Symantec needs to fully explain how it came to issue rogue digital certificates for Google domains or face the wrath of Google and a Chrome blockade.
Google doesn’t mess around when it comes to certificate authorities (CAs) that issue bogus certificates for its domains, since such certificates could allow attackers to stand between Google and its end-users.
A case in point was Dutch CA DigiNotar. A hacker stole hundreds of certificates from the CA, some of which were used to compromise Iranian citizens’ connections to Google, which in 2011 discovered and publicised the issue. The CA went bust after browser and operating system makers removed the firm’s root certificate from their trust stores, leaving DigiNotar’s prime function — to sell digital certificates used to encrypt browser sessions and validate a website’s authenticity — worthless.
DigiNotar was a minor CA, but Symantec, the world’s largest security software vendor, is a top issuer of SSL certificates.
Symantec was called out by Google in September for issuing rogue Extended Validation SSL certificates for three Google domains. Google discovered the rogue certificates after checking so-called “Certificate Transparency” logs.
Troubling for Symantec is that it knows the implications of bogus SSL certificates, having busted Gogo, a US inflight wifi provider, in January for spoofing SSL certificates for Google sites.
After Google raised the issue, Symantec fired several staff and vowed to prevent human error causing a repeat. Unlike the DigiNotar incident, Symantec stressed it never caused a threat to the Internet; the certificates were issued during an internal testing process at Symantec.
However, nearly a fortnight after Google’s notification, Symantec revealed it had issued 23 dubious test certificates, covering three unnamed organisations as well as Google and browser maker Opera.
The problem for Google — and why it’s now threatening tougher action against Symantec — is that after Symantec's admission it found more “questionable” certificates from the company.
So, on October 6, Google decided to share its findings with other root store operators. Though not named, they likely include Microsoft, Apple, Mozilla and Opera, which all removed trust for DigiNotar.
Google’s intent was to allow them to assess and verify its research, according to Ryan Sleevi, a Google software engineer.
But given the fate of DigiNotar, the move turned up the heat on Symantec.
A week later, Symantec produced a report based on yet another audit, revealing it had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered, said Sleevi. Some of the certificates were issued in 2009, a year before Symantec acquired the CA Thawte from Verisign.
In any case, Google isn’t satisfied with Symantec’s response and will now, as far as it can control, put Symantec on a leash.
“It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency,” said Sleevi.
“In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner,” he said.
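The kind of detection Sleevi describes, as an added example that is not code from Google, Symantec or this article: a standard-library Python monitor that scans CT-log-style records for certificates naming a domain you control and flags any that are missing from your own issuance inventory. The record format, issuer names and fingerprints below are constructed assumptions, not a real CT log API.

```python
from dataclasses import dataclass

# Constructed sample CT log entries (not real log data). "fingerprint" stands in
# for the SHA-256 of the leaf certificate, which a CT log lets you compute.
CT_ENTRIES = [
    {"index": 1, "issuer": "Example Issuing CA 1", "fingerprint": "aa11",
     "sans": ["www.example.org", "example.org"]},
    {"index": 2, "issuer": "Example Issuing CA 1", "fingerprint": "bb22",
     "sans": ["*.example.org"]},
    {"index": 3, "issuer": "Example Test CA", "fingerprint": "cc33",
     "sans": ["test.example.org"]},          # never requested by the owner
    {"index": 4, "issuer": "Example Issuing CA 1", "fingerprint": "dd44",
     "sans": ["*.org"]},                     # wildcard that does NOT cover example.org
    {"index": 5, "issuer": "Other CA", "fingerprint": "ee55",
     "sans": ["unrelated.net"]},
]

# Fingerprints of the certificates the domain owner actually requested (constructed).
KNOWN_FINGERPRINTS = {"aa11", "bb22"}


def san_covers(san: str, domain: str) -> bool:
    """True if a SAN (possibly a single-label wildcard) is `domain` or a subdomain of it."""
    base = san[2:] if san.startswith("*.") else san
    base, domain = base.lower().rstrip("."), domain.lower().rstrip(".")
    return base == domain or base.endswith("." + domain)


@dataclass(frozen=True)
class Finding:
    index: int
    issuer: str
    fingerprint: str
    names: tuple


def unexpected_certs(entries, monitored_domains, known_fingerprints):
    """Return log entries that name a monitored domain but are absent from the inventory."""
    findings = []
    for entry in entries:
        if entry["fingerprint"] in known_fingerprints:
            continue  # a certificate we know we asked for
        hits = tuple(s for s in entry["sans"]
                     if any(san_covers(s, d) for d in monitored_domains))
        if hits:
            findings.append(Finding(entry["index"], entry["issuer"],
                                    entry["fingerprint"], hits))
    return findings


if __name__ == "__main__":
    for f in unexpected_certs(CT_ENTRIES, ["example.org"], KNOWN_FINGERPRINTS):
        print(f"log entry {f.index}: {f.issuer} issued {f.fingerprint} for {f.names}")
```

Anything this reports is either an issuance your inventory failed to record or a certificate someone else obtained for your name, and the issuer field tells you which CA to ask.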
Google has also demanded that Symantec immediately update its public incident report to explain why it didn’t detect the certificates Google found and where it faltered, and that it provide a plan for preventing a repeat, which it may disclose privately to Google.
With the threat of removing trust in Symantec certificates hanging over it, Google says it also expects the security vendor to undergo an independent security audit to verify that its private keys weren’t exposed to employees who could have abused them.
“We may take further action as additional information becomes available to us,” said Sleevi.