Over 'fake web security certificate' fiasco, Google warns Symantec

From June 1, 2016, all Symantec-issued certificates will be required to support Google's Certificate Transparency mechanism.

The threat comes after Symantec revealed it had issued thousands of fraudulent security certificates for numerous domains, including Google. Google sent its findings to Symantec, which prompted the company to conduct an additional audit.

Symantec attributed the issuance to "employee error": a number of certificates left the security firm without authorization from either Google, the domain owner, or Symantec itself.

But problems arise when a company like Symantec wrongly issues a certificate: whoever holds that certificate's private key can pose as Google or Facebook and intercept their users' communications. The company looked into a security flaw in Google Drive which allowed hackers and scammers to obtain Google users' personal information by using fake Google Drive documents to ask users for phone numbers or email addresses and passwords.

In September Symantec revealed in a report that it had fired a number of employees for issuing unauthorized TLS certificates for domain names to companies that did not own them. Google then gave the security vendor an ultimatum whose consequences could affect Symantec on a global scale.

The bogus certificates had been issued without the domain owners' knowledge, and more were being found in Google's Certificate Transparency system logs, according to Ryan Sleevi, a software engineer with the search giant. The company had said that "employee error" caused the certificates to be issued. Firefox-maker Mozilla has examined Google's proposal and is considering requiring the same of Symantec; other browser vendors may follow their example.

Google is also pushing Symantec to update its incident report with a post-mortem analysis of why it did not find the additional certificates, followed by the details of "each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure".

If, after the June 2016 deadline, newly issued Symantec certificates do not conform to the Chromium Certificate Transparency policy, Sleevi said it could result in Chrome and other Google products displaying warning interstitials.

Google's demands also included hiring a third party to audit Symantec's processes; that audit must, among other things, verify Symantec's claim that the private keys for the Google certificates were not accessed by other Symantec employees.

"We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted", said a Symantec spokeswoman. In this case, logging the non-EV certificates to Certificate Transparency as well would have provided significantly greater insight into the problem and may have allowed it to be detected sooner.
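The detection benefit described above is what a domain owner gets from watching Certificate Transparency logs: any certificate a participating CA issues for the owner's names becomes visible, including ones the owner never requested. The following script is an added illustration, not code from the article, Google or Symantec. It triages a constructed list of logged certificates against an owner's policy (the domains it monitors, the CAs it actually uses, and the serials of certificates it requested itself); all domain names, issuer names and serial numbers in it are made up for the example.

```python
# Added example (not from the article, Google or Symantec): a domain owner's
# triage of Certificate Transparency log entries. Every name, issuer and
# serial below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LoggedCert:
    """One leaf certificate as a CT monitor would report it (simplified)."""
    serial: str             # hex serial number (constructed)
    issuer: str             # CA that signed the certificate
    names: Tuple[str, ...]  # subjectAltName dNSName entries


# Owner's policy (hypothetical organization).
MONITORED_DOMAINS = ("example.com",)      # these names and all subdomains
ALLOWED_ISSUERS = {"Example Trusted CA"}  # CAs the owner has contracts with
EXPECTED_SERIALS = {"01", "02"}           # certificates the owner requested


def covers_monitored_domain(name: str) -> bool:
    """True if a SAN entry names a monitored domain, a subdomain of it, or is
    a wildcard whose base is a parent of it (*.com would cover example.com)."""
    name = name.lower().rstrip(".")
    base = name[2:] if name.startswith("*.") else None
    for dom in MONITORED_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return True
        if base is not None and dom.endswith("." + base):
            return True
    return False


def triage(entries: List[LoggedCert]) -> List[Tuple[str, str, str]]:
    """Return (serial, reason, issuer) for every logged certificate that names
    a monitored domain but was not issued the way the owner expects.

    Two classes of finding:
      * unexpected issuer: a CA the owner never contracted with issued for
        its name (the classic mis-issuance case);
      * unrequested certificate: a trusted CA issued something the owner
        never asked for, e.g. an internal test certificate, which is exactly
        the case only CT logging makes visible to the domain owner.
    """
    findings = []
    for cert in entries:
        if not any(covers_monitored_domain(n) for n in cert.names):
            continue  # not this owner's domain; nothing to flag
        if cert.issuer not in ALLOWED_ISSUERS:
            findings.append((cert.serial, "unexpected issuer", cert.issuer))
        elif cert.serial not in EXPECTED_SERIALS:
            findings.append((cert.serial, "unrequested certificate", cert.issuer))
    return findings


# Constructed sample of what a CT monitor might return for the owner's names.
SAMPLE_ENTRIES = [
    LoggedCert("01", "Example Trusted CA", ("example.com", "www.example.com")),
    LoggedCert("a1", "Some Other CA", ("mail.example.com",)),
    LoggedCert("03", "Example Trusted CA", ("*.example.com",)),
    LoggedCert("b2", "Some Other CA", ("unrelated.org",)),
]

if __name__ == "__main__":
    for serial, reason, issuer in triage(SAMPLE_ENTRIES):
        print(f"serial {serial}: {reason} ({issuer})")
```

Running it flags serial a1 (issued by a CA the owner never used) and serial 03 (a wildcard from the trusted CA that nobody requested), while the certificate for unrelated.org is ignored. The second finding is the one the article is about: a CA's own unauthorized test certificate is only discoverable by the domain owner if the CA logged it, which is why Google is requiring logging of all Symantec certificates rather than only EV ones.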

Starting June 2, 2016, HTTPS websites that use Symantec certificates not aligned with Google's request will be shown with warnings that the page's content is unsafe.

Symantec clarified in a prepared comment to SCMagazine.com that it has put additional tools, policy and process safeguards in place to prevent this type of incident from occurring again. A third-party security audit of that procedure will also be conducted to confirm it was transparent and free of irregularities. The company is going to have to eat some humble pie and publicly admit to every one of its failings to placate the search giant.