Google warns Symantec to take additional steps on certificate verification

Following a debacle over misissued certificates, Google published a warning blog post to Symantec, essentially telling the company to step up its game or face further action from the tech giant.

In September, Symantec disclosed that some test certificates were inappropriately issued, and the organizations affected by this error included Google, Opera and three others that wished to remain anonymous, the company wrote in a subsequent report. The report indicated that 23 test certificates were wrongly issued.

Now, Google is reporting that its own investigation turned up more “questionable certificates.” Google sent its findings to Symantec, which prompted the company to conduct an additional audit. That audit found a further 164 certificates across 76 domains, plus 2,458 certificates issued for domains that were not registered.

“It's obviously concerning that a CA [certificate authority] would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit,” Google wrote. “Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.”

Google is also pushing Symantec to update its incident report with a post-mortem analysis of why its own audit did not find the additional certificates, followed by the details of “each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.”

Google's requests don't stop there, either. It's asking Symantec to provide a “detailed set of steps” it will take to correct and prevent these flaws, as well as a timeline for when the work will be completed. After it successfully does all this, the company is also being asked to undergo a Point-in-time Readiness Assessment and a third-party security audit.

Symantec clarified in a prepared comment to SCMagazine.com that it has put additional tools, policy and process safeguards in place to prevent this type of incident from occurring again. It also created plans to begin Certificate Transparency logging of all certificates and engaged a third party to evaluate its approach, in addition to expanding the scope of its annual audit.
