Google Demands Changes After More Rogue Symantec SSL Certs Found

Symantec is in trouble with Google again after it was found to have issued over 160 rogue SSL certificates without permission, following a similar incident in September.

Symantec originally published a report last month claiming it had issued 23 certificates without the domain owner’s knowledge, covering five organizations including Google and Opera.

However, Google wasn’t satisfied that this was the end of the story: it found “several more questionable certificates” using its Certificate Transparency system, Google software engineer Ryan Sleevi explained in a blog post.

“Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered,” he said.

“It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit.”

As a result, Google will require as of 1 June next year that all Symantec-issued certs support Certificate Transparency for easier logging. If they don’t, Google warned it “may result in interstitials or other problems when used in Google products.”

Symantec has also been asked to provide a post-mortem analysis of why the firm didn’t detect the additional rogue certificates in the first place, as well as “details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.”

The security giant will be required to provide a detailed plan and timeline on what it aims to do to “correct and prevent” the identified failures.

Following that, there’s a requirement for Symantec to complete a point-in-time readiness assessment and a third-party security audit.

In a statement emailed to IDG, Symantec said action had been taken to address the rogue certs that were discovered.

“While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold,” it read.

“We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted.”