Security vendor Symantec has sacked a number of employees for issuing fake, internal testing digital certificates for Google, at least one of which leaked onto the internet.
The certificates were issued on September 15 Australian time by Symantec subsidiary Thawte for three domains that the company did not name. Symantec did not disclose how many testing certificates were released, saying only that it was "a small number".
It has since been revealed that Thawte issued extended validation (EV) certificates for google.com and www.google.com. EV certificates are issued to provide a greater level of authentication to sites and domains than standard certificates.
Although Symantec stated that "all of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue," Google found one of the digital bona-fides, as did certificate provider Digicert.
Google updated the revocation metadata in its Chrome web browser to include the public key for the mis-issued Thawte certificate, which was only valid for a single day. The online giant does not believe its users were at any risk because of the bogus certificate.
As a result of the issuance of the bogus certificates, Symantec said it had fired those responsible.
"Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process.
"Because you rely on us to protect the digital world, we hold ourselves to a 'no compromise' bar for such breaches. As a result, it was the only call we could make," Symantec's Quentin Liu and Charlene Mike-Billstrom said.
