are further increasing our investment in the Security and Risk function of our CA operations, with a focus on our security and compliance controls and risk assessments. As a first step, we are commissioning a third party to conduct a process and systems risk assessment of our CA operations. The scope of this assessment will include an inventory of our systems and use cases, and a review of the security controls we have in place with respect to all of our PKI services, including SSL/TLS certificates. This third party assessment will also incorporate red teaming and penetration testing of our processes and systems beyond what we do already. The purpose of this third party risk assessment, which we expect to complete by October 31, 2017, is to provide increased confidence in the risk management posture of our CA operations beyond WebTrust audit reports.

        10.  We will update our Root Program to more directly compartmentalize different certificate use cases. This update will involve creating dedicated roots and/or sub-CAs, for example, to segment customers who today use our publicly trusted hierarchies for closed ecosystems like set-top boxes, for customers who have mixed ecosystems like point-of-sale systems and ATMs which connect to the same servers as browser-based applications, for customers who choose to use longer validity certificates, or for customers who serve disproportionately large web traffic. As certificates expire, we will issue new certificates that chain to the use case-appropriate roots.

        11.  Industry analysts estimate that 50% or more of all network attacks targeting enterprises this year will take advantage of SSL/TLS encryption to bypass security controls. We believe that CAs have a necessary and critical role to play in validating whether an encrypted website is malicious. Symantec’s technology infrastructure includes a Global Intelligence Network that analyzes websites, domains, servers and web services at scale and runs both real-time and background checks on such external hosts, including over a billion previously unseen and uncategorized websites a day. Our Global Intelligence Network includes technology that categorizes websites into over 80 categories – e.g., “Financial Services,” “Education,” “Malicious Sources/Malnets” or “Suspicious” – based on linguistic analysis, inter-site relationships, host-attribute analysis and reputation and history. Modules within our Global Intelligence Network analyze site content such as images, video and embedded links and can run in-depth content analysis in over 50 languages to help categorize sites and identify potential risk. We will begin to use our Global Intelligence Network to identify encrypted websites that have an increased threat risk based on our rating categorization and take appropriate action to mitigate risk for our certificates associated with such sites.

        Even though our past mis-issuance events have not, to our knowledge, resulted in customer harm, we consider compliance with industry standards a critical responsibility of our CA business. We believe our multi-faceted proposal addresses the concerns regarding the trustworthiness of Symantec’s past and future SSL/TLS certificate issuances. We also believe our proposal appropriately balances these concerns with the significant compatibility and interoperability risks, as well as customer burden, which would result from any proposal that limits the trust of existing Symantec SSL/TLS certificates, imposes shorter validity periods on newly issued Symantec certificates and/or removes EV recognition for our certificates in browsers.

        We welcome constructive feedback to our proposal, which we understand may take time for the Internet community to fully consider. In the meantime, we will continue to solicit feedback from our customers and partners, which are important stakeholders that will be impacted by changes to our operations, whether as a result of our proposal or any other.

      • The modern eCommerce landscape: How compliance impacts success

        Apr 20 2017, 10:15 PM

        by Rufus Connell

        The more we rely on the web for personal and business use, the more important it is to keep it (and ourselves) safe from cyberthreats. The bulk of this responsibility falls on those in charge of websites, but once you understand the evolving cybersecurity landscape, you’ll realize you can actually shape it to your business advantage.

        Ushering in a new era of cybersecurity
        Key internet stakeholders, including web browsers, cybersecurity companies and organizations in the payment card ecosystem are joining forces and redefining best practices to create a safer, more sustainable internet:

        •    Chrome and Firefox are displaying “Not Secure” warnings on certain web pages that are not encrypted.
        •    Symantec and other security providers are supporting widespread data encryption.
        •    Payment card companies continue to innovate and drive stronger fraud prevention.

