The certificate war

Sven Krumrey

Google is peeved. And every time Google is enraged, Chrome, the market leader among browsers, is readied for battle. This time, it's about certificates, a cornerstone of the Internet and data security. With the upcoming versions 66 (scheduled for April) and 70 (October), Google seeks to make the web more secure - and tries to settle a few scores in the process. Read on to learn why many sites will soon be flagged as "insecure" and disappear from the top search results!

The bone of content

Google wants to make the web a safer place, maybe out of self-interest to some degree (i.e. product maintenance) but also because there's a real need for better security. Since the Internet is international and decentralized, there is no single regulatory body. That's why, every now and then, companies team up with states to effect change, or IT giants (here: Google) use their dominance to push things through on their own initiative. First, sites without HTTPS encryption will come under fire. HTTPS encryption is essential to exchange data securely.

Without encryption, anything sent through the Internet is readable as plain text by anyone with network access - a perfect opportunity for man-in-the-middle attacks. HTTPS allows web servers and clients to establish an encrypted connection that is hard to crack while giving users the certainty that the sites they visit are authentic. This is indicated by a padlock symbol next to the URL in the address bar. Clicking the lock reveals additional details about the certificate and its owner.

In the past, HTTPS certificates were like status symbols and only used by large online stores, banks and government institutions while the rest could only pray and hope for the best. Certificates were expensive and difficult to set up which is why smaller sites either shunned the effort or simply couldn't afford it. Over the past few years, HTTPS certificates have dropped in price and campaigns like "Let's Encrypt" even gave them out for free now. Does that mean all is well?

An essential building block of Internet security

Not quite, since at least 30% of sites either can't or won't participate. Some web hosters only accept expensive certificates issued by commercial providers - maybe because they don't want to fall out of favor with them. In other cases, site providers simply have no motivation to use HTTPS, and I can understand that as long as those sites are run by private individuals. Anyway, Google has now begun to tighten the reins. Sites that do not use HTTPS will soon be marked "Not secure" in Chrome which may scare off a few users. Firefox will join in the effort starting with version 60 and other browser developers will likely follow suit. And as if that wasn't enough, affected sites will also be downranked in Google's search results and we all know that no-one ever looks past page 1 of those results!

In this light, the clash between Google and Symantec feels almost personal. It can be objectively said that Symantec has engaged in some shady practices when issuing certificates in the past. Back in 2015 when three certificates were made out in Google's name (without their knowledge), Symantec already received a sharp rebuke. In 2017, Google then accused Symantec of having incorrectly issued over 30,000 certificates without proper verification of future holders. Others received certificates for domains they didn't own. Imagine what criminals could do with a certificate issued in the name of a bank or a big online store!

No HTTPS, no secure connection

Again, the loss of trust will carry severe consequences. As of April 17, Chrome will display a warning for certificates created by Symantec before June 2016 and notify users that their connections are insecure and prone to interception. If this happened to an online store, it would be a disaster. In October, these warnings will be further escalated even though there will be no blocking (yet). It's reasonable to assume that search rankings will also be adjusted accordingly resulting in further downranking. So far, many big names including Tesla are directly or indirectly affected.

As always on the Internet, reactions are mixed. One side praises Google for their security work and accuses Symantec of bringing the "holy grail" of online certificates into disrepute (Whom can you trust once HTTPS is no longer secure?) while others see Google overstep their boundaries. They argue that Google is trying to distract from their own problems like various data security issues in their products. And anyway, who made Google town sheriff? Yes, they have considerable market power but does this give them the right to put millions of web sites at a disadvantage and to harm a company like Symantec with over 11,000 employees? Does the end justify the means in this case?

What do you think?

Back to overview

Write comment

Please log in to comment