Google Plans Major Blow for Symantec Certs

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Google has released perhaps its strongest rebuke yet to Symantec over the latter’s CA business, claiming it will reduce trust in the security giant’s certificates in order to restore confidence to Chrome users.

In a lengthy post issued on Thursday, Google engineer Ryan Sleevi explained that an initial investigation into 127 mis-issued certificates subsequently turned up problems with 30,000 certificates, issued over several years.

This comes on top of a previous set of mis-issued certificates which led to the 2015 sacking of several Symantec employees.

Google has consequently resolved to: reduce the accepted validity period of newly issued Symantec-issued certificates to nine months or less; require the re-validation and replacement of all currently-trusted Symantec-issued certificates; and temporarily remove EV status for all Symantec-issued certs, for at least a year.

“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” argued Sleevi.

“These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.”

He went on to argue that Symantec had failed to provide timely updates to its customers as problems occurred.

“Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned,” said Sleevi.

“The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”

Venafi chief cybersecurity strategist, Kevin Bocek, argued the case highlights once again how fragile the system of trust for the internet really is.

“This news also highlights how critical it is for businesses to be able to replace machine identities – keys and certificates used for SSL/TLS – quickly. Even small businesses can change passwords for all employees in minutes, but the largest global businesses with very sophisticated IT operations struggle to respond to an external event like this,” he added.

“Google is the 800-pound gorilla on this issue. It is likely to require the world’s largest banks, retailers, insurers and cloud providers to replace the identifies these questionable Symantec certificates because it turns on padlocks that let users know their transaction is secure.”
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Wow, now that's a blow to the head of Symantec. But a natural course of events. Can't really blame Google if this is the truth and not some corporate war games.
 
  • Like
Reactions: frogboy

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
The problem nowadays is the ethics which reflects also on how the services offered and rendered.

Clearly Symantec has a minimal chance to defend themselves once a strong evidence is thrown, remember one of main concerns by customers are privacy and security.
 
  • Like
Reactions: Amelith Nargothrond

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Incredible and bad behavior from Symantec!
I hope they also got well fined since they "allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,”!

I'm still amazed how many big companies manage to do "mistakes", get cought, try to hide it, deny it, don't provide informations and wait to correct the issues...and at the end even get unpunished with it.
 
  • Like
Reactions: Amelith Nargothrond

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top