Last month, Google announced that it caught an Extended Validation (EV) pre-certificate for its google.com domain created by Symantec, which it never requested. At the time, Symantec fired some employees and started an audit of itself to investigate how that happened. This sort of issue is usually taken seriously by browser vendors and has already led to the bankruptcy of other certificate authorities in the past.
The Symantec audit found 23 test certificates created for five other organizations without their knowledge. Google itself found even more, and then after another internal audit, Symantec discovered an additional 164 certificates for 76 domains and 2,458 certificates issued for domains that were never registered.
Google isn't very happy with all of these findings, because it seems Symantec never had a good handle on this. If after some audits, so many false certificates can be found, then the trust in that certificate authority drops significantly.
Earlier this year, Google completely banned China's root CA from Chrome until it supports the Certificate Transparency system. CT is a kind of public log system for digital certificates: every issued certificate is recorded in append-only logs, which makes it much easier for domain owners and browsers to verify a certificate's authenticity and to detect certificates that were issued without their knowledge.
Google also started requiring all CAs to support CT for EV certificates as of January 1 this year, and it will now require Symantec to support CT for all of its certificates by June 1 2016.
Google said that if Symantec had used CT already for all of its certificates, those problems could have been detected earlier, and greater insight into the cause would have been available.
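To make the CT mechanism described above concrete, here is an added example (not code from the article or from Google or Symantec) that parses the Signed Certificate Timestamps a CA embeds in a CT-logged certificate, per RFC 6962, and flags SCTs from logs the verifier does not recognise. The log IDs, timestamps and signatures are constructed sample data, and the known-log registry is a stand-in for the real CT log list.

```python
import struct
from datetime import datetime, timezone

# Constructed log registry; a real checker loads the current CT log list.
KNOWN_LOGS = {bytes.fromhex("aa" * 32): "demo-log-a (constructed)"}

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]                                 # SHA-256 of log key
    (ts_ms,) = struct.unpack(">Q", sct[33:41])         # ms since epoch
    (ext_len,) = struct.unpack(">H", sct[41:43])
    p = 43 + ext_len                                   # start of signature
    hash_alg, sig_alg = sct[p], sct[p + 1]
    (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
    if len(sct) != p + 4 + sig_len:
        raise ValueError("SCT length does not match signature length")
    return {"log_id": log_id.hex(),
            "log_name": KNOWN_LOGS.get(log_id, "UNKNOWN LOG"),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "sig_len": sig_len}

def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: uint16 total length, then
    uint16-prefixed SCTs (the body of the X.509 SCT extension)."""
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        scts.append(parse_sct(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def unknown_logs(scts: list) -> list:
    """SCTs from logs the verifier does not trust provide no CT evidence."""
    return [s["log_id"] for s in scts if s["log_name"] == "UNKNOWN LOG"]

# Constructed sample: two SCTs, ecdsa-with-sha256 (TLS ids hash=4, sig=3).
def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)

def build_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

SAMPLE = build_sct_list([
    build_sct(bytes.fromhex("aa" * 32), 1446336000000, b"\x30" * 70),
    build_sct(bytes.fromhex("bb" * 32), 1446336000000, b"\x30" * 71),
])
```

Signature verification against each log's public key is deliberately left out; the point here is the structure a browser or monitor parses before it can decide whether a certificate's CT evidence comes from logs it trusts.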
Google has also requested that Symantec update the public incident report with the following:
A post-mortem analysis that details why they did not detect the additional certificates that we found.
Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
The company also wanted Symantec to provide it with a set of detailed steps for how it will correct and prevent the identified failures in this certificate creation process, as well as a timeline for when it expects to complete the work.
Google is expecting Symantec to allow a third-party audit and undergo a Point-in-time Readiness Assessment, which will test Symantec's conformance for these standards:
WebTrust Principles and Criteria for Certification Authorities
WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security
WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL
Google wants the third-party audit to establish whether Symantec is telling the truth that its employees did not have access to the private keys from the certificate creation tool, and that they could not have obtained certificates for which they held the private key. The third-party audit must also verify whether Symantec's audit logging mechanism is protected from tampering.
Unlike CNNIC, which was immediately banned from the Chrome browser for facilitating the creation of forged certificates, Symantec has been given a chance to prove its certificate business can still be trusted, by submitting to a third-party audit and by adopting the Certificate Transparency system for all of its certificates.
The company has until June 1 to show its commitment to fixing the security and trust problems in its certificate creation process, but if that doesn't happen, Google may be forced to ban Symantec's certificates from Chrome, too.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
That's like saying because I don't have a security alarm system in my house, I shouldn't tell you to lock your doors.
The overall point of my previous post is simply this... at what point does Google stop? What happens if they decide they don't like so-and-so webpage... and block it from Google services? Who is to stop them? While I feel it's their right as a company to do as they please, at the same time I think it needs to be regulated how big a company can get; otherwise they become so large they're in a position to dictate everything that happens, ruling over a market.
Just trying to see your logic here....
So Symantec employees created fake Google certificates and used them allegedly for testing purposes on the internet and not in a closed lab. The big question is what were they testing that they needed a Google certificate for?
That's a terrible analogy.
The issue as I see it is who put Google in charge of controlling certificates and handling certificate transparency? It quickly becomes apparent that Google put themselves in charge, by using their dominant browser marketshare as a weapon to strongarm CAs to submit to their CT system.
So what they're doing is good in most regards, but they're overstepping their bounds here by making themselves the world Certificate Authority Authority (CAA). This really should be handled by a consortium instead. If Google, Apple, Microsoft, Firefox, et al had a joint CT group I wouldn't be as concerned.
@hotroderx the idiots at Symantec tell me my own router's IP address is unsafe! I'm sure this lapse with certificates will bring back the CIA backdoor theory in your internet security! Are you running Norton/Symantec products on your PC(s) hotroderx?