Symantec carpeted over dodgy certificates, again

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
You had one job ... and it wasn't letting test certs escape into the wild and then revoking them

Symantec has confirmed that it's revoked another bunch of wrongly-issued certificates.
Andrew Ayer of certificate vendor and wrangler SSLMate went public with his discovery last week. The mis-issued certs were issued for example.com, and a bunch of variations of test.com (test1.com, test2.com and so on).

On Saturday, Symantec's Steve Medin replied: “The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner's privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline - these certificates each had "O=test". Our investigation is continuing.”

Medin said the mistake happened at partner WebTrust, and that the company is still investigating what went wrong, adding that Symantec “will report our resolution, cause analysis, and corrective actions once complete”.
Security bods will be watching to see whether there's any other fallout from the latest blunder.

In 2015, Google blockaded certificates from a Symantec root, because it was not complying with the CA/Browser Forum's requirements.
At that time, Symantec hit back saying the certs were mostly used for internal testing, or were issued to a small handful of legacy customers.

Last year, Google brought the long-running question of certificate trust into sharp relief when it launched its Certificate Transparency site, letting the world see the whole list of certs it doesn't trust.

Chinese CA WoSign found itself in an unwelcome spotlight when it issued a cert for GitHub to university
sysadmin Stephen Schrauger. WoSign found itself sent to the naughty corner by Mozilla, Apple, and Google. That company had to promise a reorganisation to get itself back in the world's good graces.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Though this doesn't appear to be a widespread case, every such mis-issuance speaks loud about how even the trusted means of authentication should be audited and be made sure that finding/fixing loopholes in such coordinated procedures must be given equal importance as given to assigning the very certificates in the way it's done currently.
We visit many unknown sites & products (of course a different case) that claim to be X & Y & Z certified, that should not be the clearing factor alone for interpretation. Internet users should also know how to identify the certificates against the fake ones and which other camouflaged signs are a big NO!
 
Last edited:

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The biggest source of high quality false certificates is bribery. The good thing about this is that the acquisition of these by the Blackhats will be expensive and thus not wasted on the likes of you and me (home users) but will instated be targeted at high profile targets (such as Lockheed by the Russians for the purpose of spying, or {name you Bank here} by the Blackhats for the purpose of extortion). But whichever, these when detected will never be made public and will never go into the Wild where the malware that is actually signed by them would have no purpose.

Sure, you may have some low level crap in the Wild, but even the worst AV vendor will jump on these quickly, thereby negating them.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top