Google is demanding that Symantec must conduct an assessment to ensure it is still eligible to run a certificate authority. The search giant’s scathing statement comes after the security firm was found to have issued a large number of fake digital certificates.
In mid-September, upon Google’s notification, Symantec revealed that its Thawte certificate authority (CA) issued an Extended Validation (EV) pre-certificate for several domains including Google’s and Opera’s. A total of 23 certificates were issued without the domain owners’ knowledge. At the time, Symantec said that these certificates were only created for testing purposes, and were accidentally issued. Google found these domains in its Certificate Transparency system logs.
Following this discovery, Google asked Symantec to conduct a full audit. Upon investigation, Symantec reported an additional 164 bogus certificates spanning 76 domains, and an additional 2,400 test certificates for unregistered domains. The practice of issuing certificates for unregistered domains has been prohibited since April 2014.
In September, the security firm also fired a number of its employees for errors in issuing certificates. The company had said that “employee error” caused cryptographic certificates to be issued online.
The fake certificates, according to Google, make it possible for attackers to impersonate its as well as many other’s websites, potentially leading to data theft and other cybercrimes. “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency,” wrote Ryan Sleevi, Software Engineer at Google in a blog post on Wednesday.
“In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner,” he added.
Symantec seems to be downplaying the threat of the fake certificates. “In September, we were alerted that a small number of test certificates for Symantec’s internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains,” it said in a statement.
“While there is no evidence that any harm was caused to any user or organisation, this type of product testing was not consistent with the policies and standards we are committed to uphold. We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted.”
Google is not pleased, as you can imagine. The company wants Symantec to conduct a further investigation to find how it failed to meet the basic requirements. Symantec must comply with Google’s demands if it wants to be trusted by Google for certificates. In addition it also requires Symantec, beginning June 1, 2016, to log all certificates with Google’s Certificate Transparency mechanism.