pixel_dreams - Fotolia
Risk & Repeat: Mozilla joins the Symantec certificate authority debate
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss mounting pressure on the Symantec certificate authority business to provide answers about its practices.
The browser community is demanding answers about questionable practices within the Symantec certificate authority business, and the antivirus vendor is officially on the clock.
Last week, Mozilla developers gave Symantec a deadline of Thursday, Apr. 20, to provide adequate responses to several questions regarding its certificate authority practices.
Mozilla recently published a list of 14 confirmed or suspected major issues with Symantec certificate authority, including misissuing test certificates and issuing outdated SHA-1 certificates, from over the course of several years.
The Mozilla developers' actions follow an investigation by Google's Chromium team, in which it found a series of failures by Symantec to properly issue and validate certificates. The Chromium team proposed stern actions against Symantec, including incremental distrust of the company's certificates.
While Symantec has responded to some of the issues outlined by Mozilla, representatives from both Mozilla and Google have found the responses to be lacking, and have asked for more information about Symantec's certificate authority practices, policies and audits before the deadline.
Symantec has denied any wrongdoing, and has accused Google of singling the company out and acting irresponsibly.
Will Symantec come up with answers before the deadline expires? What actions will Google and Mozilla take against Symantec if it doesn't provide more information? What do these latest developments say about the state of the certificate authority industry today?
In this week's episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more on the Symantec certificate authority controversy.