
Symantec caught issuing illegitimate certificates for second time in two years


Independent researcher Andrew Ayer spotted Symantec once again improperly issuing Transport Layer Security (TLS) certificates, this time 108 of them, all of which have since been invalidated.

The certificates were in strict violation of industry guidelines: nine of them were reportedly issued without the knowledge or permission of the affected domain owners, and 99 were issued to companies whose registration data was obviously fraudulent, according to a Jan. 19 blog post.

Ayer reported the issue to the firm and was told by Symantec Policy Manager Steven Medin that the company was investigating and would report on the resolution, root-cause analysis, and corrective actions once they were completed. Many of the improperly issued certificates were revoked within an hour of being issued, but their issuance still represents a major violation on Symantec's part.

While the investigation is still ongoing, a Symantec spokesperson told SC Media the certificates in question were issued by one of the firm's WebTrust-audited partners.

“We have restricted this partner's issuance privileges while we continue to review this matter,” the spokesperson said. “While most of the listed certificates were already revoked by the partner, Symantec revoked all remaining valid certificates within the 24-hour CA/B Forum guideline. Our investigation is ongoing.”

In 2015, Symantec terminated employees involved in issuing unauthorized TLS certificates for Google web pages, prompting Google to warn the firm to take additional steps on certificate verification.

The unauthorized certificates could have serious consequences for unsuspecting end users.

“There isn't really anything for consumers to do to protect against this type of threat,” Tripwire Principal Security Researcher Craig Young told SC Media. “This is primarily a matter for the browser forum to respond with appropriate improved controls or sanctions.” He added that Symantec should only be issuing test certificates for domains that they own.

Symantec isn't the only company that has been spotted improperly issuing certificates.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SC Media that he has seen a number of CAs (certificate authorities), including WoSign and GlobalSign, make costly errors over the past year, and that we should expect this trend to continue.

“The troubling trend of breaches and errors at CAs should serve as a wake-up call for all businesses -- to protect themselves and their customers every organization needs to be able to quickly detect unauthorized certificates issued by any CA and remove or replace them,” Bocek said.

He maintained that “it's also crucial for businesses to have a plan that does not leave them at the mercy of any one CA.”

Firms need to be agile enough to remove, change or add a CA at a moment's notice and the only way to accomplish this is with automation.
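One way to implement the detection Bocek describes, as an added example that is not from the article or from any vendor: compare the certificates a monitoring feed reports for your domains against the set of CAs your organization actually authorized, and report anything else, revoked or not. The feed entries, field names, domains and CA names below are constructed assumptions.

```python
"""Flag certificates for our domains that were issued by a CA we never authorized.

Added example, not from the article or any vendor: the observations below are
constructed to resemble what a certificate-monitoring feed would report; the
field names, domain names and CA names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    serial: str
    issuer: str      # issuing CA organization as written in the certificate
    names: tuple     # subject alternative names on the certificate
    revoked: bool    # whether the issuer has already revoked it


def names_our_domain(san: str, domain: str) -> bool:
    """True if a SAN (wildcard or not) names our domain or any subdomain of it."""
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]           # '*.example.com' covers example.com and below
    domain = domain.lower().rstrip(".")
    return san == domain or san.endswith("." + domain)


def find_unauthorized(observations, our_domains, approved_cas):
    """Return observations naming one of our domains but issued by a CA outside
    the approved set. Revoked certificates are still reported: a certificate
    that lived only an hour (as in the article) was still misissued."""
    approved = {ca.lower() for ca in approved_cas}
    flagged = []
    for obs in observations:
        ours = any(names_our_domain(n, d) for n in obs.names for d in our_domains)
        if ours and obs.issuer.lower() not in approved:
            flagged.append(obs)
    return flagged


# Constructed sample feed (not real certificates or CAs).
OBSERVATIONS = [
    CertObservation("01", "Approved CA Inc", ("www.example.com",), False),
    CertObservation("02", "Some Other CA", ("*.example.com",), True),
    CertObservation("03", "Some Other CA", ("notexample.com",), False),
    CertObservation("04", "Approved CA Inc", ("api.example.com", "example.net"), False),
    CertObservation("05", "Partner Reseller CA", ("mail.example.net",), False),
]

if __name__ == "__main__":
    for obs in find_unauthorized(OBSERVATIONS, ("example.com", "example.net"), ("Approved CA Inc",)):
        status = "already revoked" if obs.revoked else "STILL VALID, request revocation"
        print(f"serial {obs.serial}: {obs.issuer} issued for {obs.names} ({status})")
```

The approved-CA set is deliberately a list rather than a single name, so adding or dropping a CA is a one-line change to the allow-list rather than a change to the detection logic.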

“Businesses that are unprepared to detect and respond to CA errors threaten the integrity of encrypted and authenticated Internet traffic,” Bocek said.
