I. Misissued certificates for example.com
On 2016-07-14, Symantec misissued the following certificates for example.com:
I confirmed with ICANN, the owner of example.com, that they did not
authorize these certificates. These certificates were already revoked
at the time I found them.
II. Suspicious certificates for domains containing the word "test"
On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
domains containing the word "test" which I strongly suspect were
I have not attempted to contact the owners of these domains for
confirmation, as doing so is probably not feasible (many of the domains
are owned by squatters). However, the following facts lead me to
believe that these certificates were misissued:
1. The subject DNs contain clearly bogus values, such as:
C=KR, ST=1, L=1, O=12, OU=1
C=KR, ST=1, L=1, O=1, OU=1
C=KR, ST=1, L=1, O=12, OU=1
C=KR, ST=Test1, L=Test, O=Test
Note that the misissued example.com certificates also contain C=KR in
2. The third certificate in the list above contains a SAN for
DNS:*.crosscert.com - note that three of the misissued example.com
certificates contain "Crosscert" in their Subject Organization.
3. None of these certificates have been observed in the wild by Censys.
The live certificate for www.test.com was issued by Network Solutions.
4. The first two certificates in the list above both contain DNS SANs
for *all* of the following domains:
With the exception of test4.com and test8.com, these domains are
registered to different entities and appear to be wholly unrelated to
one another in both ownership and operation. It is unlikely that the
owners of these domains would collaborate to authorize these
These certificates were already revoked at the time I found them.
III. Certificates with O=Test
Finally, Symantec has issued a large number of certificates with the
following attributes in the Subject:
C=KR, ST=test, L=test, O=test, OU=test
For more, see:
I doubt there is an organization named "test" located in "test, Korea."
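As an added example, not part of the original report or of any CA's or Mozilla's tooling: the indicators the report relies on (placeholder subject attributes such as "ST=1" or "O=test", a SAN list spanning many unrelated registrable domains, and coverage of a domain you own) can be encoded as a small triage pass over certificates pulled from CT logs. The DN strings below are the ones quoted above; the SAN lists and the watchlist are constructed sample data, the "three or more registrable domains" threshold is an assumption, and the registrable-domain helper deliberately ignores multi-label public suffixes such as co.uk.

```python
"""Triage heuristics for certificates seen in CT logs (added example)."""
import re
from typing import Dict, List

# Subject values that look like placeholders rather than real organisation
# data: purely numeric, or "test" optionally followed by digits.
PLACEHOLDER = re.compile(r"^(?:\d+|test\d*)$", re.IGNORECASE)

# Subject attributes that should carry real organisational information.
ORG_ATTRS = ("ST", "L", "O", "OU")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a 'C=KR, ST=1, L=1, O=12, OU=1' style DN string into a dict."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def registrable_domain(name: str) -> str:
    """Crude eTLD+1: drop a wildcard prefix, keep the last two labels.
    Assumption: no multi-label public suffixes (co.uk etc.) in the input."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def triage(subject_dn: str, sans: List[str], watchlist: List[str]) -> List[str]:
    """Return human-readable reasons a certificate deserves a closer look.
    An empty list means none of the heuristics fired."""
    reasons: List[str] = []

    attrs = parse_dn(subject_dn)
    bogus = [f"{k}={v}" for k, v in attrs.items()
             if k in ORG_ATTRS and PLACEHOLDER.match(v)]
    if bogus:
        reasons.append("placeholder subject attributes: " + ", ".join(bogus))

    domains = {registrable_domain(s) for s in sans}
    hits = sorted(domains & {d.lower() for d in watchlist})
    if hits:
        reasons.append("covers watched domain(s): " + ", ".join(hits))

    # Threshold is an assumption; tune it to your own issuance patterns.
    if len(domains) >= 3:
        reasons.append(f"SANs span {len(domains)} registrable domains")

    return reasons


# Constructed sample input: DNs quoted in the report, SANs made up here.
SAMPLES = [
    ("C=KR, ST=1, L=1, O=12, OU=1",
     ["test1.example", "www.test2.example", "test3.example"]),
    ("C=KR, ST=test, L=test, O=test, OU=test", ["www.example.com"]),
    ("C=US, ST=California, O=Example Corp",
     ["example.org", "www.example.org"]),
]
WATCHLIST = ["example.com"]

if __name__ == "__main__":
    for dn, sans in SAMPLES:
        print(dn, "->", triage(dn, sans, WATCHLIST) or "no findings")
```

Run it against the subject and SAN values your CT monitor extracts; a non-empty result is a prompt to check the certificate against your own issuance records, not a verdict of misissuance on its own.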
Created attachment 8831038
Symantec Certificate Problem Report Jan 26 2017.pdf
Update provided by Symantec.
Created attachment 8831929
Report of Independent Accountant - Certisign
Created attachment 8831930
CERTSUPERIOR 2016 WebTrust
Created attachment 8831931
Deloitte Point in Time Certsuperior
Created attachment 8831932
Deloitte Certsuperior Annex A
Created attachment 8831933
Symantec Responses to Misissuance Questions Jan 30 2017
Created attachment 8836487
Symantec Second Response to Misissuance Questions - Feb 12 2017
Created attachment 8838825
Symantec Third Response to Misissuance Questions Feb 17 2017
Created attachment 8843448
Symantec Fourth Response to Misissuance Questions Mar 3 2017
Created attachment 8843449
Created attachment 8856531
Certisign CY2012 WTCA
Certisign's CY2012 WTCA audit
Created attachment 8856532
CrossCert 2015-2016 WTBR Audit
WebTrust SSL Baseline for CrossCert 7/2015-6/2016
Created attachment 8856742
Certsuperior 5-2015 4-2016 Corrected Scope
Previously posted Deloitte audit of Certsuperior incorrectly stated scope as WT SSL Baseline only.
Created attachment 8860216
Mozilla Feedback Consolidated Responses
Created attachment 8867397
Aetna WTCA 2015
Created attachment 8867398
Aetna WTBR 2015
Created attachment 8867735
Symantec Response to Further Questions from Mozilla
Created attachment 8867892
SSP PROF Common Policy v1.7
This bug was resolved by the action we decided to take regarding Symantec.