Comodo has announced an upgrade programme for Symantec, Thawte and GeoTrust certificates. This programme is designed to take advantage of the problems facing Symantec’s certificate business. Over the last three years Symantec has suffered a number of problems at the division, with staff issuing improper certificates. Back in 2015 it even fired a number of staff for failing to maintain a secure issuance process.
This time the problems are having significant consequences. Google has announced that it is going to severely restrict the trust and renewal times of certificates issued by Symantec. Google Chrome has a majority of the browser market. This is a major problem for any customer using a certificate issued by Symantec, Thawte or GeoTrust.
What has caused this problem?
In March, Google publicly berated Symantec for mis-issuing 30,000 HTTPS certificates. This was more than just a war of words. Google also said that it was going to limit the use of Symantec certificates in Google Chrome. It would no longer provide the Green Padlock in the URL bar to indicate users were using a trusted and secure site.
Since then Google has backtracked. On May 19, Ryan Sleevi, a Google software engineer, updated an earlier blog post about the blocking of Symantec certificates. Sleevi detailed how Google and Symantec were moving forward to solve the problem. By August 2018, all Symantec-chaining certificates have to be issued by Managed Certificate Authorities. These are trusted third parties who will be responsible for checking that certificates are issued correctly.
What does this mean?
Comodo is offering to provide an equivalent certificate to any issued by the three CAs named. The deal includes a free year for all customers who move to Comodo or its partners. What isn’t clear in the release is how much it will cost customers to make the move.
While this deal is focused on the problems facing Symantec and its subsidiaries, they are not alone in having issues. Several companies have been hit by fake certificates in recent years, including Google. Cybercriminals are always keen to get hold of fake certificates, as they make it easier to set up legitimate-looking sites.
It will be interesting to see if this move by Comodo will stop at targeting Symantec-owned businesses. There are a lot of smaller certificate authorities out there who could find themselves a target for this type of offer.