Google slams Symantec for sloppy digital cert handling


Security vendor must undergo audits to not be blocked.

Google is putting the pressure on Symantec after the security vendor was found to have issued a large number of fake digital certificates that accidentally found their way onto the internet.

Digital certificates authenticate the parties in Secure Sockets Layer/Transport Layer Security (SSL/TLS) connections and underpin the keys used to encrypt that traffic across the internet.

A certificate wrongly issued by a trusted authority could be used to intercept and subvert SSL/TLS-protected traffic, which underpins e-commerce, banking, government and other important services.

In September this year, Symantec said it had fired a number of staffers for issuing fake testing certificates for the and domains, which had leaked out on the internet.

Symantec would not disclose at the time how many bogus certificates its subsidiary Thawte had issued.

A later audit by Symantec showed that as many as 23 test certificates had been issued, covering five organisations, including Google and competing browser vendor Opera.

The bogus certificates had been issued without the domain owners' knowledge, and more were being found in Google's Certificate Transparency system logs, according to Ryan Sleevi, a software engineer with the search giant.

Google worked with other certificate root store operators to verify the findings of bogus digital bona-fides, which prompted Symantec to conduct a second audit.

That audit [pdf] unearthed a further 164 bogus certificates for 76 real domains. A whopping 2458 certificates [pdf] were found for domains that were never registered.

"It’s obviously concerning that a Certificate Authority would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit," Sleevi wrote.

Google is now demanding that Symantec conduct a further investigation into why it did not discover the bogus certificates.

Sleevi said Google wants to know why Symantec failed to meet the basic requirements [pdf] and extended validation guidelines for certificates.

Google said that if Symantec is to remain trusted for certificates in Google products, the security firm must undergo a point-in-time readiness assessment to show it is fit to run a certificate authority.

Symantec must also go through a third-party security audit to establish whether, as the firm claimed, no private keys were exposed to employees during the issuance of test certificates.

Sleevi said the audit must assess whether Symantec employees could obtain certificates for controlled private keys. Symantec's audit logging mechanism must also be scrutinised to ensure it is protected from modification, deletion and tampering.

The results of the audits and assessments may not be made public, however, if Symantec considers the information confidential.

From June 1, 2016, all Symantec-issued certificates will be required to support Google's Certificate Transparency mechanism.

If after that date newly issued Symantec certificates do not conform to the Chromium Certificate Transparency policy, Sleevi said it could result in Chrome and other Google products displaying warning interstitials.
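The first thing a site operator checks when a certificate must "support Certificate Transparency" is whether it carries embedded Signed Certificate Timestamps at all. The following Go program is an added example, not code from the article or from Google or Symantec: it locates the SCT list extension by its RFC 6962 OID (1.3.6.1.4.1.11129.2.4.2) in a parsed X.509 certificate and counts the entries in the TLS-framed list, and the placeholder SCT entries it builds for testing are constructed data, not signatures from any real log.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
)

var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // RFC 6962, 3.3

// CountEmbeddedSCTs reports how many SCTs a certificate embeds. It checks only the
// TLS length framing; verifying each SCT signature against the log's key is separate.
func CountEmbeddedSCTs(cert *x509.Certificate) (int, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSCTList) {
			continue
		}
		// extnValue wraps an inner OCTET STRING whose contents are the TLS list:
		// uint16 total length, then entries each prefixed by a uint16 length.
		var list []byte
		if _, err := asn1.Unmarshal(ext.Value, &list); err != nil {
			return 0, err
		}
		if len(list) < 2 || int(binary.BigEndian.Uint16(list)) != len(list)-2 {
			return 0, errors.New("bad SCT list length")
		}
		n := 0
		for body := list[2:]; len(body) > 0; n++ {
			if len(body) < 2 || len(body)-2 < int(binary.BigEndian.Uint16(body)) {
				return 0, errors.New("truncated SCT entry")
			}
			body = body[2+int(binary.BigEndian.Uint16(body)):]
		}
		return n, nil
	}
	return 0, errors.New("certificate has no embedded SCT list")
}

// ConstructedCert returns a bare certificate object carrying an SCT list of n
// opaque placeholder entries (constructed test data only, not real log signatures).
// For a real certificate, pass the result of x509.ParseCertificate instead.
func ConstructedCert(n int) *x509.Certificate {
	var body []byte
	for i := 0; i < n; i++ { // each entry: uint16 length + 43 zero bytes
		body = append(append(body, 0, 43), make([]byte, 43)...)
	}
	list := append([]byte{byte(len(body) >> 8), byte(len(body))}, body...)
	inner, _ := asn1.Marshal(list) // wrap as OCTET STRING, as in a real cert
	return &x509.Certificate{Extensions: []pkix.Extension{{Id: oidSCTList, Value: inner}}}
}
```

A certificate that fails this check, or whose SCTs do not come from enough qualifying logs under the Chromium policy, is the kind the article says Chrome would flag with a warning interstitial.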
