There is an African proverb: “When elephants fight the grass suffers.” I think this fairly describes the “knife fight” — a popular term in some recent media coverage of the American presidential transition — between Google and Symantec recently.
As described on our status blog, a bug (Google, Symantec) in the Google Chromium web browser caused Chromium users to see certificate errors when trying to access websites secured with valid certificates issued by Symantec and it’s subsidiaries — e.g., Geotrust, RapidSSL, Thawte and possibly others too. This included large websites such as Amazon, Flickr and Yahoo.
The knife fight first came to our attention probably a year or so ago, likely in an email from the certificate authority (CA) that we use for most of the SSL certificates we sell to clients and use ourselves. That CA is RapidSSL, a subsidiary of Symantec.
Now, it seems that Symantec did something bad in 2015: they created some certificates for domains that had neither requested nor authorised them. This was likely for testing purposes, although you do have to wonder about the IQ of the person at Symantec who authorised this. Google was particularly annoyed, because two of those certificates were for google.com and www.google.com.
What followed was some serious holier-than-thou public finger wagging at Symantec by Google, pontification worthy of a schoolmarm armed with a wooden ruler rapping the knuckles of the Symantec child. Bad, bad Symantec, now we’re going to shame you and be nasty to you in public, and tell you how you should be running your business. Which is all well and good, because Symantec did something stupid and should suffer the consequences.
One of those consequences was Google using the power it wields by virtue of the fact that it creates the most popular web browser on the planet — power that Microsoft used to wield, and also abused — to single out Symantec certificates for special treatment. (Why Google Chrome [and its progenitor Chromium] are so popular is beyond me. I’ve used Chromium and Chrome as secondary browsers on Linux and Windows machines, but my personal experience is that it’s slower and less configurable than Firefox.) Starting in June 2016 Google required Symantec to jump through hoops it doesn’t require of other CAs. Is that abuse of power? Some say no, and it’s difficult to disagree with them. However, Google then also did something bad and stupid themselves, by creating a situation that led to what they’ve called a “time bomb”, meaning that most (if not all) Symantec certificates stopped being trusted by Google Chromium in early to mid-November.
The upshot of this is that it was innocent third parties — the proverbial grass, the customers of Symantec that bought their certificates, and some users of Chromium — that were hurt by this knife fight. I’d love to know how much business Amazon lost as a result, and if we can expect a lawsuit and a payout from Google.