Google Requires Symantec To Adopt 'Certificate Transparency' Following Rogue Certificate Discoveries

Last month, Google announced that it caught an Extended Validation (EV) pre-certificate for its google.com domain created by Symantec, which it never requested. At the time, Symantec fired some employees, and started an audit of itself to investigate how that happened. This sort of issue is usually taken seriously by browser vendors and has already led to the bankruptcy of other certificate authorities in the past.

The Symantec audit found 23 test certificates created for five other organizations without their knowledge. Google itself found even more, and then after another internal audit, Symantec discovered an additional 164 certificates for 76 domains and 2,458 certificates issued for domains that were never registered.

Google isn't very happy with all of these findings, because it seems Symantec never had a good handle on this. If after some audits, so many false certificates can be found, then the trust in that certificate authority drops significantly.

Earlier this year, Google completely banned China’s root CA from Chrome until it will support the Certificate Transparency system. CT is a kind of a public log system for digital certificates, which makes it much easier to verify their authenticity and whether they have been modified or not.

Google also started requiring all CAs to support CT for EV certificates as of January 1 this year, and it will now require Symantec to support CT for all of its certificates by June 1 2016.

Google said that if Symantec had used CT already for all of its certificates, those problems could have been detected earlier, and greater insight into the cause would have been available.

Google has also requested that Symantec update the public incident report with the following:

  1. A post-mortem analysis that details why they did not detect the additional certificates that we found.
  2. Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.

The company also wanted Symantec to provide it with a set of detailed steps for how it will correct and prevent the identified failures in this certificate creation process, as well as a timeline for when it expects to complete the work.

Google is expecting Symantec to allow a third-party audit and undergo a Point-in-time Readiness Assessment, which will test Symantec's conformance for these standards:

  • WebTrust Principles and Criteria for Certification Authorities
  • WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security
  • WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL

Google wants the third-party audit to establish whether Symantec is telling the truth that its employees didn't have access to the private keys from the certificate creation tool and that they couldn't have obtained certificates for which they had the private key. The third-party audit must also verify whether Symantec's audit logging mechanism is protected from tampering.

Unlike CNNIC, which was immediately banned from the Chrome browser for facilitating the creation of forged certificates, Symantec has been given a chance to prove its certificate business can still be trusted, by submitting to a third-party audit and by adopting the Certificate Transparency system for all of its certificates.

The company has until June 1 to show its commitment to fixing the security and trust problems in its certificate creation process, but if that doesn't happen, Google may be forced to ban Symantec's certificates from Chrome, too.

______________________________________________________________________
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us @tomshardware, on Facebook and on Google+.

This thread is closed for comments
9 comments
    Your comment
  • hotroderx
    I think google is getting to big for its self. I mean its great they caught this and want to help make things more secure. At the same time who will police google? I mean chrome is a very widely used browser. Its almost everywhere along with google. What happens when google makes risky choices who will step in and say no... Such as Android Security? Android security is in shambles and the hole blaming the carriers thing really holds no water if you look at it unbiased. Special when there willing to trade blows with someone like Symantec over security concerns. At this point do you really think if Google told someone like Verizon. That they will update the phones with security patches on android. Verizon would say no and risk having android yanked from there phone line up? What would they sell? Its pretty much Android, IOS, or Windows.. that it so yea.. So yea whos watching google again? To me coming down on one company and making demands while they them self's have security concerns is kind of the pot calling the kettle black. Though I do admit both issues are major issues when it comes down to it.
  • jeremy2020
    So you're saying that because security holes exist, we shouldn't have any security? That's a ridiculous idea.

    That's like saying because I don't have a security alarm system in my house, I shouldn't tell you to lock your doors.
  • hotroderx
    Ok that's one way to look at what I wrote but no. What I am trying to say is that company not related to google and with no ties to google should be looking into this. Since goggle doesn't want to clean up the mess that is Android yes Android security is a mess. Then they have no right to tell other companies they have to become more secure lala. That's the problem with google. I remember when the company first started. They where amazing they where the kinda company that you trusted. Now days I feel there is less and less to trust about google. I am positive there are companies dedicated to going out and finding these sorts of problems with web pages and what have you. Google really wanted to what's stopping them from making a donation to one of these companies along with the information then stepping away.

    The over all point of my previous post is simply this... at what point does google stop? What happens if they decide they don't like So and So webpage... and block it from google services? Who is to stop them. While I feel its there right as a company to do as they please. At the same time I think it needs to be regulated how big a company can get otherwise. They become so large there in a position to dictate everything that happens ruling over a market.