Google Tells Symantec to Improve Digital Certificate Security

Google is displeased with Symantec’s digital certificate issuance practices and has asked the security firm to step up its game in order to avoid problems when its certificates are used in the Internet giant’s products.

In mid-September, Google learned that Symantec’s Thawte certificate authority (CA) issued an Extended Validation (EV) pre-certificate for google.com domains. The certificate, which had not been requested or authorized by Google, was discovered in Certificate Transparency logs, which Chrome requires for all EV certificates issued after January 1, 2015.

Symantec said the certificates were only issued for testing purposes by its internal QA team and they had not posed a risk to users and organizations. An initial audit conducted by the security firm revealed that a total of 23 test certificates were issued for six domains owned by Google, seven owned by Opera, and ten owned by three other organizations.

A follow-up investigation sparked by questions from Symantec’s industry partners revealed that an additional 164 certificates covering 76 domains had been inappropriately issued. Furthermore, the company issued more than 2,400 test certificates for unregistered domains, despite the fact that this practice is not allowed since April 2014.

“We are committed to accelerating the adoption of Certificate Transparency logging for all certificates that we issue, by adding support for Organization and Domain Validated certificates, and expect most of that work to be complete by the end of 2015,” Symantec said in its report on the test certificates incident. “We have also begun our annual audit process and are expanding its scope in the wake of these recent instances, in order to ensure we have independent confirmation that no other issues remain. We anticipate the audit will take three to six months, and once it is complete we will share any key findings.”

While Symantec insists that the risk associated with the issuance of the test certificates is minimal, such certificates can be highly valuable in the hands of malicious actors because they can be leveraged to impersonate the domains they cover.

“It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit,” Google software engineer Ryan Sleevi said in a blog post on Wednesday.

According to Sleevi, all Symantec-issued certificates, not just EV certificates, will be required to support Certificate Transparency by June 1, 2016. After this date, newly issued certificates from Symantec that don’t adhere to this policy could encounter problems, such as interstitial webpages, when used in Google products.

Google also wants Symantec to update its public incident report with a post-mortem analysis explaining why the additional certificates were not detected in the company’s initial review, and details on why it failed to uphold existing requirements.

“We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public,” Sleevi said.

Symantec is also expected to undergo a point-in-time readiness assessment and a third-party security audit.

Symantec has provided SecurityWeek the following statement:

“In September, we were alerted that a small number of test certificates for Symantec’s internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains. While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold.

 

We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted. To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit.”

*Updated with statement from Symantec

Related Reading: Google Finds Unauthorized Certificates Issued by Intermediate CA