A bogus private key was enough to fool security vendor Symantec into revoking a transport layer security (TLS) certificate for a domain, a researcher has discovered.
German freelance infosec journalist Hanno Böck set out to test if certificate authorities like Comodo and Symantec have rigorous processes in place to check the legitimacy of private keys for digital certificates.
Certificate authorities are expected to revoke a TLS certificate if its private key has been compromised; Böck said that before acting on such a report, an issuer should cryptographically check that the private key it has been handed actually corresponds to the public key in the certificate in question.
Böck registered two test domains with his identity hidden, and obtained TLS certificates via Symantec's RapidSSL brand as well as Comodo.
He then crafted bogus private keys for both certificates, uploaded them to the Pastebin website, and reported to Comodo and Symantec that the keys had been compromised.
Comodo spotted that the key for its certificate was fake; Symantec accepted the one in Böck's report and revoked the certificate.
"No harm was done here, because the certificate was only issued for my own test domain. But I could’ve also faked private keys of other people's certificates," he wrote.
"Very likely Symantec would have revoked them as well, causing downtimes for those sites. I even could’ve easily created a fake key belonging to Symantec’s own certificates."
He also noted that Symantec didn't tell the domain owner that the certificate had been revoked because of a reported key compromise, potentially leaving administrators unable to work out why the credential had been pulled.
Böck said there was no excuse for Symantec's approach.
"It indicates that they [Symantec] operate a certificate authority without a proper understanding of the cryptographic background [required]," Böck said.
Symantec has been criticised by Google in the past for mis-issuing certificates. Google threatened to distrust Symantec's certificates in its Chrome web browser as a penalty.
The security vendor has been contacted for comment.
Update: Symantec technical director Rick Andrews confirmed the issue and thanked Böck in a blog post.
Andrews said Symantec performed a modulus comparison as part of its public and private key verification, but this was "incomplete as other parameters in the keys were not checked".
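The following is an added illustration, not code from Böck's test or from Symantec, of the difference between the check Böck expected a CA to perform and the modulus-only comparison Symantec described. It uses a toy RSA implementation in pure Python (keys as plain dicts rather than PEM files, textbook RSA without padding, and Python 3.8+ for the modular inverse via `pow(e, -1, m)`), all of which are simplifying assumptions for the example. A "forged" key is built the way an attacker who holds only the certificate could build one: the real modulus and public exponent, with invented private parameters. Comparing moduli accepts it; checking the key's internal consistency, or demanding a signature that verifies under the certificate's public key, rejects it.

```python
import hashlib
import random
from math import gcd

# Toy RSA, constructed for this example. Real CAs parse DER/PEM keys and
# certificates; the dict layout {n, e, d, p, q} stands in for that here.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with trial division for small factors."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits, seed):
    """Genuine RSA key: n = p*q and e*d == 1 (mod lambda(n))."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        if p != q and gcd(e, lam) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, lam), "p": p, "q": q}


def public_part(key):
    """What the certificate exposes to everyone."""
    return {"n": key["n"], "e": key["e"]}


def forge_private_key(pub, seed):
    """A 'private key' file anyone can produce from the certificate alone:
    the real modulus and exponent, plus made-up d, p and q."""
    rng = random.Random(seed)
    bits = pub["n"].bit_length()
    return {"n": pub["n"], "e": pub["e"],
            "d": rng.getrandbits(bits - 1),
            "p": rng.getrandbits(bits // 2) | 1,
            "q": rng.getrandbits(bits // 2) | 1}


def modulus_only_check(priv, pub):
    """The incomplete check: the modulus matches, so the forgery passes."""
    return priv["n"] == pub["n"]


def key_is_consistent(priv):
    """Structural check: p, q prime, p*q == n, e*d == 1 (mod lambda(n))."""
    p, q, n, e, d = priv["p"], priv["q"], priv["n"], priv["e"], priv["d"]
    rng = random.Random(0)
    if p * q != n or not is_probable_prime(p, rng) or not is_probable_prime(q, rng):
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (e * d) % lam == 1


def proves_possession(priv, pub, challenge):
    """Proof of possession: sign a CA-chosen challenge with the claimed key,
    verify with the certificate's public key (textbook RSA, no padding)."""
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % pub["n"]
    sig = pow(h, priv["d"], priv["n"])
    return pow(sig, pub["e"], pub["n"]) == h


if __name__ == "__main__":
    real = keygen(512, seed=1)          # the site's actual key pair
    pub = public_part(real)             # what the certificate publishes
    fake = forge_private_key(pub, seed=2)
    challenge = b"revocation-request-nonce"  # constructed sample challenge
    for name, key in (("real", real), ("forged", fake)):
        print(name, "modulus match:", modulus_only_check(key, pub),
              "consistent:", key_is_consistent(key),
              "proves possession:", proves_possession(key, pub, challenge))
```

Either of the two stronger checks is enough on its own, and the proof-of-possession one is what a revocation workflow should prefer: it does not require the submitter to hand over a well-formed key at all, only to demonstrate control of it, which is exactly the fact the CA needs before it pulls someone's certificate.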
He said the procedure had been corrected, and promised to communicate better with certificate owners when third-party revoke requests occur.
Symantec said it wasn't aware of any other customers having been impacted by the faulty verification process for certificate revocations.