Last month, Google announced that it had caught an Extended Validation (EV) pre-certificate for its google.com domain, created by Symantec, that Google had never requested. At the time, Symantec fired some employees and started an audit of itself to investigate how that happened. This sort of issue is usually taken seriously by browser vendors and has led to the bankruptcy of other certificate authorities in the past.
The Symantec audit found 23 test certificates created for five other organizations without their knowledge. Google itself found even more, and then after another internal audit, Symantec discovered an additional 164 certificates for 76 domains and 2,458 certificates issued for domains that were never registered.
Google isn't very happy with all of these findings, because it seems Symantec never had a good handle on this. If after some audits, so many false certificates can be found, then the trust in that certificate authority drops significantly.
Earlier this year, Google completely banned China’s root CA from Chrome until it supports the Certificate Transparency (CT) system. CT is a kind of public log system for digital certificates, which makes it much easier to verify their authenticity and whether they have been modified or not.
Google also started requiring all CAs to support CT for EV certificates as of January 1 this year, and it will now require Symantec to support CT for all of its certificates by June 1, 2016.
Google said that if Symantec had used CT already for all of its certificates, those problems could have been detected earlier, and greater insight into the cause would have been available.
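How a domain owner could use CT log entries to spot certificates it never requested, as an added example that is not part of the original article or any vendor's tooling. The entry fields (`type`, `issuer`, `serial`, `names`), the CA names and the sample entries are constructed assumptions, not a real log's wire format.

```python
# Constructed sample data: issuers, serials and hostnames are invented
# for illustration and are not taken from any real CT log.
OWNED_DOMAINS = {"example.com"}
# Certificates the domain owner actually requested, keyed by (issuer, serial).
REQUESTED = {("Example CA", "0a01")}

LOG_ENTRIES = [
    {"type": "x509", "issuer": "Example CA", "serial": "0a01",
     "names": ["www.example.com"]},
    # A pre-certificate is logged before final issuance, so it is checked too.
    {"type": "precert", "issuer": "Other CA", "serial": "77f3",
     "names": ["example.com", "www.example.com"]},
    {"type": "x509", "issuer": "Other CA", "serial": "1b20",
     "names": ["*.EXAMPLE.com."]},
    # Look-alike names that must NOT match the owned domain.
    {"type": "x509", "issuer": "Other CA", "serial": "9c44",
     "names": ["notexample.com", "example.com.evil.test"]},
]

def covers_owned(name, owned=OWNED_DOMAINS):
    """True if a certificate name falls under a domain we own."""
    host = name.lower().rstrip(".")      # DNS names are case-insensitive
    if host.startswith("*."):            # a wildcard covers the parent zone
        host = host[2:]
    # Match on a label boundary so "notexample.com" is not a hit.
    return any(host == d or host.endswith("." + d) for d in owned)

def unrequested(entries, requested=REQUESTED, owned=OWNED_DOMAINS):
    """Return logged entries for our domains that we never asked for."""
    findings = []
    for e in entries:
        hits = sorted(n for n in e["names"] if covers_owned(n, owned))
        if hits and (e["issuer"], e["serial"]) not in requested:
            findings.append((e["type"], e["issuer"], e["serial"], hits))
    return findings

if __name__ == "__main__":
    for finding in unrequested(LOG_ENTRIES):
        print("unrequested certificate:", finding)
```

A check like this only sees certificates that were actually logged, which is why the requirement that a CA log all of its certificates matters.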
Google has also requested that Symantec update the public incident report with the following:
- A post-mortem analysis that details why they did not detect the additional certificates that we found.
- Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
The company also wanted Symantec to provide it with a set of detailed steps for how it will correct and prevent the identified failures in this certificate creation process, as well as a timeline for when it expects to complete the work.
Google is expecting Symantec to allow a third-party audit and undergo a Point-in-time Readiness Assessment, which will test Symantec's conformance to these standards:
- WebTrust Principles and Criteria for Certification Authorities
- WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security
- WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL
Google wants the third-party audit to establish whether Symantec is telling the truth that its employees didn't have access to the private keys from the certificate creation tool and that they couldn't have obtained certificates for which they had the private key. The third-party audit must also verify whether Symantec's audit logging mechanism is protected from tampering.
Unlike CNNIC, which was immediately banned from the Chrome browser for facilitating the creation of forged certificates, Symantec has been given a chance to prove its certificate business can still be trusted, by submitting to a third-party audit and by adopting the Certificate Transparency system for all of its certificates.
The company has until June 1 to show its commitment to fixing the security and trust problems in its certificate creation process, but if that doesn't happen, Google may be forced to ban Symantec's certificates from Chrome, too.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.