Google Tells Symantec to Improve Digital Certificate Security or be branded unsafe
Google is not pleased with security firm Symantec’s recent record in issuing Web certificates and has asked it to improve its digital certificate security in order to avoid problems when its certificates are used in the search giant’s products.
In mid-September, Google learned that Symantec’s Thawte certificate authority (CA) had issued an Extended Validation (EV) pre-certificate for google.com domains. (A pre-certificate is the copy of a certificate, carrying a special “poison” extension, that a CA submits to Certificate Transparency logs before signing the final certificate.) The certificate, which Google had neither requested nor authorized, was discovered in Certificate Transparency logs, which Chrome requires for all EV certificates issued after January 1, 2015.
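The discovery described above is exactly what a domain owner’s own CT monitoring is meant to catch: any certificate or pre-certificate covering its domains that comes from a CA it never engaged. The following Python script is an added example, not code from the article or from Google or Symantec. It runs over a few constructed log entries embedded inline (the issuer names, serials and log indices are illustrative assumptions, not data from the incident), matches SAN names against the owned domains with correct label boundaries and wildcard handling, and reports issuances from CAs outside the owner’s allowlist, deduplicating a pre-certificate and its final certificate by issuer and serial.

```python
"""Check Certificate Transparency (CT) log entries against an allowlist of CAs.

Added example: a domain owner's CT monitor that flags any (pre)certificate
covering its domains that was not issued by a CA it authorised.  Log entries
are constructed inline (no network); issuer names, serials and log indices are
illustrative assumptions, not data from the incident report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CTEntry:
    """Fields a CT monitor extracts from a logged certificate or precertificate."""
    log_index: int
    issuer_cn: str      # issuer Common Name
    serial: str         # hex serial number, unique per issuer
    san_names: tuple    # subjectAltName dNSName values
    is_precert: bool    # precertificate (poison extension present) vs final cert


def normalise(name: str) -> str:
    """Lowercase and drop a trailing dot so 'WWW.Google.COM.' == 'www.google.com'."""
    return name.strip().lower().rstrip(".")


def covers_owned_domain(san_name: str, owned_domain: str) -> bool:
    """True if a SAN name (possibly a wildcard) is the owned domain or a name under it.

    Label boundaries matter: 'notgoogle.com' and 'google.com.evil.net' must NOT
    match 'google.com', so we compare on '.'-delimited suffixes, not substrings.
    """
    san = normalise(san_name)
    owned = normalise(owned_domain)
    if san.startswith("*."):
        base = san[2:]  # '*.google.com' covers every host directly under google.com
        # the wildcard base may be the owned domain, below it, or above it
        return base == owned or base.endswith("." + owned) or owned.endswith("." + base)
    return san == owned or san.endswith("." + owned)


def unexpected_issuances(entries, owned_domains, authorised_issuers):
    """Return (log_index, issuer_cn, matched_names) for certs covering an owned
    domain that were issued by a CA outside the allowlist.

    A precertificate and its final certificate share issuer and serial, so the
    pair is reported once, at the earliest log index.
    """
    authorised = {normalise(cn) for cn in authorised_issuers}
    seen = set()
    findings = []
    for entry in sorted(entries, key=lambda e: e.log_index):
        key = (normalise(entry.issuer_cn), entry.serial.lower())
        if key in seen:
            continue
        hits = tuple(n for n in entry.san_names
                     if any(covers_owned_domain(n, d) for d in owned_domains))
        if not hits:
            continue
        seen.add(key)
        if key[0] not in authorised:
            findings.append((entry.log_index, entry.issuer_cn, hits))
    return findings


# Constructed log entries (not real log data).  Entries 1002/1003 mirror the
# pattern in the article: an EV precertificate and its final certificate for
# google.com from a CA the domain owner never engaged.
SAMPLE_ENTRIES = (
    CTEntry(1001, "Example Authorised CA", "0A1B", ("www.google.com", "google.com"), False),
    CTEntry(1002, "Thawte EV CA (illustrative)", "7F3C", ("google.com", "www.google.com"), True),
    CTEntry(1003, "Thawte EV CA (illustrative)", "7F3C", ("google.com", "www.google.com"), False),
    CTEntry(1004, "Some Other CA", "99AA", ("google.com.evil.net", "notgoogle.com"), False),
    CTEntry(1005, "Some Other CA", "99AB", ("*.opera.com",), False),
)
OWNED_DOMAINS = ("google.com", "youtube.com")        # assumed owner inventory
AUTHORISED_ISSUERS = ("Example Authorised CA",)      # assumed allowlist

if __name__ == "__main__":
    for idx, issuer, names in unexpected_issuances(SAMPLE_ENTRIES, OWNED_DOMAINS, AUTHORISED_ISSUERS):
        print(f"log index {idx}: {issuer!r} issued a certificate for {', '.join(names)}")
```

In practice the entries come from a CT log’s `get-entries` endpoint or from a monitoring service, and the allowlist is the set of CAs the organisation actually contracts with; anything else covering an owned name is a misissuance until proven otherwise, regardless of whether the CA calls it a “test”.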
When questioned, Symantec said the certificates had been issued only for testing purposes by its internal QA team and therefore posed no risk to anyone. However, an audit conducted by the security firm revealed that a total of 23 test certificates had been issued for six domains owned by Google, seven owned by Opera, and ten owned by three other organizations.
The initial audit was followed by an investigation which revealed that Symantec had issued an additional 164 such certificates covering 76 domains. Furthermore, the company had issued more than 2,400 test certificates for unregistered domains, a practice that has not been permitted since April 2014.
“We are committed to accelerating the adoption of Certificate Transparency logging for all certificates that we issue, by adding support for Organization and Domain Validated certificates, and expect most of that work to be complete by the end of 2015,” Symantec said in its report on the test certificates incident. “We have also begun our annual audit process and are expanding its scope in the wake of these recent instances, in order to ensure we have independent confirmation that no other issues remain. We anticipate the audit will take three to six months, and once it is complete we will share any key findings.”
While Symantec insists that the risk associated with the issuance of the test certificates is minimal, such certificates can be highly valuable in the hands of malicious actors: a certificate for a domain, issued to a party that does not control that domain, lets whoever holds its private key impersonate the domain to every client that trusts the issuing CA, for example in a man-in-the-middle attack. Whether the certificate was labelled a “test” by the CA makes no difference to the client.
Google, however, is not satisfied with Symantec’s answers and has issued an ultimatum demanding that it mend its ways.
Google’s list of demands is below:
Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit. The point-in-time assessment will establish Symantec’s conformance to each of these standards:
WebTrust Principles and Criteria for Certification Authorities
WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security
WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL
The third-party security audit must assess:
The veracity of Symantec’s claims that at no time private keys were exposed to Symantec employees by the tool.
That Symantec employees could not use the tool in question to obtain certificates for which the employee controlled the private key.
That Symantec’s audit logging mechanism is reasonably protected from modification, deletion, or tampering, as described in Section 5.4.4 of their CPS.