Shape up or die, Google tells Symantec

Symantec needs to fully explain how it came to issue rogue digital certificates for Google domains or face the wrath of Google and a Chrome blockade.

Google doesn’t mess around when it comes to certificate authorities (CAs) that issue bogus certificates for its domains, since such a certificate lets an attacker sit between Google and its end users and read or modify the traffic.

A case in point was Dutch CA DigiNotar. In 2011 an attacker who had broken into the CA’s systems issued hundreds of rogue certificates, including a wildcard certificate for google.com that was used to intercept Iranian citizens’ connections to Google; Google discovered and publicised the issue that year. The CA went bust after browser and operating system makers removed its root certificate from their trust stores, leaving DigiNotar’s core product, certificates that encrypt browser sessions and vouch for a website’s identity, worthless.

DigiNotar was a minor CA but Symantec, the world’s largest security software vendor, is a top issuer of SSL certificates.

Symantec was called out by Google in September for issuing rogue Extended Validation (EV) SSL certificates for three Google domains. Google found the rogue certificates by checking Certificate Transparency (CT) logs, the public, append-only records of issued certificates that Chrome already requires EV certificates to appear in.

Awkwardly for Symantec, it knows the implications of bogus SSL certificates well, having in January called out Gogo, a US in-flight wifi provider, for serving spoofed SSL certificates for Google sites to its passengers.

After Google raised the issue, Symantec fired several staff and vowed to stop human error causing a repeat. Unlike the DigiNotar incident, Symantec stressed, the certificates never posed a threat to the Internet: they were issued during an internal testing process at Symantec.

However, nearly a fortnight after Google’s notification, Symantec revealed it had issued 23 dubious test certificates, covering domains of Google, browser maker Opera and three organisations it did not name.

The problem for Google, and the reason it is now threatening tougher action against Symantec, is that after Symantec’s admission Google itself found more “questionable” certificates from the company.

So, on October 6, Google decided to share its findings with other root store operators. Though not named, they likely include Microsoft, Apple, Mozilla and Opera, which all removed trust for DigiNotar.

Google’s intent was to allow them to assess and verify its research, according to Ryan Sleevi, a Google software engineer.

But given the fate of DigiNotar, the move turned up the heat on Symantec.

A week later, Symantec produced a report based on yet another audit, which revealed a further 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered, said Sleevi. Some of the certificates dated back to 2009, a year before Symantec bought Verisign’s certificate business, which included the CA Thawte.

In any case, Google isn’t satisfied with Symantec’s response and will now, as far as it can control, put Symantec on a leash.

“It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency,” said Sleevi.

“In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner,” he said.
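Google’s requirement above boils down to every Symantec-issued certificate carrying CT evidence, which in practice usually means Signed Certificate Timestamps (SCTs) embedded in the certificate’s CT extension (RFC 6962 section 3.3, OID 1.3.6.1.4.1.11129.2.4.2). The following added example is not code from the article, Google or Symantec: it shows the check a site owner or relying party can run on a DER certificate, walking the X.509 structure to find the SCT-list extension and listing which logs the embedded SCTs came from. It goes slightly beyond the text by decoding the TLS-encoded SCT list rather than only detecting the extension. The two certificates it inspects are constructed fixtures with placeholder signatures and made-up log IDs (an assumption, as labelled in the code); nothing is cryptographically verified.

```python
"""CT SCT-list extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962 s3.3) finder for DER
X.509 certificates. Pure-Python DER walk; the fixtures at the bottom are constructed."""

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

def _read_tlv(buf, pos):
    """Decode the DER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: 0x8N + N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                               # iterate the TLVs of a SEQUENCE/SET body
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val

def _decode_oid(value):
    """DER OID body -> dotted string (base-128 arcs, high bit = continuation)."""
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def certificate_extensions(cert_der):
    """Return [(oid, critical, extnValue)] from the TBSCertificate's [3] Extensions."""
    tbs = _read_tlv(_read_tlv(cert_der, 0)[1], 0)[1]   # Certificate -> tbsCertificate body
    for tag, val in _children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        result = []
        for _, ext in _children(_read_tlv(val, 0)[1]):   # SEQUENCE OF Extension
            fields = list(_children(ext))           # OID, [BOOLEAN critical], OCTET STRING
            critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
            result.append((_decode_oid(fields[0][1]), critical, fields[-1][1]))
        return result
    return []                                       # v1 certificate or no extensions

def has_sct_list(cert_der):
    return any(oid == SCT_LIST_OID for oid, _, _ in certificate_extensions(cert_der))

def sct_log_ids(cert_der):
    """Hex log ID of each embedded SCT. extnValue wraps an OCTET STRING whose body is the
    TLS SignedCertificateTimestampList: 2-byte total, then per SCT 2-byte len + version(1) | log_id(32) | ..."""
    for oid, _, value in certificate_extensions(cert_der):
        if oid != SCT_LIST_OID:
            continue
        tls_list = _read_tlv(value, 0)[1]           # inner OCTET STRING body
        total, pos, ids = int.from_bytes(tls_list[:2], "big"), 2, []
        while pos < 2 + total:
            n = int.from_bytes(tls_list[pos:pos + 2], "big")
            ids.append(tls_list[pos + 3:pos + 35].hex())  # skip 2-byte length and 1-byte version
            pos += 2 + n
        return ids
    return []

# --- constructed fixtures: a tiny DER encoder and a skeleton v3 certificate (assumption) ---
def _tlv(tag, value):
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return bytes(body)

def _extension(oid, der_value, critical=False):
    crit = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + crit + _tlv(0x04, der_value))

def _sct(log_id):                                   # one TLS-encoded v1 SCT, placeholder signature
    body = (b"\x00" + log_id + (1443000000000).to_bytes(8, "big") + b"\x00\x00"
            + b"\x04\x03" + b"\x00\x02" + b"\x30\x00")   # no CT extensions; sha256/ecdsa; dummy sig
    return len(body).to_bytes(2, "big") + body

def _constructed_cert(extensions):                  # minimal v3 Certificate, not really signed
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.10045.4.3.2")))  # ecdsa-with-SHA256
    name, spki = _tlv(0x30, b""), _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"150901000000Z") + _tlv(0x17, b"160901000000Z"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg + name + validity
           + name + spki + _tlv(0xA3, _tlv(0x30, b"".join(extensions))))
    return _tlv(0x30, _tlv(0x30, tbs) + sig_alg + _tlv(0x03, b"\x00" * 9))

LOG_A, LOG_B = bytes([0x11]) * 32, bytes([0x22]) * 32      # made-up log IDs (assumption)
BASIC_CONSTRAINTS = _extension("2.5.29.19", _tlv(0x30, b""), critical=True)
_scts = b"".join(_sct(log) for log in (LOG_A, LOG_B))
CERT_WITH_SCTS = _constructed_cert([BASIC_CONSTRAINTS, _extension(
    SCT_LIST_OID, _tlv(0x04, len(_scts).to_bytes(2, "big") + _scts))])
CERT_WITHOUT_SCTS = _constructed_cert([BASIC_CONSTRAINTS])
```

To run this on a real certificate, strip the BEGIN/END lines from the PEM, base64-decode the rest and pass the bytes to `sct_log_ids`; an empty list means the certificate carries no embedded SCTs, which is exactly the gap Sleevi describes for non-EV Symantec certificates (SCTs can also be delivered in the TLS handshake or a stapled OCSP response, which this check does not cover). Comparing the returned log IDs against a list of logs you trust is the next step; this example deliberately stops at extraction.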

Google has also demanded that Symantec immediately update its public incident report to explain why its own audit did not detect the certificates Google found and where its processes failed, and to provide a plan for preventing a repeat, which it may disclose privately to Google.

With the threat of Chrome dropping trust in Symantec certificates hanging over it, Google says it also expects the security vendor to undergo an independent security audit to verify that its CA private keys were not exposed to employees who could have abused them.

“We may take further action as additional information becomes available to us,” said Sleevi.



Stories by Liam Tung
