Google accuses Symantec of issuing about 30,000 illegit certificates

Symantec's certificate problems began in 2015. Thawte, a certification authority owned by the company, issued fake VDS-unlimited SSL certificates for the domains gmail.com, google.com and www.google.com. The cause turned out to be human error. Following the results of the proceedings, Symantec fired some employees who had accidentally allowed the use of fake certificates that were intended only for internal testing.


But the troubles continued: in early 2017 Andrew Ayer of SSLMate confronted Symantec over the issuance of illegitimate certificates, in particular for the domain example.com and for various variations of test.com (test1.com, test2.com and so on). Symantec then stated that the certificates had been erroneously issued by the company's partners. The privileges of the guilty parties were reduced, and all problem certificates were revoked.

Now Google is making new allegations against Symantec. Ryan Sleevi, an engineer on the Google Chrome team, said that in the near future Chrome will stop trusting the 30,000 certificates issued by Symantec.

Sleevi explains that his team has been investigating errors committed by Symantec Corporation during certificate validation since January 19, 2017. The investigation began with 127 specific incidents. It soon became clear that at least 30,000 certificates issued over the last few years are problematic. Sleevi emphasizes that Symantec has serious problems with domain validation, because proper checks were very often not carried out. Symantec also has difficulties auditing its own logs. According to Sleevi, Symantec employees failed to find cases in which certificates were issued to unauthorized parties, and they made no attempt to improve their validation and verification processes, which are clearly far from perfect.

The Google engineer writes that Symantec gave at least four third-party organizations access to its infrastructure, allowing them to issue certificates, but the company never properly controlled or supervised their work. Because of this, Symantec's specialists were unable to respond to Google's requests within the given time and provide information about the incidents.

Google now plans to withdraw Extended Validation status from all Symantec certificates. The ban will last at least one year. The validity period accepted for already-issued Symantec certificates will also be gradually reduced. In addition, all new Symantec certificates will be limited to a nine-month validity period.

Representatives of Symantec have already responded to these allegations. They said in a company blog post that the allegations are "exaggerated and unreliable." The company's representatives report that about 127 mistakenly issued certificates may be involved, not 30,000. They called Sleevi's post "irresponsible" and Google's actions "unexpected", because the company works in accordance with all industry standards and its SSL/TLS certificates can be trusted. Symantec emphasizes that the mistakenly issued certificates caused no harm to users. The company says it is open to dialogue and hopes to resolve the situation together with representatives of Google.