Google Tells Symantec to Improve Digital Certificate Security

Google is displeased with Symantec’s digital certificate issuance practices and has asked the security firm to step up its game in order to avoid problems when its certificates are used in the Internet giant’s products.

In mid-September, Google learned that Symantec’s Thawte certificate authority (CA) issued an Extended Validation (EV) pre-certificate for google.com domains. The certificate, which had not been requested or authorized by Google, was discovered in Certificate Transparency logs, which Chrome requires for all EV certificates issued after January 1, 2015.

Symantec said the certificates were only issued for testing purposes by its internal QA team and they had not posed a risk to users and organizations. An initial audit conducted by the security firm revealed that a total of 23 test certificates were issued for six domains owned by Google, seven owned by Opera, and ten owned by three other organizations.

A follow-up investigation sparked by questions from Symantec’s industry partners revealed that an additional 164 certificates covering 76 domains had been inappropriately issued. Furthermore, the company issued more than 2,400 test certificates for unregistered domains, even though this practice has not been allowed since April 2014.

“We are committed to accelerating the adoption of Certificate Transparency logging for all certificates that we issue, by adding support for Organization and Domain Validated certificates, and expect most of that work to be complete by the end of 2015,” Symantec said in its report on the test certificates incident. “We have also begun our annual audit process and are expanding its scope in the wake of these recent instances, in order to ensure we have independent confirmation that no other issues remain. We anticipate the audit will take three to six months, and once it is complete we will share any key findings.”

While Symantec insists that the risk associated with the issuance of the test certificates is minimal, such certificates can be highly valuable in the hands of malicious actors because they can be leveraged to impersonate the domains they cover.

“It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit,” Google software engineer Ryan Sleevi said in a blog post on Wednesday.

According to Sleevi, all Symantec-issued certificates, not just EV certificates, will be required to support Certificate Transparency by June 1, 2016. After this date, newly issued certificates from Symantec that don’t adhere to this policy could encounter problems, such as interstitial webpages, when used in Google products.
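The CT requirement described above comes down to whether a certificate carries Signed Certificate Timestamps (SCTs) in its CT extension, the same data that let the unauthorized google.com pre-certificate surface in the logs. The following added example (not code from the article, Google or Symantec) decodes that embedded SCT list with the Python standard library and counts the distinct logs that vouched for the certificate; the list format is from RFC 6962, the SCT bytes are constructed for illustration, and the log signatures are not verified.

```python
# Added example, not the article's or Google's/Symantec's code: decode an embedded SCT list (RFC 6962 s3.3).
import struct
from datetime import datetime, timezone

def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def parse_sct(sct: bytes) -> dict:
    """Decode one v1 SignedCertificateTimestamp."""
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]                       # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack_from("!Q", sct, 33)
    p = 43 + _u16(sct, 41)                   # skip v1 extensions (usually empty)
    hash_alg, sig_alg, sig_len = sct[p], sct[p + 1], _u16(sct, p + 2)
    sig = sct[p + 4:p + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated SCT signature")
    return {"log_id": log_id.hex(), "hash_alg": hash_alg, "sig_alg": sig_alg,
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "signature": sig}

def parse_sct_list(data: bytes) -> list:
    """Decode a SignedCertificateTimestampList: u16 total, then u16-prefixed SCTs."""
    if _u16(data, 0) != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    off, scts = 2, []
    while off < len(data):
        n = _u16(data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(data[off:off + n]))
        off += n
    return scts

def distinct_logs(data: bytes) -> int:
    """How many distinct CT logs vouched for the certificate."""
    return len({s["log_id"] for s in parse_sct_list(data)})

def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    """Serialize a v1 SCT (sha256/ecdsa, no extensions) to construct test input."""
    return (b"\x00" + log_id + struct.pack("!Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack("!H", len(sig)) + sig)

# Constructed sample: two SCTs from two fake logs (ids 0x11.., 0x22..), fake signature.
_SIG = bytes.fromhex("3006020101020102")
_SCTS = [build_sct(bytes([0x11]) * 32, 1444262400000, _SIG),
         build_sct(bytes([0x22]) * 32, 1444262400000, _SIG)]
SAMPLE_SCT_LIST = b"".join(struct.pack("!H", len(s)) + s for s in _SCTS)
SAMPLE_SCT_LIST = struct.pack("!H", len(SAMPLE_SCT_LIST)) + SAMPLE_SCT_LIST
```

On a real certificate the bytes passed to `parse_sct_list` are the OCTET STRING payload of extension 1.3.6.1.4.1.11129.2.4.2; a certificate with no such extension, or with SCTs from too few logs, is what a CT-enforcing client would flag.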

Google also wants Symantec to update its public incident report with a post-mortem analysis explaining why the additional certificates were not detected in the company’s initial review, and details on why it failed to uphold existing requirements.

“We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public,” Sleevi said.

Symantec is also expected to undergo a point-in-time readiness assessment and a third-party security audit.

Symantec has provided SecurityWeek the following statement:

“In September, we were alerted that a small number of test certificates for Symantec’s internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains. While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold.
We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted. To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit.”

*Updated with statement from Symantec

Related Reading: Google Finds Unauthorized Certificates Issued by Intermediate CA

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.