        The Payment Card Industry Security Standards Council (PCI) recently updated an important Best Practices for eCommerce Report. The update was created in collaboration with a special interest group including representatives from Symantec as well as merchants, financial institutions, service providers and other payment security professionals. The report offers:

        •    Additional guidance to the PCI Data Security Standards Guide (PCI DSS) about best practices for securing eCommerce implementations.
        •    Useful information for selecting SSL/TLS certificates (and the certificate authorities which provide them), especially those which are most appropriate for unique eCommerce environments.
        •    Questions merchants should ask their certificate authorities, eCommerce solution partners and other service providers.

        Staying ahead of these evolving best practices can help you not only protect your customers and your website, but also improve your business and profitability.

        The stakes are high
        Cyberthreats are more pervasive than ever before. Customers are increasingly concerned about fraud, and failure to adhere to the latest compliance benchmarks can significantly impact your business. If a data breach occurs:

        •    Consumers lose confidence in your brand, making it difficult (if not impossible) to restore your image.
        •    The brunt of financial responsibility typically rests on merchants.
        •    Other liabilities exist in the form of fines and penalties, legal costs, lost jobs and more.

        In short, it all comes down to good governance. Without it, your site and your brand are at risk. With it, the eCommerce world is your oyster, and credibility and profit are the pearls within. 

        The road to success is paved with best practices
        Rather than burdening your business, compliance with evolving standards can actually open up new avenues of opportunity. But to capitalize upon them as an online merchant, your responsibilities include:

        •    Ensuring secure development of software and confirming Payment Application Data Security Standard (PA-DSS) validation of third-party apps
        •    Maintaining written agreements with third parties to ensure cardholder data is protected
        •    Strengthening SSL/TLS certificate authentication, minimizing risk and more

        The better you understand security guidelines, the easier it will be to stay competitive and build a sustainable online business.

        Ready to learn more?
        Register now to attend Online Trust: Where Compliance Meets Profitability, a live webinar that will be held on April 26 at 10 a.m. PST. Representatives from Symantec and VISA, key members of the PCI special interest group, will explore the intersection of compliance and profitability – and how the latest internet security best practices can benefit you, your customers and your business. 

      • An Update for our Symantec CA Customers

        Oct 20 2017, 9:14 PM

        by Roxane Divol

        In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers.  The text of our most recent customer communication is below: 


        It's important that we keep the lines of communication open with you as we continue to deliberate possible changes to how we support your website security needs in response to Google's proposal. There is no doubt that these proposed changes would create a ripple effect across the entire industry. Following up on my previous Message To Our CA Customers, I wanted to provide you with an update on the progress we have made in response to Google's proposals.  

        In the weeks since Google shared its initial proposal, we have met with Google several times and have also embarked on an industry-wide listening tour to understand the impact that any changes may cause to our customers, partners, and the PKI ecosystem. Our goal is to find a combined path forward that will ensure business continuity for our customers and peace of mind for all browsers and other industry stakeholders.  

        These conversations have been both encouraging and instructive. And the input we've received from our industry stakeholders, partners, and most importantly, our customers, gives us confidence that we can come to the table with an alternative proposal that will serve the shared interests of the entire industry.  

        We have also heard consistently from customers like you that the transition to fully adopt Google's proposal within its suggested timeframe would cause significant business disruption and additional expense - especially within complex IT infrastructures. Mitigating these concerns is a top priority for us as we develop our counter proposal and provide responses to the salient questions the community has posted online. While we believe Google understands the burden their proposal creates, if they decide to move ahead with their original plan, I want to reassure you that Symantec will keep your websites, web servers or web applications operational across all browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period.  

        While we've made solid progress, we have plenty of work left ahead of us and I hope you will continue to consider us a trusted security partner as we address the challenges before us. I firmly believe that the only way to improve is by listening. If you have thoughts on shorter validity certificates, automation, or the value of extended validation (EV), please don't hesitate to reach out to me or voice your concerns anonymously by participating in a brief online survey.  

        Your input is invaluable and I thank you for your continued support.  

        Best regards, 

        Roxane Divol

        Executive Vice President & GM, Symantec Website Security

      • Leveraging Information Driven Product Design to Accelerate Speed to Market

        Apr 16 2017, 12:58 AM

        by Nikon Rasumov
