Google has taken the unusual step of taking Symantec to task for allegedly sloppy handling of its digital certificates. What matters for payments is that digital certificates, even when issued and managed perfectly, do not give shoppers the security assurances that most shoppers assume they do.
What the payments space needs is true e-commerce certificates that actually represent security assurances about the site, not merely that the company is truly behind that domain. A cyberthief trying to rip shoppers off would also take the trouble to register his domain properly.
Why not actually test a site’s security as well as establishing that a legitimate business is behind it? Granted, it’s hard to make a business case for that when consumers incorrectly think that’s what today’s certificates already do.
Back to the Google-Symantec spat. Google’s team opted to adopt some attitude in the posting—not that that is necessarily a bad thing.
“Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera,” Google’s post said. “However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work.”
Google’s response: “It’s obviously concerning that (Symantec) would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore, we are firstly going to require that, as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.”
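Google’s point that more questionable certificates turned up “using only the Certificate Transparency logs and a few minutes of work” cuts both ways: any domain owner can run the same sweep over CT records for its own names. The script below is an added example (not code from this post, from Google or from Symantec) of that check. It assumes CT records in the JSON shape that CT search front ends such as crt.sh return (issuer distinguished name plus a newline-separated list of DNS names); the sample records, the monitored domain, the approved names and the expected issuing CA are all constructed, hypothetical values.

```python
"""Sweep Certificate Transparency records for certificates a domain owner did not expect."""
import json
from typing import Dict, List

# Constructed sample records (hypothetical data), modelled on the JSON shape that
# CT search front ends such as crt.sh return: one record per logged certificate,
# with the issuer's distinguished name and a newline-separated list of DNS names.
SAMPLE_CT_RECORDS = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust Issuing CA 1",
     "name_value": "shop.example.com\nwww.shop.example.com", "not_before": "2015-09-01T00:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust Issuing CA 1",
     "name_value": "*.example.com", "not_before": "2015-09-14T00:00:00"},
    {"id": 103, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA Test Issuer",
     "name_value": "shop.example.com", "not_before": "2015-09-20T00:00:00"},
    {"id": 104, "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust Issuing CA 1",
     "name_value": "api.example.com", "not_before": "2015-09-25T00:00:00"},
    {"id": 105, "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust Issuing CA 1",
     "name_value": "example.org", "not_before": "2015-09-26T00:00:00"},
])

# Policy held by the domain owner (hypothetical values): which domains to watch,
# which CA organisation is allowed to issue for them, and which names were requested.
MONITORED_DOMAINS = {"example.com"}
EXPECTED_ISSUER_ORGS = {"Example Trust CA"}
APPROVED_NAMES = {"shop.example.com", "www.shop.example.com", "*.example.com"}


def issuer_org(issuer_dn: str) -> str:
    """Pull the O= attribute out of a comma-separated DN string.

    Assumes attribute values contain no commas; real DNs can, so a production
    monitor should use a proper RDN parser instead of this split.
    """
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    return ""


def name_in_scope(name: str, monitored: set) -> bool:
    """True if a SAN/CN (possibly a wildcard) falls under one of the monitored domains."""
    bare = name.lower().lstrip("*.")  # "*.example.com" -> "example.com"
    return any(bare == d or bare.endswith("." + d) for d in monitored)


def audit(records_json: str, monitored=MONITORED_DOMAINS,
          expected_issuers=EXPECTED_ISSUER_ORGS, approved=APPROVED_NAMES) -> List[Dict]:
    """Return one finding per logged certificate that the domain owner did not expect.

    Two things are flagged: a certificate for a monitored name from a CA the owner
    never engaged, and a certificate from the expected CA for a name the owner
    never requested. Certificates for other people's domains are skipped.
    """
    findings = []
    for rec in json.loads(records_json):
        names = [n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()]
        in_scope = [n for n in names if name_in_scope(n, monitored)]
        if not in_scope:
            continue  # CT logs everyone's certificates; ignore those outside our domains
        org = issuer_org(rec["issuer_name"])
        if org not in expected_issuers:
            findings.append({"id": rec["id"], "reason": "unexpected-issuer",
                             "issuer": org, "names": in_scope})
            continue
        unrequested = sorted(set(in_scope) - {a.lower() for a in approved})
        if unrequested:
            findings.append({"id": rec["id"], "reason": "unrequested-name",
                             "issuer": org, "names": unrequested})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CT_RECORDS):
        print(f"cert {f['id']}: {f['reason']} (issuer={f['issuer']}) names={f['names']}")
```

Run against the sample, the sweep reports record 103 (a monitored name issued by a CA the owner never engaged, the pattern Google describes) and record 104 (the right CA, but a name nobody requested). CT gives detection after the fact, not prevention: a flagged certificate still has to be revoked, and the sweep only sees certificates that were actually logged, which is exactly why Google’s post makes logging a requirement.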
Hold on. Symantec was this slipshod and you’re giving them eight months to support what they should always have supported? Where is this lenient Google hiding whenever a retailer slightly violates one of its search engine rules?