First in 2015, then much more emphatically in early 2017, Google (and other browser developers, notably Mozilla) charged that Symantec and its partners were improperly issuing certificates, violating the rule set by the CA/Browser Forum, a standards groups whose members include browser makers and certificate authorities.
Google decided that Symantec's problems were endemic, and that the accumulating incidents were proof that the CA could not be trusted to issue the certificates that were, in fact, the basis of trustworthiness on the Web – proving that, say, a website is what it claims to be, and not a fake that would steal users' money or credentials or data.
That Google was able to force Symantec to comply with its demands, and then in early August actually sell its CA business to Utah-based DigiCert – withdrawing from the industry altogether – speaks to the power of the search giant, notably its Chrome browser. "Clearly, Google is very, very powerful," said Mahdi.
In this case, Google's power, "leverage" may be a better word, comes from the dominance of Chrome. According to metrics vendor Net Applications, Google accounted for nearly 60% of the world's browser user share, an estimate of the portion of the globe's personal computers that used Chrome to reach sites during August. Chrome's command of the browser market has been a relatively recent phenomenon: Google only passed Microsoft as the planet's most popular browser maker in May 2016.
If Google decided to untrust all Symantec certificates, site operators would have no choice but to replace those certificates. If they did not, they would risk losing a landslide majority of potential customers, who would be motivated to patronize rivals' websites secured by other CA certs. Notably, financial firms would face a hurricane of customer complaints when they were told to drop Chrome and pick another browser.
While Mozilla has raised similar complaints, Firefox's maker would almost certainly not have been able to pressure Symantec to radically change its CA practices and processes, simply because of that browser's place. In August, for instance, Net Applications pegged Firefox as having a global user share of just 12%, a fifth of Chrome's.
Although companies are staring at calendar dates as close as next spring, there is no clear direction yet from either Symantec or its successor, DigiCert, on the process of replacing the soon-to-be-untrusted certificates.
Gartner's Mahdi pointed out that he was in the dark as much as Symantec's CA customers, even after speaking with executives from both that firm and DigiCert.
"How are the certificates going to be migrated? What's the pricing going to look like?" Mahdi asked, citing unanswered questions that Gartner's clients have posed to him. "What clients want is a game plan."
Sign up for Computerworld eNewsletters.