Symantec vs. Google: Conflict at the internet’s root of trust

One of the fundamental goals of internet security is to ensure that when users interact with a website, they are interacting with the party they think they are, not with a phishing site, and that they are not being victimized by a so-called man-in-the-middle attack. Achieving this level of security requires collaboration and trust between the makers of web browsers, such as Apple, Google, and Microsoft, on the one hand, and certificate authorities, such as Comodo and Symantec, on the other. For one of the biggest browser vendors and one of the biggest certificate authorities, that trust appears to be fraying.

On March 23, Google announced that they “no longer have confidence in the certificate issuance policies and practices of Symantec,” one of the largest certificate authorities. Google’s Chrome web browser would therefore apply special scrutiny to Symantec; older certificates would no longer be trusted, so-called “extended validation certificates” would no longer be honored, and the level of trust expressed to users would be reduced. This comes after repeated public incidents in which Symantec created and issued certificates that do not accurately identify the bearers.

What is striking about the Google-Symantec conflict is that it imposes considerable costs on a range of companies who have no legal relationship with Google. Websites with Symantec certificates will need to pay for more renewals and perhaps will need to switch to certificates from another vendor. Symantec itself will doubtless have increased costs and lost business as a result. As far as I can tell, Google has acted in response to a long series of clear mistakes by Symantec. But suppose Symantec or its customers disagree and wish to pursue legal action; it is not clear how they would. Symantec sells certificates to websites, but Google has no evident legal obligation to trust Symantec’s certificates. Manufacturers have no general duty to make interoperable products. When Apple changes its laptop design and previous third-party add-ons no longer work, the add-on vendors cannot sue for lost business.

When a dispute between companies A and B can result in significant costs for C, and C has no legal remedy, regulation is sometimes the right answer. One might imagine Congress or the Federal Trade Commission (FTC) imposing minimum levels of care on certificate authorities or requiring some level of explanation for browser decision-making. I do not believe any such regulation would be appropriate at the present time: the technology ecosystem changes too quickly, the level of harm here is fairly small, and the cost of regulation is potentially high. Moreover, the makers of browsers and certificate authorities are global companies — it would be improvident for the US to proceed here without concern for the potential international commercial repercussions. But policymakers would be well served to pay attention to future disputes between the makers of browsers and certificate authorities and to think about what sorts of remedies might be effective if these disputes become more frequent, severe, or costly.
